{"id":35840,"date":"2023-01-24T03:59:54","date_gmt":"2023-06-22T05:14:11","guid":{"rendered":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/"},"modified":"2024-04-29T11:12:57","modified_gmt":"2024-04-29T03:12:57","slug":"%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8","status":"publish","type":"post","link":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/","title":{"rendered":"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09"},"content":{"rendered":"

\u4f60\u662f\u5426\u4e86\u89e3”kubernetes the hard way”\uff1f
\n\u8fd9\u662f\u4e00\u4e2a\u901a\u8fc7\u624b\u52a8\u6784\u5efakubernetes\u96c6\u7fa4\u6765\u589e\u8fdb\u5bf9kubernetes\u7684\u7406\u89e3\u610f\u56fe\u800c\u521b\u5efa\u7684\u6559\u7a0b\u3002<\/p>\n

\u7531\u4e8e\u4ee5\u524d\u5bf9Kubernetes\u53ea\u6709\u4e00\u4e9b\u6a21\u7cca\u7684\u4e86\u89e3\uff0c\u6211\u51b3\u5b9a\u5c1d\u8bd5\u505a\u4e00\u904d\u300aKubernetes the hard way\u300b\u4f5c\u4e3a\u590d\u4e60\u3002<\/p>\n

\u539f\u6559\u7a0b\u662f\u5728GCP\u73af\u5883\u4e0b\u8fdb\u884c\u6784\u5efa\u7684\uff0c\u4f46\u7531\u4e8e\u6709\u5fd7\u8005\u4e3aAWS\u73af\u5883\u521b\u5efa\u4e86\u6559\u7a0b\uff0c\u6240\u4ee5\u8fd9\u6b21\u6211\u5c1d\u8bd5\u4e86\u90a3\u4e2a\u6559\u7a0b\u3002
\n\u53e6\u5916\uff0c\u6211\u60f3\u987a\u4fbf\u5236\u4f5c\u4e86AWS\u6559\u7a0b\u7684\u65e5\u6587\u7248\u3002<\/p>\n

\u6211\u4e2a\u4eba\u89c9\u5f97\u8fd9\u4e2a\u7ecf\u5386\u5f88\u6709\u6536\u83b7\uff0c\u5bf9\u5b66\u4e60\u5f88\u6709\u5e2e\u52a9\uff0c\u6240\u4ee5\u6211\u63a8\u8350\u5927\u5bb6\u4e5f\u8bd5\u4e00\u8bd5\u3002\u5982\u679c\u5927\u5bb6\u6709\u5174\u8da3\u7684\u8bdd\uff0c\u8bf7\u4e00\u5b9a\u4e0d\u8981\u9519\u8fc7\u3002<\/p>\n

\u540c\u65f6\uff0c\u6211\u5728\u505a\u6559\u7a0b\u7684\u8fc7\u7a0b\u4e2d\u67e5\u770b\u4e86\u4ee5\u4e0b\u6761\u76ee\u3002\u8fd9\u4e9b\u4e5f\u975e\u5e38\u6709\u5b66\u4e60\u4ef7\u503c\uff0c\u52a1\u5fc5\u8981\u770b\u4e00\u770b\u3002<\/p>\n

Kubernetes\u7684\u8270\u96be\u4e4b\u8def
\nKubernetes: \u7ec4\u6210\u7ec4\u4ef6\u5217\u8868
\nKubernetes\u7684TLS\u8bc1\u4e66<\/p>\n

\u6b64\u6559\u7a0b\u662f\u57fa\u4e8e\u539f\u7248\u3001\u65e5\u8bed\u7ffb\u8bd1\u7248(GCP\u73af\u5883)\u548cAWS\u6559\u7a0b\u800c\u521b\u5efa\u7684\uff0c\u4e0d\u662f\u6211\u4ece\u96f6\u5f00\u59cb\u521b\u5efa\u7684\u3002<\/p>\n

\n

00- \u4ee5\u201cKubernetes:\u4e0d\u95f4\u65ad\u7684\u8270\u96be\u4e4b\u8def\u201d\u4e3a\u9898 (\u306f\u3058\u3081\u306b)<\/h1>\n

\u5728Kubernetes Hard Way\u4e2d\uff0c\u6211\u4eec\u5c06\u4ece\u96f6\u5f00\u59cb\u914d\u7f6eKubernetes\u3002<\/p>\n

\u56e0\u6b64\uff0c\u8fd9\u4e2a\u5b9e\u9a8c\u5ba4\u5e76\u4e0d\u662f\u4e3a\u90a3\u4e9b\u5bfb\u627e\u521b\u5efa\u5b8c\u5168\u81ea\u52a8\u5316\u4e14\u53d7\u7ba1\u7406\u7684Kubernetes\u96c6\u7fa4\u547d\u4ee4\u7684\u4eba\u800c\u8bbe\u7acb\u7684\u3002<\/p>\n

\u8fd9\u4e2aKubernetes The Hard Way\u662f\u4e13\u4e3a\u5b66\u4e60\u800c\u4f18\u5316\u7684\u3002
\n\u5b83\u5c55\u793a\u4e86\u4e00\u4e2a\u6f2b\u957f\u7684\u8fc7\u7a0b\uff0c\u4ee5\u786e\u4fdd\u5bf9\u6784\u5efaKubernetes\u96c6\u7fa4\u6240\u9700\u7684\u6bcf\u4e2a\u4efb\u52a1\u6709\u900f\u5f7b\u7684\u7406\u89e3\u3002<\/p>\n

\u5e0c\u671b\u8bfb\u8005<\/h2>\n

\u6211\u5011\u6b63\u5728\u8a08\u5283\u652f\u63f4\u6b63\u5f0f\u4f7f\u7528\u7684Kubernetes\u96c6\u7fa4\uff0c\u4e26\u4e14\u9019\u662f\u91dd\u5c0d\u90a3\u4e9b\u5e0c\u671b\u4e86\u89e3Kubernetes\u96c6\u7fa4\u7684\u6240\u6709\u7d44\u4ef6\u662f\u5982\u4f55\u7d44\u5408\u5728\u4e00\u8d77\u7684\u4eba\u3002<\/p>\n

\u8fd9\u6b21\u8981\u51fa\u73b0\u7684\u805a\u7c7b\u7684\u8be6\u7ec6\u4fe1\u606f\u3002<\/h2>\n

\u901a\u8fc7Kubernetes The Hard Way\uff0c\u6211\u4eec\u53ef\u4ee5\u6784\u5efa\u4e00\u4e2a\u9ad8\u53ef\u7528\u7684Kubernetes\u96c6\u7fa4\uff0c\u5b9e\u73b0\u7ec4\u4ef6\u4e4b\u95f4\u7684\u7aef\u5230\u7aef\u52a0\u5bc6\u548cRBAC\u8ba4\u8bc1\u3002<\/p>\n

\u4e0b\u9762\u662f\u4f7f\u7528\u7684\u7ec4\u4ef6\u53ca\u5176\u7248\u672c\u5217\u8868\u3002<\/p>\n

Kubernetes 1.15.3
\ncontainerd\u5bb9\u5668\u8fd0\u884c\u65f61.2.9
\ngVisor 08879266fef3a67fac1a77f1ea133c3ac75759dd
\nCNI\u5bb9\u5668\u7f51\u7edc0.8.2
\netcd 3.3.10<\/p>\n

\u5728\u8fd9\u4e2a\u6559\u7a0b\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528AWS\u3002<\/p>\n

\u73b0\u5728\uff0c\u8ba9\u6211\u4eec\u5f00\u59cb\u5427\uff01<\/p>\n

01-\u5148\u51b3\u6761\u4ef6<\/h1>\n

\u4e9a\u9a6c\u900a\u4e91\u670d\u52a1<\/h2>\n

\u5728\u8fd9\u4e2a\u6559\u7a0b\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u4e9a\u9a6c\u900a\u7f51\u7edc\u670d\u52a1\uff08AWS\uff09\u6765\u542f\u52a8\u4e00\u4e2aKubernetes\u96c6\u7fa4\u3002
\n\u901a\u8fc7\u8fd9\u4e2a\u6559\u7a0b\uff0c\u6bcf24\u5c0f\u65f6\u7684\u8d39\u7528\u4e0d\u8d85\u8fc72\u7f8e\u5143\u3002<\/p>\n

\u6b64\u5916\uff0c\u7531\u4e8e\u672c\u6b21\u4f7f\u7528\u7684\u8d44\u6e90\u8d85\u51fa\u4e86AWS\u7684\u514d\u8d39\u9650\u989d\uff0c\u8bf7\u5728\u6559\u7a0b\u7ed3\u675f\u540e\u6e05\u7406\u6240\u521b\u5efa\u7684\u8d44\u6e90\uff0c\u4ee5\u9632\u4ea7\u751f\u4e0d\u5fc5\u8981\u7684\u8d39\u7528\u3002\u8bf7\u52a1\u5fc5\u6ce8\u610f\u3002<\/p>\n

\u4e9a\u9a6c\u900a\u7f51\u7edc\u670d\u52a1\u547d\u4ee4\u884c\u754c\u9762<\/h2>\n

\u8bf7\u5728\u90e8\u7f72\u7528\u5b9e\u4f8b\uff08\u542f\u52a8\u4e00\u4e2a\u9002\u5f53\u7684EC2\u5b9e\u4f8b\uff09\u4e0a\u6309\u7167\u4ee5\u4e0b\u6b65\u9aa4\u6267\u884c\u3002
\n\u8fd9\u4e2a\u90e8\u7f72\u7528\u5b9e\u4f8b\u662f\u4e3a\u4e86\u8fdb\u884c\u96c6\u7fa4\u542f\u52a8\u7684\u5404\u79cd\u914d\u7f6e\u800c\u51c6\u5907\u7684\uff0c\u4e0d\u662fkubernetes\u96c6\u7fa4\u7684\u7ec4\u4ef6\u3002<\/p>\n

\u5b89\u88c5 AWS CLI<\/h3>\n

\u6839\u636eAWS\u5b98\u65b9\u6587\u6863\u7684\u6307\u793a\uff0c\u5b89\u88c5AWS CLI\u5e76\u8fdb\u884c\u5fc5\u8981\u7684\u914d\u7f6e\u3002<\/p>\n

\u5b89\u88c5\u5b8c\u6210\u540e\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u786e\u8ba4AWS CLI\u7684\u6709\u6548\u6027\u3002<\/p>\n

aws --version\r\n<\/code><\/pre>\n
\u8bbe\u5b9a\u9ed8\u8ba4\u5730\u533a<\/h3>\n
\u5728\u6b64\u6559\u7a0b\u4e2d\uff0c\u60a8\u53ef\u4ee5\u8bbe\u7f6e\u9ed8\u8ba4\u7684\u533a\u57df\u3002<\/p>\n
AWS_REGION=us-west-1\r\naws configure set default.region $AWS_REGION\r\n<\/code><\/pre>\n
\u4f7f\u7528tmux\u53ef\u4ee5\u5e76\u884c\u8fd0\u884c\u547d\u4ee4\u7684\u529f\u80fd\u3002<\/h2>\n
\u5982\u679c\u4f60\u5bf9\u6b64\u611f\u5174\u8da3\u7684\u8bdd\uff0c\u6211\u5efa\u8bae\u4f60\u53bb\u53c2\u8003\u4e0b\u9762\u5217\u51fa\u7684\u5185\u5bb9\u3002<\/p>\n
02-\u5b89\u88c5\u5ba2\u6237\u7aef\u5de5\u5177<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u5b89\u88c5cfssl\u3001cfssljson\u548ckubectl\u3002<\/p>\n
CFSSL\u548cCFSSLJSON\u7684\u5b89\u88c5<\/h2>\n
cfssl\u548ccfssljson\u7528\u4e8e\u642d\u5efaPKI\u73af\u5883\u548c\u53d1\u884cTLS\u8bc1\u4e66\u3002<\/p>\n
\u5728OS X\u4e0a\u7684\u5b89\u88c5<\/h3>\n
curl -o cfssl https:\/\/pkg.cfssl.org\/R1.2\/cfssl_darwin-amd64\r\ncurl -o cfssljson https:\/\/pkg.cfssl.org\/R1.2\/cfssljson_darwin-amd64\r\n<\/code><\/pre>\n
chmod +x cfssl cfssljson\r\n<\/code><\/pre>\n
sudo mv cfssl cfssljson \/usr\/local\/bin\/\r\n<\/code><\/pre>\n
\u5982\u679c\u60a8\u5728\u4f7f\u7528OS X\u65f6\u5c1d\u8bd5\u9884\u7f16\u8bd1\u5b89\u88c5\uff0c\u53ef\u80fd\u4f1a\u9047\u5230\u95ee\u9898\u3002\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u8bf7\u4f7f\u7528Homebrew\u8fdb\u884c\u5b89\u88c5\u3002<\/p>\n
brew install cfssl\r\n<\/code><\/pre>\n
\u5728Linux\u4e0a\u5b89\u88c5<\/h3>\n
wget -q --show-progress --https-only --timestamping \\\r\n  https:\/\/pkg.cfssl.org\/R1.2\/cfssl_linux-amd64 \\\r\n  https:\/\/pkg.cfssl.org\/R1.2\/cfssljson_linux-amd64\r\n<\/code><\/pre>\n
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64\r\n<\/code><\/pre>\n
sudo mv cfssl_linux-amd64 \/usr\/local\/bin\/cfssl\r\n<\/code><\/pre>\n
sudo mv cfssljson_linux-amd64 \/usr\/local\/bin\/cfssljson\r\n<\/code><\/pre>\n
\u786e\u5b9a<\/h3>\n
\u786e\u8ba4 cfssl \u7684\u7248\u672c\u662f\u5426\u5927\u4e8e\u7b49\u4e8e1.2.0\u3002<\/p>\n
% cfssl version\r\nVersion: 1.2.0\r\nRevision: dev\r\nRuntime: go1.6\r\n<\/code><\/pre>\n
cfssljson\u6ca1\u6709\u663e\u793a\u7248\u672c\u7684\u547d\u4ee4\u3002<\/p>\n
kubectl\u7684\u5b89\u88c5<\/h2>\n
kubectl\u662f\u4e00\u4e2a\u7528\u4e8e\u4e0eKubernetes API\u670d\u52a1\u5668\u8fdb\u884c\u901a\u4fe1\u7684\u547d\u4ee4\u884c\u5de5\u5177\u3002
\n\u6b64\u6b21\u9700\u8981\u7248\u672c1.15.3\u6216\u66f4\u9ad8\u7248\u672c\u3002<\/p>\n
\u5728OS X\u4e0a\u5b89\u88c5<\/h3>\n
curl -o kubectl https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/darwin\/amd64\/kubectl\r\n<\/code><\/pre>\n
chmod +x kubectl\r\n<\/code><\/pre>\n
sudo mv kubectl \/usr\/local\/bin\/\r\n<\/code><\/pre>\n
\u5728Linux\u7cfb\u7edf\u4e0a\u8fdb\u884c\u5b89\u88c5\u3002<\/h3>\n
wget https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kubectl\r\n<\/code><\/pre>\n
chmod +x kubectl\r\n<\/code><\/pre>\n
sudo mv kubectl \/usr\/local\/bin\/\r\n<\/code><\/pre>\n
\u786e\u8ba4<\/h3>\n
\u786e\u8ba4\u5b89\u88c5\u7684kubectl\u7248\u672c\u662f\u5426\u9ad8\u4e8e1.15.3\u3002<\/p>\n
% kubectl version --client\r\nClient Version: version.Info{Major:\"1\", Minor:\"15\", GitVersion:\"v1.15.3\", GitCommit:\"2d3c76f9091b6bec110a5e63777c332469e0cba2\", GitTreeState:\"clean\", BuildDate:\"2019-08-19T12:38:00Z\", GoVersion:\"go1.12.9\", Compiler:\"gc\", Platform:\"darwin\/amd64\"}\r\n<\/code><\/pre>\n
03-\u8d44\u6e90\u7684\u5206\u914d\u4e0e\u8ba1\u7b97<\/h1>\n
\u8bf7\u53c2\u8003\u539f\u59cb\u8d44\u6599\u6216\u8005\u786e\u8ba4\u8fd9\u91cc\u7684\u65e5\u6587\u7ffb\u8bd1\u6765\u4e86\u89e3\u6709\u5173\u8d44\u6e90\u7684\u8bf4\u660e\u3002
\n\u4e0b\u9762\u662f\u5728\u90e8\u7f72\u5b9e\u4f8b\u4e0a\u6267\u884c\u7684\u547d\u4ee4\u3002<\/p>\n
\u7f51\u7edc\u8fde\u63a5<\/h2>\n
\u865a\u62df\u79c1\u6709\u4e91 (VPC)<\/h3>\n
VPC_ID<\/span>=<\/span>$(<\/span>aws ec2 create-vpc --cidr-block<\/span> 10.240.0.0\/24 --output<\/span> text --query<\/span> 'Vpc.VpcId'<\/span>)<\/span>\r\naws ec2 create-tags --resources<\/span> ${<\/span>VPC_ID<\/span>}<\/span> --tags<\/span> Key<\/span>=<\/span>Name,Value=<\/span>kubernetes\r\naws ec2 modify-vpc-attribute --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> --enable-dns-support<\/span> '{\"Value\": true}'<\/span>\r\naws ec2 modify-vpc-attribute --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> --enable-dns-hostnames<\/span> '{\"Value\": true}'<\/span>\r\n<\/code><\/pre>\n
\u5b50\u7f51<\/h3>\n
SUBNET_ID<\/span>=<\/span>$(<\/span>aws ec2 create-subnet \\<\/span>\r\n  --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> \\<\/span>\r\n  --cidr-block<\/span> 10.240.0.0\/24 \\<\/span>\r\n  --output<\/span> text --query<\/span> 'Subnet.SubnetId'<\/span>)<\/span>\r\naws ec2 create-tags --resources<\/span> ${<\/span>SUBNET_ID<\/span>}<\/span> --tags<\/span> Key<\/span>=<\/span>Name,Value=<\/span>kubernetes\r\n<\/code><\/pre>\n
\u4e92\u8054\u7f51\u7f51\u5173<\/h3>\n
INTERNET_GATEWAY_ID<\/span>=<\/span>$(<\/span>aws ec2 create-internet-gateway --output<\/span> text --query<\/span> 'InternetGateway.InternetGatewayId'<\/span>)<\/span>\r\naws ec2 create-tags --resources<\/span> ${<\/span>INTERNET_GATEWAY_ID<\/span>}<\/span> --tags<\/span> Key<\/span>=<\/span>Name,Value=<\/span>kubernetes\r\naws ec2 attach-internet-gateway --internet-gateway-id<\/span> ${<\/span>INTERNET_GATEWAY_ID<\/span>}<\/span> --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span>\r\n<\/code><\/pre>\n
\u8def\u7531\u8868<\/h3>\n
ROUTE_TABLE_ID<\/span>=<\/span>$(<\/span>aws ec2 create-route-table --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> --output<\/span> text --query<\/span> 'RouteTable.RouteTableId'<\/span>)<\/span>\r\naws ec2 create-tags --resources<\/span> ${<\/span>ROUTE_TABLE_ID<\/span>}<\/span> --tags<\/span> Key<\/span>=<\/span>Name,Value=<\/span>kubernetes\r\naws ec2 associate-route-table --route-table-id<\/span> ${<\/span>ROUTE_TABLE_ID<\/span>}<\/span> --subnet-id<\/span> ${<\/span>SUBNET_ID<\/span>}<\/span>\r\naws ec2 create-route --route-table-id<\/span> ${<\/span>ROUTE_TABLE_ID<\/span>}<\/span> --destination-cidr-block<\/span> 0.0.0.0\/0 --gateway-id<\/span> ${<\/span>INTERNET_GATEWAY_ID<\/span>}<\/span>\r\n<\/code><\/pre>\n
\u5b89\u5168\u7ec4<\/h3>\n
SECURITY_GROUP_ID<\/span>=<\/span>$(<\/span>aws ec2 create-security-group \\<\/span>\r\n  --group-name<\/span> kubernetes \\<\/span>\r\n  --description<\/span> \"Kubernetes security group\"<\/span> \\<\/span>\r\n  --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> \\<\/span>\r\n  --output<\/span> text --query<\/span> 'GroupId'<\/span>)<\/span>\r\naws ec2 create-tags --resources<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --tags<\/span> Key<\/span>=<\/span>Name,Value=<\/span>kubernetes\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> all --cidr<\/span> 10.240.0.0\/24\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> all --cidr<\/span> 10.200.0.0\/16\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> tcp --port<\/span> 22 --cidr<\/span> 0.0.0.0\/0\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> tcp --port<\/span> 6443 --cidr<\/span> 0.0.0.0\/0\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> tcp --port<\/span> 443 --cidr<\/span> 0.0.0.0\/0\r\naws ec2 authorize-security-group-ingress --group-id<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> --protocol<\/span> icmp --port<\/span> -1<\/span> --cidr<\/span> 0.0.0.0\/0\r\n<\/code><\/pre>\n
\u521b\u5efaKubernetes\u516c\u5171\u8bbf\u95ee-\u521b\u5efa\u8d1f\u8f7d\u5747\u8861\u5668<\/h3>\n
  LOAD_BALANCER_ARN<\/span>=<\/span>$(<\/span>aws elbv2 create-load-balancer \\<\/span>\r\n    --name<\/span> kubernetes \\<\/span>\r\n    --subnets<\/span> ${<\/span>SUBNET_ID<\/span>}<\/span> \\<\/span>\r\n    --scheme<\/span> internet-facing \\<\/span>\r\n    --type<\/span> network \\<\/span>\r\n    --output<\/span> text --query<\/span> 'LoadBalancers[].LoadBalancerArn'<\/span>)<\/span>\r\n  TARGET_GROUP_ARN<\/span>=<\/span>$(<\/span>aws elbv2 create-target-group \\<\/span>\r\n    --name<\/span> kubernetes \\<\/span>\r\n    --protocol<\/span> TCP \\<\/span>\r\n    --port<\/span> 6443 \\<\/span>\r\n    --vpc-id<\/span> ${<\/span>VPC_ID<\/span>}<\/span> \\<\/span>\r\n    --target-type<\/span> ip \\<\/span>\r\n    --output<\/span> text --query<\/span> 'TargetGroups[].TargetGroupArn'<\/span>)<\/span>\r\n  aws elbv2 register-targets --target-group-arn<\/span> ${<\/span>TARGET_GROUP_ARN<\/span>}<\/span> --targets<\/span> Id<\/span>=<\/span>10.240.0.1{<\/span>0,1,2}<\/span>\r\n  aws elbv2 create-listener \\<\/span>\r\n    --load-balancer-arn<\/span> ${<\/span>LOAD_BALANCER_ARN<\/span>}<\/span> \\<\/span>\r\n    --protocol<\/span> TCP \\<\/span>\r\n    --port<\/span> 443 \\<\/span>\r\n    --default-actions<\/span> Type<\/span>=<\/span>forward,TargetGroupArn=<\/span>${<\/span>TARGET_GROUP_ARN<\/span>}<\/span> \\<\/span>\r\n    --output<\/span> text --query<\/span> 'Listeners[].ListenerArn'<\/span>\r\n<\/code><\/pre>\n
KUBERNETES_PUBLIC_ADDRESS<\/span>=<\/span>$(<\/span>aws elbv2 describe-load-balancers \\<\/span>\r\n  --load-balancer-arns<\/span> ${<\/span>LOAD_BALANCER_ARN<\/span>}<\/span> \\<\/span>\r\n  --output<\/span> text --query<\/span> 'LoadBalancers[].DNSName'<\/span>)<\/span>\r\n<\/code><\/pre>\n
\u6240\u6709\u7684\u5b9e\u4f8b<\/h2>\n
\u793a\u4f8b\u56fe\u50cf<\/h3>\n
IMAGE_ID<\/span>=<\/span>$(<\/span>aws ec2 describe-images --owners<\/span> 099720109477 \\<\/span>\r\n  --filters<\/span> \\<\/span>\r\n  'Name=root-device-type,Values=ebs'<\/span> \\<\/span>\r\n  'Name=architecture,Values=x86_64'<\/span> \\<\/span>\r\n  'Name=name,Values=ubuntu\/images\/hvm-ssd\/ubuntu-bionic-18.04-amd64-server-*'<\/span> \\<\/span>\r\n  | jq -r<\/span> '.Images|sort_by(.Name)[-1]|.ImageId'<\/span>)<\/span>\r\n<\/code><\/pre>\n
SSH\u5bc6\u94a5\u5bf9<\/h3>\n
aws ec2 create-key-pair --key-name<\/span> kubernetes --output<\/span> text --query<\/span> 'KeyMaterial'<\/span> ><\/span> kubernetes.id_rsa\r\nchmod <\/span>600 kubernetes.id_rsa\r\n<\/code><\/pre>\n
Kubernetes\u63a7\u5236\u8282\u70b9<\/h3>\n
\u8fd9\u6b21\u6211\u4eec\u5c06\u4f7f\u7528t3.micro\u5b9e\u4f8b\u3002<\/p>\n
for <\/span>i in <\/span>0 1 2;<\/span> do\r\n  <\/span>instance_id<\/span>=<\/span>$(<\/span>aws ec2 run-instances \\<\/span>\r\n    --associate-public-ip-address<\/span> \\<\/span>\r\n    --image-id<\/span> ${<\/span>IMAGE_ID<\/span>}<\/span> \\<\/span>\r\n    --count<\/span> 1 \\<\/span>\r\n    --key-name<\/span> kubernetes \\<\/span>\r\n    --security-group-ids<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> \\<\/span>\r\n    --instance-type<\/span> t3.micro \\<\/span>\r\n    --private-ip-address<\/span> 10.240.0.1${<\/span>i<\/span>}<\/span> \\<\/span>\r\n    --user-data<\/span> \"name=controller-<\/span>${<\/span>i<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --subnet-id<\/span> ${<\/span>SUBNET_ID<\/span>}<\/span> \\<\/span>\r\n    --block-device-mappings<\/span>=<\/span>'{\"DeviceName\": \"\/dev\/sda1\", \"Ebs\": { \"VolumeSize\": 50 }, \"NoDevice\": \"\" }'<\/span> \\<\/span>\r\n    --output<\/span> text --query<\/span> 'Instances[].InstanceId'<\/span>)<\/span>\r\n  aws ec2 modify-instance-attribute --instance-id<\/span> ${<\/span>instance_id<\/span>}<\/span> --no-source-dest-check<\/span>\r\n  aws ec2 create-tags --resources<\/span> ${<\/span>instance_id<\/span>}<\/span> --tags<\/span> \"Key=Name,Value=controller-<\/span>${<\/span>i<\/span>}<\/span>\"<\/span>\r\n  echo<\/span> \"controller-<\/span>${<\/span>i<\/span>}<\/span> created \"<\/span>\r\ndone<\/span>\r\n<\/code><\/pre>\n
Kubernetes \u5de5\u4f5c\u8282\u70b9<\/h3>\n
for <\/span>i in <\/span>0 1 2;<\/span> do\r\n  <\/span>instance_id<\/span>=<\/span>$(<\/span>aws ec2 run-instances \\<\/span>\r\n    --associate-public-ip-address<\/span> \\<\/span>\r\n    --image-id<\/span> ${<\/span>IMAGE_ID<\/span>}<\/span> \\<\/span>\r\n    --count<\/span> 1 \\<\/span>\r\n    --key-name<\/span> kubernetes \\<\/span>\r\n    --security-group-ids<\/span> ${<\/span>SECURITY_GROUP_ID<\/span>}<\/span> \\<\/span>\r\n    --instance-type<\/span> t3.micro \\<\/span>\r\n    --private-ip-address<\/span> 10.240.0.2${<\/span>i<\/span>}<\/span> \\<\/span>\r\n    --user-data<\/span> \"name=worker-<\/span>${<\/span>i<\/span>}<\/span>|pod-cidr=10.200.<\/span>${<\/span>i<\/span>}<\/span>.0\/24\"<\/span> \\<\/span>\r\n    --subnet-id<\/span> ${<\/span>SUBNET_ID<\/span>}<\/span> \\<\/span>\r\n    --block-device-mappings<\/span>=<\/span>'{\"DeviceName\": \"\/dev\/sda1\", \"Ebs\": { \"VolumeSize\": 50 }, \"NoDevice\": \"\" }'<\/span> \\<\/span>\r\n    --output<\/span> text --query<\/span> 'Instances[].InstanceId'<\/span>)<\/span>\r\n  aws ec2 modify-instance-attribute --instance-id<\/span> ${<\/span>instance_id<\/span>}<\/span> --no-source-dest-check<\/span>\r\n  aws ec2 create-tags --resources<\/span> ${<\/span>instance_id<\/span>}<\/span> --tags<\/span> \"Key=Name,Value=worker-<\/span>${<\/span>i<\/span>}<\/span>\"<\/span>\r\n  echo<\/span> \"worker-<\/span>${<\/span>i<\/span>}<\/span> created\"<\/span>\r\ndone<\/span>\r\n<\/code><\/pre>\n
04-\u8fdb\u884c\u8ba4\u8bc1\u673a\u6784\uff08CA\uff09\u7684\u914d\u7f6e\u548c\u751f\u6210TLS\u8bc1\u4e66\u7684\u8fc7\u7a0b\u3002<\/h1>\n
\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528CloudFlare\u7684PKI\u5de5\u5177\u5305cfssl\u6765\u914d\u7f6ePKI\u57fa\u7840\u8bbe\u65bd\u3002\u7136\u540e\uff0c\u6211\u4eec\u5c06\u4f7f\u7528PKI\u57fa\u7840\u8bbe\u65bd\u521b\u5efa\u8ba4\u8bc1\u673a\u6784\uff0c\u5e76\u751f\u6210admin\u3001etcd\u3001kube-apiserver\u3001kube-controller-manager\u3001kube-scheduler\u3001kubelet\u548ckube-proxy\u7b49\u7ec4\u4ef6\u6240\u9700\u7684TLS\u8bc1\u4e66\u3002<\/p>\n
\u5efa\u7acb\u8ba4\u8bc1\u673a\u6784(CA)<\/h2>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4e3a\u751f\u6210TLS\u8bc1\u4e66\u914d\u7f6e\u8ba4\u8bc1\u673a\u6784(CA)\u3002<\/p>\n
\u9996\u5148\uff0c\u751f\u6210CA\u8bbe\u7f6e\u6587\u4ef6\u3001CA\u81ea\u8eab\u7684\u8bc1\u4e66\u4ee5\u53ca\u79c1\u94a5\u3002<\/p>\n
cat > ca-config.json <<EOF\r\n{\r\n  \"signing\": {\r\n    \"default\": {\r\n      \"expiry\": \"8760h\"\r\n    },\r\n    \"profiles\": {\r\n      \"kubernetes\": {\r\n        \"usages\": [\"signing\", \"key encipherment\", \"server auth\", \"client auth\"],\r\n        \"expiry\": \"8760h\"\r\n      }\r\n    }\r\n  }\r\n}\r\nEOF\r\n\r\ncat > ca-csr.json <<EOF\r\n{\r\n  \"CN\": \"Kubernetes\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"Kubernetes\",\r\n      \"OU\": \"CA\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert -initca ca-csr.json | cfssljson -bare ca\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
ca-key.pem\r\nca.pem\r\n<\/code><\/pre>\n
\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7684\u8bc1\u4e66\u9881\u53d1<\/h2>\n
\u5728\u6b64\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4e3a\u6bcf\u4e2aKubernetes\u7ec4\u4ef6\u751f\u6210\u7528\u4e8e\u5ba2\u6237\u7aef\u8ba4\u8bc1\u548c\u670d\u52a1\u5668\u8ba4\u8bc1\u7684\u8bc1\u4e66\uff0c\u4ee5\u53ca\u7528\u4e8eKubernetes\u7ba1\u7406\u5458\u7528\u6237\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\u3002<\/p>\n
\u7ba1\u7406\u54e1\u7528\u7684\u5ba2\u6236\u7aef\u8b49\u66f8<\/h3>\n
\u9996\u5148\uff0c\u751f\u6210\u7ba1\u7406\u5458\u7528\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\u548c\u79c1\u94a5\u3002<\/p>\n
cat > admin-csr.json <<EOF\r\n{\r\n  \"CN\": \"admin\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"system:masters\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -profile=kubernetes \\\r\n  admin-csr.json | cfssljson -bare admin\r\n<\/code><\/pre>\n
\u4ea7\u751f\u4e4b\u7269<\/p>\n
admin-key.pem\r\nadmin.pem\r\n<\/code><\/pre>\n
Kubelet\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66<\/h3>\n
Kubernetes\u5229\u7528\u7279\u6b8a\u7528\u9014\u7684\u8ba4\u8bc1\u6a21\u5f0f\u79f0\u4e3aNode Authorizer\u3002<\/p>\n
\u8fd9\u5c06\u4e13\u95e8\u5bf9\u6765\u81eaKubelets\u7684API\u8bf7\u6c42\u8fdb\u884c\u8ba4\u8bc1\u3002<\/p>\n
\u4e3a\u4e86\u5bf9Node Authorizer\u8fdb\u884c\u6388\u6743\uff0cKubelet\u9700\u8981\u521b\u5efa\u4e00\u4e2a\u8bc1\u4e66\uff0c\u8be5\u8bc1\u4e66\u9700\u8981\u4f7f\u7528”system:node:”\u4f5c\u4e3a\u7528\u6237\u540d\uff0c\u5e76\u5728”system:nodes”\u7ec4\u4e2d\u8fdb\u884c\u8ba4\u8bc1\u3002<\/p>\n
\u5728\u6b64\u6b65\u9aa4\u4e2d\uff0c\u5c06\u4e3a\u6bcf\u4e2aKubernetes\u5de5\u4f5c\u8282\u70b9\u9881\u53d1\u6ee1\u8db3\u8282\u70b9\u6388\u6743\u8005\u8981\u6c42\u7684\u8bc1\u4e66\u548c\u5bc6\u94a5\u3002<\/p>\n
for i in 0 1 2; do\r\n  instance=\"worker-${i}\"\r\n  instance_hostname=\"ip-10-240-0-2${i}\"\r\n  cat > ${instance}-csr.json <<EOF\r\n{\r\n  \"CN\": \"system:node:${instance_hostname}\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"system:nodes\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  internal_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PrivateIpAddress')\r\n\r\n  cfssl gencert \\\r\n    -ca=ca.pem \\\r\n    -ca-key=ca-key.pem \\\r\n    -config=ca-config.json \\\r\n    -hostname=${instance_hostname},${external_ip},${internal_ip} \\\r\n    -profile=kubernetes \\\r\n    worker-${i}-csr.json | cfssljson -bare worker-${i}\r\ndone\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
worker-0-key.pem\r\nworker-0.pem\r\nworker-1-key.pem\r\nworker-1.pem\r\nworker-2-key.pem\r\nworker-2.pem\r\n<\/code><\/pre>\n
kube-controller-manager\u5ba2\u6237\u7aef\u8bc1\u4e66<\/h3>\n
kube-controller-manager\u53d1\u884c\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66\u548c\u79c1\u94a5\u3002<\/p>\n
cat > kube-controller-manager-csr.json <<EOF\r\n{\r\n  \"CN\": \"system:kube-controller-manager\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"system:kube-controller-manager\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -profile=kubernetes \\\r\n  kube-controller-manager-csr.json | cfssljson -bare kube-controller-manager\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kube-controller-manager-key.pem\r\nkube-controller-manager.pem\r\n<\/code><\/pre>\n
kube-proxy\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66<\/h3>\n
\u4e3akube-proxy\u5ba2\u6237\u7aef\u751f\u6210\u8bc1\u4e66\u548c\u79c1\u94a5\u3002<\/p>\n
cat > kube-proxy-csr.json <<EOF\r\n{\r\n  \"CN\": \"system:kube-proxy\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"system:node-proxier\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -profile=kubernetes \\\r\n  kube-proxy-csr.json | cfssljson -bare kube-proxy\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kube-proxy-key.pem\r\nkube-proxy.pem\r\n<\/code><\/pre>\n
kube-scheduler\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66<\/h3>\n
\u751f\u6210\u7528\u4e8e kube-scheduler \u5ba2\u6237\u7aef\u7684\u8bc1\u4e66\u548c\u79c1\u94a5\u3002<\/p>\n
cat > kube-scheduler-csr.json <<EOF\r\n{\r\n  \"CN\": \"system:kube-scheduler\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"system:kube-scheduler\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -profile=kubernetes \\\r\n  kube-scheduler-csr.json | cfssljson -bare kube-scheduler\r\n\r\n<\/code><\/pre>\n
\u4ea7\u751f\u7684\u4e1c\u897f<\/p>\n
kube-scheduler-key.pem\r\nkube-scheduler.pem\r\n<\/code><\/pre>\n
Kubernetes API\u670d\u52a1\u5668\u6240\u9700\u7684\u8bc1\u4e66<\/h3>\n
\u5728Kubernetes\u7684\u201cthe hard way\u201d\u4e2d\uff0c\u9700\u8981\u5c06static IP\u5730\u5740\u6dfb\u52a0\u5230Kubernetes API\u670d\u52a1\u5668\u8bc1\u4e66\u7684SAN\uff08\u4e3b\u9898\u5907\u7528\u540d\u79f0\uff09\u5217\u8868\u4e2d\u3002<\/p>\n
\u901a\u8fc7\u8fd9\u4e2a\u65b9\u6cd5\uff0c\u5916\u90e8\u5ba2\u6237\u4e5f\u53ef\u4ee5\u8fdb\u884c\u8bc1\u4e66\u9a8c\u8bc1\u3002<\/p>\n
\u751f\u6210Kubernetes API\u670d\u52a1\u5668\u7684\u8bc1\u4e66\u548c\u5bc6\u94a5\u3002<\/p>\n
cat > kubernetes-csr.json <<EOF\r\n{\r\n  \"CN\": \"kubernetes\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"Kubernetes\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -hostname=10.32.0.1,10.240.0.10,10.240.0.11,10.240.0.12,${KUBERNETES_PUBLIC_ADDRESS},127.0.0.1,kubernetes.default \\\r\n  -profile=kubernetes \\\r\n  kubernetes-csr.json | cfssljson -bare kubernetes\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kubernetes-key.pem\r\nkubernetes.pem\r\n<\/code><\/pre>\n
\u670d\u52a1\u5e10\u6237\u7684\u5bc6\u94a5\u5bf9<\/h2>\n
\u6839\u636e\u670d\u52a1\u8d26\u6237\u7ba1\u7406\u6587\u6863\uff0cKubernetes\u63a7\u5236\u5668\u7ba1\u7406\u5668\u4f7f\u7528\u5bc6\u94a5\u5bf9\u6765\u751f\u6210\u548c\u7b7e\u540d\u670d\u52a1\u8d26\u6237\u7684\u4ee4\u724c\u3002<\/p>\n
\u53d1\u884c\u670d\u52a1\u5e10\u6237\u7684\u8bc1\u4e66\u548c\u5bc6\u94a5\u3002<\/p>\n
cat > service-account-csr.json <<EOF\r\n{\r\n  \"CN\": \"service-accounts\",\r\n  \"key\": {\r\n    \"algo\": \"rsa\",\r\n    \"size\": 2048\r\n  },\r\n  \"names\": [\r\n    {\r\n      \"C\": \"US\",\r\n      \"L\": \"Portland\",\r\n      \"O\": \"Kubernetes\",\r\n      \"OU\": \"Kubernetes The Hard Way\",\r\n      \"ST\": \"Oregon\"\r\n    }\r\n  ]\r\n}\r\nEOF\r\n\r\ncfssl gencert \\\r\n  -ca=ca.pem \\\r\n  -ca-key=ca-key.pem \\\r\n  -config=ca-config.json \\\r\n  -profile=kubernetes \\\r\n  service-account-csr.json | cfssljson -bare service-account\r\n\r\n<\/code><\/pre>\n
\u751f\u6210\u7269 – \u4ea7\u54c1\u6216\u4ea7\u7269<\/p>\n
service-account-key.pem\r\nservice-account.pem\r\n<\/code><\/pre>\n
\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u8bc1\u4e66\u7684\u90e8\u7f72<\/h2>\n
\u5c06\u8bc1\u4e66\u548c\u79d8\u94a5\u590d\u5236\uff0c\u5e76\u90e8\u7f72\u5230\u6bcf\u4e2a\u5de5\u4f5c\u5b9e\u4f8b\u4e0a\u3002
\n\uff08\u90e8\u7f72\u5185\u5bb9\uff1aCA\u8bc1\u4e66\u3001API\u670d\u52a1\u5668\u8bc1\u4e66\u3001\u5de5\u4f5c\u8282\u70b9\u8bc1\u4e66\u548c\u79d8\u94a5\uff09<\/p>\n
for instance in worker-0 worker-1 worker-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  scp -i kubernetes.id_rsa ca.pem ${instance}-key.pem ${instance}.pem ubuntu@${external_ip}:~\/\r\ndone\r\n<\/code><\/pre>\n
\u5c06\u8bc1\u4e66\u9881\u53d1\u673a\u6784\uff08CA\uff09\u7684\u8bc1\u4e66\u3001API\u670d\u52a1\u5668\u7684\u8bc1\u4e66\u548c\u79c1\u94a5\u3001\u4ee5\u53ca\u7528\u4e8e\u751f\u6210\u670d\u52a1\u5e10\u6237\u7684\u5bc6\u94a5\u5bf9\u540c\u6837\u653e\u7f6e\u5728\u63a7\u5236\u5668\u5b9e\u4f8b\u4e0a\u3002<\/p>\n
for instance in controller-0 controller-1 controller-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  scp -i kubernetes.id_rsa \\\r\n    ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \\\r\n    service-account-key.pem service-account.pem ubuntu@${external_ip}:~\/\r\ndone\r\n<\/code><\/pre>\n
kube-proxy\u3001kube-controller-manager\u3001kube-scheduler\u3001kubelet \u8fd9\u4e9b\u5ba2\u6237\u7aef\u8bc1\u4e66\u662f\u7528\u4e8e\u751f\u6210\u5ba2\u6237\u7aef\u8ba4\u8bc1\u914d\u7f6e\u6587\u4ef6\u7684\u4ee5\u4e0b\u6b65\u9aa4\u3002<\/p><\/blockquote>\n
05-\u751f\u6210\u7528\u4e8e\u8ba4\u8bc1\u7684kubeconfig\u6587\u4ef6\u3002<\/h1>\n
\u5728\u8be5\u6b65\u9aa4\u4e2d\uff0cKubernetes API\u670d\u52a1\u5668\u4f1a\u751f\u6210kubeconfigs\uff08Kubernetes\u914d\u7f6e\u6587\u4ef6\uff09\uff0c\u4ee5\u4fbf\u914d\u7f6e\u548c\u8ba4\u8bc1Kubernetes\u5ba2\u6237\u7aef\u3002<\/p>\n
\u5ba2\u6237\u8ba4\u8bc1\u8bbe\u7f6e<\/h2>\n
\u9996\u5148\uff0c\u751f\u6210conttoller-manager\u3001kubelet\u3001kube-proxy\u3001scheduler\u4ee5\u53ca\u7ba1\u7406\u5458\u7528\u6237\u7684kubeconfig\u6587\u4ef6\u3002<\/p>\n
Kubernetes\u7684\u516c\u5171DNS\u5730\u5740 (Kubernetes de DNS<\/h3>\n
\u4e3a\u4e86\u5b9e\u73b0\u9ad8\u53ef\u7528\u6027\uff0c\u6bcf\u4e2akubeconfig\u5fc5\u987b\u80fd\u591f\u8fde\u63a5\u5230Kubernetes API\u670d\u52a1\u5668\u3002
\n\u4e3a\u6b64\uff0c\u4f7f\u7528\u5728Kubernetes API\u670d\u52a1\u5668\u4e4b\u524d\u8bbe\u7f6e\u7684\u5916\u90e8\u8d1f\u8f7d\u5747\u8861\u5668\u7684IP\u5730\u5740\u3002<\/p>\n
\u83b7\u53d6\u5e76\u8bbe\u7f6ekubernetes-the-hard-way\u7684DNS\u5730\u5740\u3002<\/p>\n
KUBERNETES_PUBLIC_ADDRESS=$(aws elbv2 describe-load-balancers \\\r\n  --load-balancer-arns ${LOAD_BALANCER_ARN} \\\r\n  --output text --query 'LoadBalancers[0].DNSName')\r\n<\/code><\/pre>\n
\u751f\u6210kubelet\u7684kubeconfigs<\/h3>\n
\u5f53\u751f\u6210kubelet\u7684kubeconfig\u6587\u4ef6\u65f6\uff0c\u9700\u8981\u4f7f\u7528\u4e0ekubelet\u8282\u70b9\u540d\u79f0\u76f8\u540c\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\u3002
\n\u8fd9\u5c06\u4f7f\u5f97kubelet\u80fd\u591f\u88abKubernetes\u7684\u8282\u70b9\u6388\u6743\u5668\u6240\u8ba4\u53ef\u3002<\/p>\n
\u4e3a\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u751f\u6210kubeconfig\u3002<\/p>\n
for instance in worker-0 worker-1 worker-2; do\r\n  kubectl config set-cluster kubernetes-the-hard-way \\\r\n    --certificate-authority=ca.pem \\\r\n    --embed-certs=true \\\r\n    --server=https:\/\/${KUBERNETES_PUBLIC_ADDRESS}:443 \\\r\n    --kubeconfig=${instance}.kubeconfig\r\n\r\n  kubectl config set-credentials system:node:${instance} \\\r\n    --client-certificate=${instance}.pem \\\r\n    --client-key=${instance}-key.pem \\\r\n    --embed-certs=true \\\r\n    --kubeconfig=${instance}.kubeconfig\r\n\r\n  kubectl config set-context default \\\r\n    --cluster=kubernetes-the-hard-way \\\r\n    --user=system:node:${instance} \\\r\n    --kubeconfig=${instance}.kubeconfig\r\n\r\n  kubectl config use-context default --kubeconfig=${instance}.kubeconfig\r\ndone\r\n<\/code><\/pre>\n
\u4ea7\u751f\u7684\u7269\u8d28<\/p>\n
worker-0.kubeconfig\r\nworker-1.kubeconfig\r\nworker-2.kubeconfig\r\n<\/code><\/pre>\n
\u751f\u6210kube-proxy\u7684kubeconfig\u6587\u4ef6\u3002<\/h3>\n
\u4e5f\u4f1a\u751f\u6210kube-proxy\u7684kubeconfig\u3002<\/p>\n
kubectl config set-cluster kubernetes-the-hard-way \\\r\n  --certificate-authority=ca.pem \\\r\n  --embed-certs=true \\\r\n  --server=https:\/\/${KUBERNETES_PUBLIC_ADDRESS}:443 \\\r\n  --kubeconfig=kube-proxy.kubeconfig\r\n\r\nkubectl config set-credentials system:kube-proxy \\\r\n  --client-certificate=kube-proxy.pem \\\r\n  --client-key=kube-proxy-key.pem \\\r\n  --embed-certs=true \\\r\n  --kubeconfig=kube-proxy.kubeconfig\r\n\r\nkubectl config set-context default \\\r\n  --cluster=kubernetes-the-hard-way \\\r\n  --user=system:kube-proxy \\\r\n  --kubeconfig=kube-proxy.kubeconfig\r\n\r\nkubectl config use-context default --kubeconfig=kube-proxy.kubeconfig\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kube-proxy.kubeconfig\r\n<\/code><\/pre>\n
kube-controller-manager\u7684kubeconfig<\/h3>\n
\u751f\u6210 kube-controller-manager \u7684 kubeconfig\u3002<\/p>\n
kubectl config set-cluster kubernetes-the-hard-way \\\r\n  --certificate-authority=ca.pem \\\r\n  --embed-certs=true \\\r\n  --server=https:\/\/127.0.0.1:6443 \\\r\n  --kubeconfig=kube-controller-manager.kubeconfig\r\n\r\nkubectl config set-credentials system:kube-controller-manager \\\r\n  --client-certificate=kube-controller-manager.pem \\\r\n  --client-key=kube-controller-manager-key.pem \\\r\n  --embed-certs=true \\\r\n  --kubeconfig=kube-controller-manager.kubeconfig\r\n\r\nkubectl config set-context default \\\r\n  --cluster=kubernetes-the-hard-way \\\r\n  --user=system:kube-controller-manager \\\r\n  --kubeconfig=kube-controller-manager.kubeconfig\r\n\r\nkubectl config use-context default --kubeconfig=kube-controller-manager.kubeconfig\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kube-controller-manager.kubeconfig\r\n<\/code><\/pre>\n
kube-scheduler\u7684kubeconfig<\/h3>\n
\u751f\u6210kube-scheduler\u7684kubeconfig\u6587\u4ef6\u3002<\/p>\n
kubectl config set-cluster kubernetes-the-hard-way \\\r\n  --certificate-authority=ca.pem \\\r\n  --embed-certs=true \\\r\n  --server=https:\/\/127.0.0.1:6443 \\\r\n  --kubeconfig=kube-scheduler.kubeconfig\r\n\r\nkubectl config set-credentials system:kube-scheduler \\\r\n  --client-certificate=kube-scheduler.pem \\\r\n  --client-key=kube-scheduler-key.pem \\\r\n  --embed-certs=true \\\r\n  --kubeconfig=kube-scheduler.kubeconfig\r\n\r\nkubectl config set-context default \\\r\n  --cluster=kubernetes-the-hard-way \\\r\n  --user=system:kube-scheduler \\\r\n  --kubeconfig=kube-scheduler.kubeconfig\r\n\r\nkubectl config use-context default --kubeconfig=kube-scheduler.kubeconfig\r\n<\/code><\/pre>\n
\u4ea7\u7269<\/p>\n
kube-scheduler.kubeconfig\r\n<\/code><\/pre>\n
\u7ba1\u7406\u5458\u7528\u6237\u7684kubeconfig<\/h3>\n
\u751f\u6210admin\u7528\u6237\u7684kubeconfig\u3002<\/p>\n
kubectl config set-cluster kubernetes-the-hard-way \\\r\n  --certificate-authority=ca.pem \\\r\n  --embed-certs=true \\\r\n  --server=https:\/\/127.0.0.1:6443 \\\r\n  --kubeconfig=admin.kubeconfig\r\n\r\nkubectl config set-credentials admin \\\r\n  --client-certificate=admin.pem \\\r\n  --client-key=admin-key.pem \\\r\n  --embed-certs=true \\\r\n  --kubeconfig=admin.kubeconfig\r\n\r\nkubectl config set-context default \\\r\n  --cluster=kubernetes-the-hard-way \\\r\n  --user=admin \\\r\n  --kubeconfig=admin.kubeconfig\r\n\r\nkubectl config use-context default --kubeconfig=admin.kubeconfig\r\n<\/code><\/pre>\n
\u4ea7\u751f\u7684\u4e1c\u897f<\/p>\n
admin.kubeconfig\r\n<\/code><\/pre>\n
\u5c06kubeconfig\u6587\u4ef6\u5206\u53d1<\/h2>\n
\u5c06kubelet\u548ckube-proxy\u7684kubecnofig\u590d\u5236\u5e76\u653e\u7f6e\u5230\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u4e0a\u3002<\/p>\n
for instance in worker-0 worker-1 worker-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  scp -i kubernetes.id_rsa \\\r\n    ${instance}.kubeconfig kube-proxy.kubeconfig ubuntu@${external_ip}:~\/\r\ndone\r\n<\/code><\/pre>\n
\u5c06 kube-controller-manager \u548c kube-scheduler \u7684 kubeconfig \u590d\u5236\u5e76\u653e\u7f6e\u5230\u6bcf\u4e2a\u63a7\u5236\u8282\u70b9\u4e0a\u3002<\/p>\n
for instance in controller-0 controller-1 controller-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  scp -i kubernetes.id_rsa \\\r\n    admin.kubeconfig kube-controller-manager.kubeconfig kube-scheduler.kubeconfig ubuntu@${external_ip}:~\/\r\ndone\r\n<\/code><\/pre>\n
06-\u8bbe\u7f6e\u52a0\u5bc6\u548c\u5bc6\u94a5\u751f\u6210\u7684\u8bbe\u5b9a<\/h1>\n
Kubernetes\u5b58\u50a8\u7740\u5305\u62ec\u96c6\u7fa4\u72b6\u6001\u3001\u5e94\u7528\u7a0b\u5e8f\u914d\u7f6e\u3001\u654f\u611f\u4fe1\u606f\u7b49\u5404\u79cd\u6570\u636e\u3002<\/p>\n
Kubernetes\u63d0\u4f9b\u4e86\u5728\u96c6\u7fa4\u4e2d\u52a0\u5bc6\u5b58\u50a8\u6570\u636e\u7684\u529f\u80fd\u3002<\/p>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u751f\u6210\u4e0eKubernetes Secrets\u52a0\u5bc6\u76f8\u5339\u914d\u7684\u52a0\u5bc6\u5bc6\u94a5\u548c\u52a0\u5bc6\u8bbe\u7f6e\u3002<\/p>\n
\u52a0\u5bc6\u5bc6\u94a5<\/h2>\n
\u751f\u6210\u7528\u4e8e\u52a0\u5bc6\u7684\u5bc6\u94a5\u3002<\/p>\n
ENCRYPTION_KEY=$(head -c 32 \/dev\/urandom | base64)\r\n<\/code><\/pre>\n
\u52a0\u5bc6\u8bbe\u7f6e\u6587\u4ef6<\/h2>\n
\u751f\u6210encryption-config.yaml\u6587\u4ef6\u7528\u4e8e\u8bbe\u7f6e\u52a0\u5bc6\u914d\u7f6e\u3002<\/p>\n
cat > encryption-config.yaml <<EOF\r\nkind: EncryptionConfig\r\napiVersion: v1\r\nresources:\r\n  - resources:\r\n      - secrets\r\n    providers:\r\n      - aescbc:\r\n          keys:\r\n            - name: key1\r\n              secret: ${ENCRYPTION_KEY}\r\n      - identity: {}\r\nEOF\r\n<\/code><\/pre>\n
\u5c06\u6b64encryption-config.yaml\u6587\u4ef6\u590d\u5236\uff0c\u5e76\u653e\u7f6e\u5728\u6bcf\u4e2a\u63a7\u5236\u8282\u70b9\u4e0a\u3002<\/p>\n
\r\nfor <\/span>instance in <\/span>controller-0 controller-1 controller-2;<\/span> do\r\n  <\/span>external_ip<\/span>=<\/span>$(<\/span>aws ec2 describe-instances \\<\/span>\r\n    --filters<\/span> \"Name=tag:Name,Values=<\/span>${<\/span>instance<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --output<\/span> text --query<\/span> 'Reservations[].Instances[].PublicIpAddress'<\/span>)<\/span>\r\n\r\n  scp -i<\/span> kubernetes.id_rsa encryption-config.yaml ubuntu@${<\/span>external_ip<\/span>}<\/span>:~\/\r\ndone<\/span>\r\n<\/code><\/pre>\n
\u542f\u52a807-etcd<\/h1>\n
Kubernetes\u7684\u6bcf\u4e2a\u7ec4\u4ef6\u90fd\u662f\u65e0\u72b6\u6001\u7684\uff0c\u96c6\u7fa4\u7684\u72b6\u6001\u5b58\u50a8\u548c\u7ba1\u7406\u5728etcd\u4e2d\u3002\uff08\u4e5f\u5c31\u662f\u8bf4etcd\u975e\u5e38\u91cd\u8981\uff09<\/p>\n
\u5728\u8fd9\u4e2a\u8fc7\u7a0b\u4e2d\uff0c\u6211\u4eec\u5c06\u6784\u5efa\u4e00\u4e2a\u75313\u4e2a\u8282\u70b9\u7ec4\u6210\u7684etcd\u96c6\u7fa4\uff0c\u4ee5\u5b9e\u73b0\u9ad8\u53ef\u7528\u6027\u548c\u5b89\u5168\u7684\u5916\u90e8\u8bbf\u95ee\u3002<\/p>\n
\u51c6\u5907<\/h2>\n
\u5728controller-0\u3001controller-1\u548ccontroller-2\u7684\u6bcf\u4e2a\u63a7\u5236\u5668\u5b9e\u4f8b\u4e0a\uff0c\u9700\u8981\u6267\u884c\u8be5\u6b65\u9aa4\u7684\u547d\u4ee4\u3002<\/p>\n
\u8bf7\u4f7f\u7528SSH\u547d\u4ee4\u767b\u5f55\u6240\u6709\u63a7\u5236\u5668\u8282\u70b9\uff0c\u6309\u4ee5\u4e0b\u6b65\u9aa4\u64cd\u4f5c\u3002<\/p>\n
for instance in controller-0 controller-1 controller-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  echo ssh -i kubernetes.id_rsa ubuntu@$external_ip\r\ndone\r\n<\/code><\/pre>\n
\u4ee5\u4e0b\u662f\u4ece\u8fd9\u91cc\u5f00\u59cb\u7684\u6b65\u9aa4\uff0c\u9700\u8981\u901a\u8fc7\u524d\u9762\u7684\u547d\u4ee4\u8f93\u51fa\u7684\u6bcf\u4e2aIP\u5730\u5740\u8fdb\u884cssh\u8fde\u63a5\u3002
\n\uff08\u4e5f\u5c31\u662f\u8bf4\uff0c\u5728\u6240\u6709\u4e09\u4e2a\u5b9e\u4f8b\u4e0a\u90fd\u9700\u8981\u6267\u884c\u76f8\u540c\u7684\u547d\u4ee4\uff09<\/p>\n
\u4f7f\u7528tmux\u5e76\u884c\u8fd0\u884c\u547d\u4ee4\u3002<\/h3>\n
\u5982\u679c\u4f7f\u7528tmux\uff0c\u5c31\u80fd\u591f\u8f7b\u677e\u5730\u5728\u591a\u4e2a\u5b9e\u4f8b\u4e2d\u540c\u65f6\u6267\u884c\u547d\u4ee4\u3002\u8bf7\u67e5\u770b\u8fd9\u91cc\u3002<\/p>\n
etcd\u96c6\u7fa4\u6210\u5458\u7684\u542f\u52a8<\/h2>\n
\u8bf7\u6ce8\u610f\uff0c\u4ee5\u4e0b\u6b65\u9aa4\u9700\u8981\u5728\u6bcf\u4e2a\u63a7\u5236\u5668\u5b9e\u4f8b\u4e2d\u6267\u884c\u3002<\/p>\n
\u4e0b\u8f7d\u548c\u5b89\u88c5etcd\u3002<\/h3>\n
\u4eceGitHub\u4e0a\u4e0b\u8f7detcd\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002<\/p>\n
wget -q --show-progress --https-only --timestamping \\\r\n  \"https:\/\/github.com\/etcd-io\/etcd\/releases\/download\/v3.3.10\/etcd-v3.3.10-linux-amd64.tar.gz\"\r\n<\/code><\/pre>\n
\u89e3\u538b\u4eceDL\u4e0b\u8f7d\u7684\u6587\u4ef6\uff0c\u63d0\u53d6etcd\u670d\u52a1\u5668\u548cetcdctl\u547d\u4ee4\u884c\u5de5\u5177\u3002<\/p>\n
tar -xvf etcd-v3.3.10-linux-amd64.tar.gz\r\nsudo mv etcd-v3.3.10-linux-amd64\/etcd* \/usr\/local\/bin\/\r\n<\/code><\/pre>\n
etcd\u670d\u52a1\u5668\u7684\u914d\u7f6e<\/h3>\n
sudo mkdir -p \/etc\/etcd \/var\/lib\/etcd\r\nsudo cp ca.pem kubernetes-key.pem kubernetes.pem \/etc\/etcd\/\r\n<\/code><\/pre>\n
\u5b9e\u4f8b\u7684\u5185\u90e8IP\u5730\u5740\u7528\u4e8e\u63a5\u6536\u5ba2\u6237\u7aef\u8bf7\u6c42\u5e76\u5728etcd\u96c6\u7fa4\u4e4b\u95f4\u8fdb\u884c\u901a\u4fe1\u3002<\/p>\n
\u83b7\u53d6\u5f53\u524dEC2\u5b9e\u4f8b\u7684\u5185\u90e8IP\u5730\u5740\u3002<\/p>\n
INTERNAL_IP=$(curl -s http:\/\/169.254.169.254\/latest\/meta-data\/local-ipv4)\r\n<\/code><\/pre>\n
\u6bcf\u4e2aetcd\u6210\u5458\u5728etcd\u96c6\u7fa4\u4e2d\u5fc5\u987b\u5177\u6709\u552f\u4e00\u7684\u540d\u79f0\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u5c06\u5f53\u524d\u6b63\u5728\u4f7f\u7528\u7684EC2\u5b9e\u4f8b\u7684\u4e3b\u673a\u540d\u8bbe\u7f6e\u4e3aetcd\u7684\u540d\u79f0\u3002<\/p>\n
ETCD_NAME=$(curl -s http:\/\/169.254.169.254\/latest\/user-data\/ \\\r\n  | tr \"|\" \"\\n\" | grep \"^name\" | cut -d\"=\" -f2)\r\necho \"${ETCD_NAME}\"\r\n<\/code><\/pre>\n
\u521b\u5efasystemd\u7684unit\u6587\u4ef6\uff0c\u5c06\u5176\u547d\u540d\u4e3aetcd.service\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/etcd.service\r\n[Unit]\r\nDescription=etcd\r\nDocumentation=https:\/\/github.com\/coreos\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/etcd \\\\\r\n  --name ${ETCD_NAME} \\\\\r\n  --cert-file=\/etc\/etcd\/kubernetes.pem \\\\\r\n  --key-file=\/etc\/etcd\/kubernetes-key.pem \\\\\r\n  --peer-cert-file=\/etc\/etcd\/kubernetes.pem \\\\\r\n  --peer-key-file=\/etc\/etcd\/kubernetes-key.pem \\\\\r\n  --trusted-ca-file=\/etc\/etcd\/ca.pem \\\\\r\n  --peer-trusted-ca-file=\/etc\/etcd\/ca.pem \\\\\r\n  --peer-client-cert-auth \\\\\r\n  --client-cert-auth \\\\\r\n  --initial-advertise-peer-urls https:\/\/${INTERNAL_IP}:2380 \\\\\r\n  --listen-peer-urls https:\/\/${INTERNAL_IP}:2380 \\\\\r\n  --listen-client-urls https:\/\/${INTERNAL_IP}:2379,https:\/\/127.0.0.1:2379 \\\\\r\n  --advertise-client-urls https:\/\/${INTERNAL_IP}:2379 \\\\\r\n  --initial-cluster-token etcd-cluster-0 \\\\\r\n  --initial-cluster controller-0=https:\/\/10.240.0.10:2380,controller-1=https:\/\/10.240.0.11:2380,controller-2=https:\/\/10.240.0.12:2380 \\\\\r\n  --initial-cluster-state new \\\\\r\n  --data-dir=\/var\/lib\/etcd\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
\u542f\u52a8etcd\u670d\u52a1\u5668<\/h3>\n
sudo systemctl daemon-reload\r\nsudo systemctl enable etcd\r\nsudo systemctl start etcd\r\n<\/code><\/pre>\n
\u8bf7\u5c06\u4e4b\u524d\u6240\u8ff0\u7684\u5185\u5bb9\u7528\u6bcf\u4e2a\u63a7\u5236\u5668\u8282\u70b9controller-0\u3001controller-1\u3001controller-2\u6765\u6267\u884c\u3002<\/p><\/blockquote>\n
\u786e\u5b9a<\/h2>\n
\u6211\u4f1a\u68c0\u67e5etcd\u96c6\u7fa4\u3002<\/p>\n
sudo ETCDCTL_API=3 etcdctl member list \\\r\n  --endpoints=https:\/\/127.0.0.1:2379 \\\r\n  --cacert=\/etc\/etcd\/ca.pem \\\r\n  --cert=\/etc\/etcd\/kubernetes.pem \\\r\n  --key=\/etc\/etcd\/kubernetes-key.pem\r\n<\/code><\/pre>\n
\u51fa\u529b\u6837\u4f8b<\/p>\n
3a57933972cb5131, started, controller-2, https:\/\/10.240.0.12:2380, https:\/\/10.240.0.12:2379\r\nf98dc20bce6225a0, started, controller-0, https:\/\/10.240.0.10:2380, https:\/\/10.240.0.10:2379\r\nffed16798470cab5, started, controller-1, https:\/\/10.240.0.11:2380, https:\/\/10.240.0.11:2379\r\n<\/code><\/pre>\n
08-\u542f\u52a8Kubernetes\u63a7\u5236\u9762\u677f<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u4e09\u4e2a\u5b9e\u4f8b\u6765\u521b\u5efa\u9ad8\u53ef\u7528\u7684Kubernetes\u63a7\u5236\u5e73\u9762\u3002<\/p>\n
\u53e6\u5916\uff0c\u8fd8\u9700\u8981\u521b\u5efa\u5916\u90e8\u8d1f\u8f7d\u5747\u8861\u5668\u6765\u5c06Kubernetes API\u670d\u52a1\u5668\u516c\u5f00\u7ed9\u5916\u90e8\u5ba2\u6237\u7aef\u3002<\/p>\n
\u5728\u6bcf\u4e2a\u8282\u70b9\u4e0a\u5b89\u88c5Kubernetes API Server\u3001Scheduler\u548cController Manager\u7ec4\u4ef6\u3002<\/p>\n
\u5148\u51b3\u6761\u4ef6<\/h2>\n
\u5728\u8fd9\u4e00\u6b65\u4e2d\uff0c\u9700\u8981\u5728controller-0\u3001controller-1\u548ccontroller-2\u7684\u6bcf\u4e2a\u63a7\u5236\u7ebf\u5b9e\u4f8b\u4e0a\u6267\u884c\u4e0e\u524d\u4e00\u6b65\u76f8\u540c\u7684\u64cd\u4f5c\u3002<\/p>\n
\u5728\u6bcf\u4e2a\u63a7\u5236\u8282\u70b9\u4e0a\u4f7f\u7528ssh\u547d\u4ee4\u767b\u5f55\u5e76\u6267\u884c\u6307\u4ee4\u3002<\/p>\n
\u5982\u679c\u60a8\u5df2\u7ecf\u767b\u5f55\u5230\u6bcf\u4e2a\u63a7\u5236\u8282\u70b9\u4e0a\uff0c\u8bf7\u8df3\u5230\u4e0b\u4e00\u6b65\u7684\u201cKubernetes\u63a7\u5236\u5e73\u9762\u7684\u914d\u7f6e\u201d\u90e8\u5206\u3002<\/p>\n
for instance in controller-0 controller-1 controller-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  echo ssh -i kubernetes.id_rsa ubuntu@$external_ip\r\ndone\r\n<\/code><\/pre>\n
\u4ece\u8fd9\u91cc\u5f00\u59cb\uff0c\u9700\u8981\u6309\u7167\u524d\u4e00\u4e2a\u547d\u4ee4\u8f93\u51fa\u7684\u6bcf\u4e2aIP\u5730\u5740\u8fdb\u884cssh\u8fde\u63a5\u3002
\n\uff08\u4e5f\u5c31\u662f\u8bf4\uff0c\u5728\u8fd93\u4e2a\u5b9e\u4f8b\u4e0a\u90fd\u9700\u8981\u6267\u884c\u76f8\u540c\u7684\u547d\u4ee4\u3002\uff09<\/p>\n
\u4f7f\u7528tmux\u540c\u65f6\u8fd0\u884c\u591a\u4e2a\u547d\u4ee4<\/h3>\n
\u4f7f\u7528tmux\uff0c\u60a8\u53ef\u4ee5\u5728\u591a\u4e2a\u5b9e\u4f8b\u4e2d\u8f7b\u677e\u540c\u65f6\u8fd0\u884c\u547d\u4ee4\u3002\u8bf7\u53c2\u9605\u6b64\u94fe\u63a5\u3002<\/p>\n
Kubernetes\u63a7\u5236\u5e73\u9762\u7684\u914d\u7f6e\u751f\u6210<\/h2>\n
\u521b\u5efa\u4e00\u4e2a\u5b58\u653eKubernetes\u914d\u7f6e\u6587\u4ef6\u7684\u76ee\u5f55\u3002<\/p>\n
sudo mkdir -p \/etc\/kubernetes\/config\r\n<\/code><\/pre>\n
Kubernetes\u63a7\u5236\u5668\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u7684\u4e0b\u8f7d\u548c\u5b89\u88c5<\/h3>\n
\u4e0b\u8f7dKubernetes\u5b98\u65b9\u7684\u53d1\u884c\u7248\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002<\/p>\n
wget -q --show-progress --https-only --timestamping \\\r\n  \"https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kube-apiserver\" \\\r\n  \"https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kube-controller-manager\" \\\r\n  \"https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kube-scheduler\" \\\r\n  \"https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kubectl\"\r\n<\/code><\/pre>\n
\u5b89\u88c5\u5df2\u4e0b\u8f7d\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002<\/p>\n
chmod +x kube-apiserver kube-controller-manager kube-scheduler kubectl\r\nsudo mv kube-apiserver kube-controller-manager kube-scheduler kubectl \/usr\/local\/bin\/\r\n<\/code><\/pre>\n
Kubernetes API\u670d\u52a1\u5668\u7684\u914d\u7f6e<\/h3>\n
sudo mkdir -p \/var\/lib\/kubernetes\/\r\n\r\nsudo mv ca.pem ca-key.pem kubernetes-key.pem kubernetes.pem \\\r\n  service-account-key.pem service-account.pem \\\r\n  encryption-config.yaml \/var\/lib\/kubernetes\/\r\n<\/code><\/pre>\n
\u4e3a\u4e86\u5c06API\u670d\u52a1\u5668\u901a\u77e5\u7ed9\u7fa4\u96c6\u6210\u5458\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u5b9e\u4f8b\u7684\u5185\u90e8IP\u5730\u5740\u4f5c\u4e3a\u8bbe\u7f6e\u3002<\/p>\n
\u83b7\u53d6\u5f53\u524dEC2\u5b9e\u4f8b\u7684\u5185\u90e8IP\u5730\u5740\u3002<\/p>\n
INTERNAL_IP=$(curl -s http:\/\/169.254.169.254\/latest\/meta-data\/local-ipv4)\r\n<\/code><\/pre>\n
\u751f\u6210kube-apiserver.service\u7684systemd\u5355\u4f4d\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/kube-apiserver.service\r\n[Unit]\r\nDescription=Kubernetes API Server\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/kube-apiserver \\\\\r\n  --advertise-address=${INTERNAL_IP} \\\\\r\n  --allow-privileged=true \\\\\r\n  --apiserver-count=3 \\\\\r\n  --audit-log-maxage=30 \\\\\r\n  --audit-log-maxbackup=3 \\\\\r\n  --audit-log-maxsize=100 \\\\\r\n  --audit-log-path=\/var\/log\/audit.log \\\\\r\n  --authorization-mode=Node,RBAC \\\\\r\n  --bind-address=0.0.0.0 \\\\\r\n  --client-ca-file=\/var\/lib\/kubernetes\/ca.pem \\\\\r\n  --enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota \\\\\r\n  --enable-swagger-ui=true \\\\\r\n  --encryption-provider-config=\/var\/lib\/kubernetes\/encryption-config.yaml \\\\\r\n  --etcd-cafile=\/var\/lib\/kubernetes\/ca.pem \\\\\r\n  --etcd-certfile=\/var\/lib\/kubernetes\/kubernetes.pem \\\\\r\n  --etcd-keyfile=\/var\/lib\/kubernetes\/kubernetes-key.pem \\\\\r\n  --etcd-servers=https:\/\/10.240.0.10:2379,https:\/\/10.240.0.11:2379,https:\/\/10.240.0.12:2379 \\\\\r\n  --event-ttl=1h \\\\\r\n  --kubelet-certificate-authority=\/var\/lib\/kubernetes\/ca.pem \\\\\r\n  --kubelet-client-certificate=\/var\/lib\/kubernetes\/kubernetes.pem \\\\\r\n  --kubelet-client-key=\/var\/lib\/kubernetes\/kubernetes-key.pem \\\\\r\n  --kubelet-https=true \\\\\r\n  --runtime-config=api\/all \\\\\r\n  --service-account-key-file=\/var\/lib\/kubernetes\/service-account.pem \\\\\r\n  --service-cluster-ip-range=10.32.0.0\/24 \\\\\r\n  --service-node-port-range=30000-32767 \\\\\r\n  --tls-cert-file=\/var\/lib\/kubernetes\/kubernetes.pem \\\\\r\n  --tls-private-key-file=\/var\/lib\/kubernetes\/kubernetes-key.pem \\\\\r\n  --v=2\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
\u53c2\u8003: https:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kube-apiserver\/<\/p>\n
\u53c2\u8003\uff1ahttps:\/\/kubernetes.io\/docs\/reference\/command-line-tools-reference\/kube-apiserver\/<\/p>\n
Kubernetes \u63a7\u5236\u5668\u7ba1\u7406\u5668\u7684\u914d\u7f6e\u8bbe\u7f6e<\/h3>\n
\u5c06kube-controller-manager\u7684kubeconfig\u6587\u4ef6\u79fb\u52a8\u3002<\/p>\n
sudo mv kube-controller-manager.kubeconfig \/var\/lib\/kubernetes\/\r\n<\/code><\/pre>\n
\u751f\u6210 kube-controller-manager.service \u7684 systemd \u5355\u5143\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/kube-controller-manager.service\r\n[Unit]\r\nDescription=Kubernetes Controller Manager\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/kube-controller-manager \\\\\r\n  --address=0.0.0.0 \\\\\r\n  --cluster-cidr=10.200.0.0\/16 \\\\\r\n  --cluster-name=kubernetes \\\\\r\n  --cluster-signing-cert-file=\/var\/lib\/kubernetes\/ca.pem \\\\\r\n  --cluster-signing-key-file=\/var\/lib\/kubernetes\/ca-key.pem \\\\\r\n  --kubeconfig=\/var\/lib\/kubernetes\/kube-controller-manager.kubeconfig \\\\\r\n  --leader-elect=true \\\\\r\n  --root-ca-file=\/var\/lib\/kubernetes\/ca.pem \\\\\r\n  --service-account-private-key-file=\/var\/lib\/kubernetes\/service-account-key.pem \\\\\r\n  --service-cluster-ip-range=10.32.0.0\/24 \\\\\r\n  --use-service-account-credentials=true \\\\\r\n  --v=2\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
Kubernetes\u8c03\u5ea6\u7a0b\u5e8f\u7684\u914d\u7f6e<\/h3>\n
sudo mkdir -p \/etc\/kubernetes\/config\/\r\n<\/code><\/pre>\n
\u5c06kube-scheduler\u7684kubeconfig\u6587\u4ef6\u79fb\u52a8\u3002<\/p>\n
sudo mv kube-scheduler.kubeconfig \/var\/lib\/kubernetes\/\r\n<\/code><\/pre>\n
\u6211\u4f1a\u521b\u5efa\u4e00\u4e2a\u540d\u4e3akube-scheduler.yaml\u7684\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/kubernetes\/config\/kube-scheduler.yaml\r\napiVersion: kubescheduler.config.k8s.io\/v1alpha1\r\nkind: KubeSchedulerConfiguration\r\nclientConnection:\r\n  kubeconfig: \"\/var\/lib\/kubernetes\/kube-scheduler.kubeconfig\"\r\nleaderElection:\r\n  leaderElect: true\r\nEOF\r\n<\/code><\/pre>\n
\u751f\u6210kube-scheduler.service\u7684systemd\u5355\u5143\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/kube-scheduler.service\r\n[Unit]\r\nDescription=Kubernetes Scheduler\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/kube-scheduler \\\\\r\n  --config=\/etc\/kubernetes\/config\/kube-scheduler.yaml \\\\\r\n  --v=2\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
\u63a7\u5236\u5668\u670d\u52a1\u7684\u542f\u52a8<\/h3>\n
sudo systemctl daemon-reload\r\nsudo systemctl enable kube-apiserver kube-controller-manager kube-scheduler\r\nsudo systemctl start kube-apiserver kube-controller-manager kube-scheduler\r\n<\/code><\/pre>\n
Kubernetes API\u670d\u52a1\u5668\u9700\u8981\u5927\u7ea630\u79d2\u7684\u65f6\u95f4\u5b8c\u6210\u521d\u59cb\u5316\u3002<\/p><\/blockquote>\n
\u6211\u5c06\u68c0\u67e5\u63a7\u5236\u5668\u7ec4\u4ef6\u7684\u72b6\u6001\u3002<\/p>\n
kubectl get componentstatuses\r\n<\/code><\/pre>\n
\u53d1\u6325\u6f5c\u80fd<\/p>\n
NAME                 STATUS    MESSAGE             ERROR\r\ncontroller-manager   Healthy   ok\r\nscheduler            Healthy   ok\r\netcd-0               Healthy   {\"health\":\"true\"}\r\netcd-2               Healthy   {\"health\":\"true\"}\r\netcd-1               Healthy   {\"health\":\"true\"}\r\n<\/code><\/pre>\n
\u592a\u597d\u4e86\uff01\u63a7\u5236\u9762\u677f\u5df2\u7ecf\u542f\u52a8\u4e86\uff01<\/p>\n
kubelet\u7684RBAC\u8eab\u4efd\u9a8c\u8bc1<\/h2>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528RBAC\u8bbe\u7f6e\u8bbf\u95ee\u6743\u9650\uff0c\u4f7fKubernetes API\u670d\u52a1\u5668\u80fd\u591f\u8bbf\u95ee\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u7684Kubelet API\u3002<\/p>\n
\u8981\u83b7\u53d6\u6307\u6807\u548c\u65e5\u5fd7\u4fe1\u606f\uff0c\u4ee5\u53ca\u5728Pod\u5185\u6267\u884c\u547d\u4ee4\uff0c\u9700\u8981\u901a\u8fc7Kubernetes API\u670d\u52a1\u5668\u8bbf\u95ee\u5230Kubelet API\u3002<\/p>\n
\u5728\u672c\u6559\u7a0b\u4e2d\uff0c\u6211\u4eec\u5c06\u4e3aKubelet\u7684authorization-mode\u6807\u5fd7\u8bbe\u7f6e\u4e3aWebhook\u3002
\nWebhook\u6a21\u5f0f\u5c06\u4f7f\u7528SubjectAccessReview API\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002<\/p><\/blockquote>\n
\u8bf7\u767b\u5f55\u5230\u9002\u5f53\u7684\u63a7\u5236\u8282\u70b9\uff0c\u5e76\u4ec5\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u4e00\u6b21\uff0c\u8fd9\u5c06\u5728\u6574\u4e2a\u96c6\u7fa4\u4e2d\u53d1\u6325\u4f5c\u7528\u3002\u4e3a\u4e86\u907f\u514d\u51fa\u9519\uff0c\u4ee5\u4e0b\u662f\u4ece\u90e8\u7f72\u5b9e\u4f8b\u767b\u5f55\u5230controller-0\u8282\u70b9\u7684\u6b65\u9aa4\u3002<\/p>\n
external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=controller-0\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\nssh -i kubernetes.id_rsa ubuntu@${external_ip}\r\n<\/code><\/pre>\n
\u6211\u4eec\u5c06\u521b\u5efa\u4e00\u4e2a\u540d\u4e3akube-apiserver-to-kubelet\u7684ClusterRole\u3002<\/p>\n
\u6211\u5011\u5c07\u6388\u4e88\u9019\u500b\u89d2\u8272\u5c0d Kubelet API \u7684\u8a2a\u554f\u6b0a\u9650\uff0c\u4ee5\u57f7\u884c\u8207\u7ba1\u7406\u83a2\u8259\u76f8\u95dc\u7684\u4efb\u52d9\u3002<\/p>\n
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -\r\napiVersion: rbac.authorization.k8s.io\/v1beta1\r\nkind: ClusterRole\r\nmetadata:\r\n  annotations:\r\n    rbac.authorization.kubernetes.io\/autoupdate: \"true\"\r\n  labels:\r\n    kubernetes.io\/bootstrapping: rbac-defaults\r\n  name: system:kube-apiserver-to-kubelet\r\nrules:\r\n  - apiGroups:\r\n      - \"\"\r\n    resources:\r\n      - nodes\/proxy\r\n      - nodes\/stats\r\n      - nodes\/log\r\n      - nodes\/spec\r\n      - nodes\/metrics\r\n    verbs:\r\n      - \"*\"\r\nEOF\r\n<\/code><\/pre>\n
Kubernetes API\u670d\u52a1\u5668\u5c06\u4f7f\u7528\u901a\u8fc7–kubelet-client-certificate\u6807\u5fd7\u5b9a\u4e49\u7684\u5ba2\u6237\u7aef\u8bc1\u4e66\u6765\u5bf9Kubelet\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\uff0c\u4f5c\u4e3aKubernetes\u7528\u6237\u3002<\/p>\n
\u5c06kube-apiserver-to-kubelet\u7684ClusterRole\u7ed1\u5b9a\u7ed9kubernetes\u7528\u6237\u3002<\/p>\n
cat <<EOF | kubectl apply --kubeconfig admin.kubeconfig -f -\r\napiVersion: rbac.authorization.k8s.io\/v1beta1\r\nkind: ClusterRoleBinding\r\nmetadata:\r\n  name: system:kube-apiserver\r\n  namespace: \"\"\r\nroleRef:\r\n  apiGroup: rbac.authorization.k8s.io\r\n  kind: ClusterRole\r\n  name: system:kube-apiserver-to-kubelet\r\nsubjects:\r\n  - apiGroup: rbac.authorization.k8s.io\r\n    kind: User\r\n    name: kubernetes\r\nEOF\r\n<\/code><\/pre>\n
\u542f\u7528Kubernetes\u96c6\u7fa4\u7684\u516c\u5171\u7ec8\u7ed3\u70b9<\/h3>\n
\u8bf7\u5728\u90e8\u7f72\u5b9e\u4f8b\uff08\u7528\u4e8e\u521b\u5efa\u5404\u4e2aAWS\u8d44\u6e90\u7684\u5b9e\u4f8b\uff09\u4e0a\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
\u83b7\u53d6Kubernetes-the-hard-way\u8d1f\u8f7d\u5747\u8861\u5668\u7684\u5730\u5740\u3002<\/p>\n
KUBERNETES_PUBLIC_ADDRESS=$(aws elbv2 describe-load-balancers \\\r\n  --load-balancer-arns ${LOAD_BALANCER_ARN} \\\r\n  --output text --query 'LoadBalancers[].DNSName')\r\n<\/code><\/pre>\n
\u521b\u5efaHTTP\u8bf7\u6c42\u5e76\u83b7\u53d6Kubernetes\u7248\u672c\u4fe1\u606f\u3002<\/p>\n
curl -k --cacert ca.pem https:\/\/${KUBERNETES_PUBLIC_ADDRESS}\/version\r\n<\/code><\/pre>\n
\u8f93\u51fa\u793a\u4f8b<\/p>\n
{\r\n  \"major\": \"1\",\r\n  \"minor\": \"13\",\r\n  \"gitVersion\": \"v1.13.4\",\r\n  \"gitCommit\": \"c27b913fddd1a6c480c229191a087698aa92f0b1\",\r\n  \"gitTreeState\": \"clean\",\r\n  \"buildDate\": \"2019-02-28T13:30:26Z\",\r\n  \"goVersion\": \"go1.11.5\",\r\n  \"compiler\": \"gc\",\r\n  \"platform\": \"linux\/amd64\"\r\n}\r\n<\/code><\/pre>\n
09-\u542f\u52a8\u5de5\u4f5c\u8282\u70b9<\/h1>\n
\u5728\u8fd9\u4e00\u6b65\u4e2d\uff0c\u6211\u4eec\u5c06\u5f15\u5bfc\u4e09\u4e2aKubernetes\u5de5\u4f5c\u8282\u70b9\u3002<\/p>\n
\u5c06\u4e0b\u9762\u7684\u7ec4\u4ef6\u5b89\u88c5\u5230\u6bcf\u4e2a\u8282\u70b9\u4e0a\u3002<\/p>\n
runc, gVisor, \u5bb9\u5668\u7f51\u7edc\u63d2\u4ef6, containerd, kubelet, kube-proxy<\/p>\n
\u51c6\u5907<\/h2>\n
\u8fd9\u4e9b\u6b65\u9aa4\u4e2d\u6240\u63d0\u5230\u7684\u547d\u4ee4\u9700\u8981\u5728worker-0\u3001worker-1\u3001worker-2\u7684\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u4e0a\u6267\u884c\u3002<\/p>\n
\u4e3a\u6b64\uff0c\u9996\u5148\u4f7f\u7528ssh\u547d\u4ee4\u767b\u5f55\u5230\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u3002<\/p>\n
for instance in worker-0 worker-1 worker-2; do\r\n  external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=${instance}\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\n  echo ssh -i kubernetes.id_rsa ubuntu@$external_ip\r\ndone\r\n<\/code><\/pre>\n
\u4ece\u8fd9\u91cc\u5f00\u59cb\uff0c\u6309\u7167\u5148\u524d\u7684\u547d\u4ee4\u8f93\u51fa\u7684\u6bcf\u4e2aIP\u5730\u5740\u8fdb\u884cssh\u8fde\u63a5\u3002\uff08\u6362\u53e5\u8bdd\u8bf4\uff0c\u9700\u8981\u5728\u6240\u6709\u4e09\u4e2a\u5b9e\u4f8b\u4e0a\u6267\u884c\u76f8\u540c\u7684\u547d\u4ee4\uff09<\/p>\n
\u4f7f\u7528tmux\u5e76\u884c\u8fd0\u884c\u547d\u4ee4\u3002<\/h3>\n
\u5982\u679c\u4f7f\u7528tmux\uff0c\u60a8\u53ef\u4ee5\u8f7b\u677e\u5730\u5728\u591a\u4e2a\u5b9e\u4f8b\u4e2d\u540c\u65f6\u8fd0\u884c\u547d\u4ee4\u3002\u8bf7\u67e5\u770b \u8fd9\u91cc\u3002<\/p>\n
Kubernetes\u5de5\u4f5c\u8282\u70b9\u7684\u914d\u7f6e\u8bbe\u7f6e<\/h2>\n
\u5b89\u88c5\u6240\u9700\u7684\u5e93\u3002<\/p>\n
sudo apt-get update\r\nsudo apt-get -y install socat conntrack ipset\r\n<\/code><\/pre>\n
socat\u662fkubectl port-forward\u547d\u4ee4\u6240\u5fc5\u9700\u7684\u3002<\/p><\/blockquote>\n
\u4e0b\u8f7d\u5e76\u5b89\u88c5\u5de5\u4f5c\u4eba\u5458\u7684\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002<\/h3>\n
wget -q --show-progress --https-only --timestamping \\\r\n  https:\/\/github.com\/kubernetes-sigs\/cri-tools\/releases\/download\/v1.15.0\/crictl-v1.15.0-linux-amd64.tar.gz \\\r\n  https:\/\/storage.googleapis.com\/kubernetes-the-hard-way\/runsc \\\r\n  https:\/\/github.com\/opencontainers\/runc\/releases\/download\/v1.0.0-rc8\/runc.amd64 \\\r\n  https:\/\/github.com\/containernetworking\/plugins\/releases\/download\/v0.8.2\/cni-plugins-linux-amd64-v0.8.2.tgz \\\r\n  https:\/\/github.com\/containerd\/containerd\/releases\/download\/v1.2.9\/containerd-1.2.9.linux-amd64.tar.gz \\\r\n  https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kubectl \\\r\n  https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kube-proxy \\\r\n  https:\/\/storage.googleapis.com\/kubernetes-release\/release\/v1.15.3\/bin\/linux\/amd64\/kubelet\r\n<\/code><\/pre>\n
\u6211\u521b\u5efa\u4e86\u8981\u5b89\u88c5\u7684\u76ee\u5f55\u3002<\/p>\n
sudo mkdir -p \\\r\n  \/etc\/cni\/net.d \\\r\n  \/opt\/cni\/bin \\\r\n  \/var\/lib\/kubelet \\\r\n  \/var\/lib\/kube-proxy \\\r\n  \/var\/lib\/kubernetes \\\r\n  \/var\/run\/kubernetes\r\n<\/code><\/pre>\n
\u5b89\u88c5\u5de5\u4eba\u4e8c\u8fdb\u5236\u6587\u4ef6\u3002<\/p>\n
chmod +x kubectl kube-proxy kubelet runc.amd64 runsc\r\nsudo mv runc.amd64 runc\r\nsudo mv kubectl kube-proxy kubelet runc runsc \/usr\/local\/bin\/\r\nsudo tar -xvf crictl-v1.15.0-linux-amd64.tar.gz -C \/usr\/local\/bin\/\r\nsudo tar -xvf cni-plugins-linux-amd64-v0.8.2.tgz -C \/opt\/cni\/bin\/\r\nsudo tar -xvf containerd-1.2.9.linux-amd64.tar.gz -C \/\r\n<\/code><\/pre>\n
CNI\u7f51\u7edc\u914d\u7f6e<\/h3>\n
\u83b7\u53d6\u5f53\u524dEC2\u5b9e\u4f8b\u7684Pod\u7684CIDR\u8303\u56f4\u3002<\/p>\n
POD_CIDR=$(curl -s http:\/\/169.254.169.254\/latest\/user-data\/ \\\r\n  | tr \"|\" \"\\n\" | grep \"^pod-cidr\" | cut -d\"=\" -f2)\r\necho \"${POD_CIDR}\"\r\n<\/code><\/pre>\n
\u6211\u5c06\u521b\u5efa\u4e00\u4e2a\u6865\u63a5\u7f51\u7edc\u7684\u8bbe\u7f6e\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/cni\/net.d\/10-bridge.conf\r\n{\r\n    \"cniVersion\": \"0.3.1\",\r\n    \"name\": \"bridge\",\r\n    \"type\": \"bridge\",\r\n    \"bridge\": \"cnio0\",\r\n    \"isGateway\": true,\r\n    \"ipMasq\": true,\r\n    \"ipam\": {\r\n        \"type\": \"host-local\",\r\n        \"ranges\": [\r\n          [{\"subnet\": \"${POD_CIDR}\"}]\r\n        ],\r\n        \"routes\": [{\"dst\": \"0.0.0.0\/0\"}]\r\n    }\r\n}\r\nEOF\r\n<\/code><\/pre>\n
\u6211\u5c06\u521b\u5efa\u4e00\u4e2a\u56de\u73af\u7f51\u7edc\u7684\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/cni\/net.d\/99-loopback.conf\r\n{\r\n    \"cniVersion\": \"0.3.1\",\r\n    \"type\": \"loopback\"\r\n}\r\nEOF\r\n<\/code><\/pre>\n
containerd\u7684\u914d\u7f6e<\/h3>\n
\u6211\u4f1a\u521b\u5efacontainerd\u7684\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
sudo mkdir -p \/etc\/containerd\/\r\n<\/code><\/pre>\n
cat << EOF | sudo tee \/etc\/containerd\/config.toml\r\n[plugins]\r\n  [plugins.cri.containerd]\r\n    snapshotter = \"overlayfs\"\r\n    [plugins.cri.containerd.default_runtime]\r\n      runtime_type = \"io.containerd.runtime.v1.linux\"\r\n      runtime_engine = \"\/usr\/local\/bin\/runc\"\r\n      runtime_root = \"\"\r\n    [plugins.cri.containerd.untrusted_workload_runtime]\r\n      runtime_type = \"io.containerd.runtime.v1.linux\"\r\n      runtime_engine = \"\/usr\/local\/bin\/runsc\"\r\n      runtime_root = \"\/run\/containerd\/runsc\"\r\nEOF\r\n<\/code><\/pre>\n
\u5982\u679c\u5b58\u5728\u4e0d\u53ef\u4fe1\u7684\u5de5\u4f5c\u8d1f\u8f7d\uff0c\u5c06\u4f7f\u7528gVisor\uff08runsc\uff09\u8fd0\u884c\u65f6\u3002<\/p><\/blockquote>\n
\u6211\u5c06\u521b\u5efa\u4e00\u4e2acontainerd.service\u7684systemd unit\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/containerd.service\r\n[Unit]\r\nDescription=containerd container runtime\r\nDocumentation=https:\/\/containerd.io\r\nAfter=network.target\r\n\r\n[Service]\r\nExecStartPre=\/sbin\/modprobe overlay\r\nExecStart=\/bin\/containerd\r\nRestart=always\r\nRestartSec=5\r\nDelegate=yes\r\nKillMode=process\r\nOOMScoreAdjust=-999\r\nLimitNOFILE=1048576\r\nLimitNPROC=infinity\r\nLimitCORE=infinity\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
Kubelet\u7684\u914d\u7f6e\u3002<\/h3>\n
WORKER_NAME=$(curl -s http:\/\/169.254.169.254\/latest\/user-data\/ \\\r\n| tr \"|\" \"\\n\" | grep \"^name\" | cut -d\"=\" -f2)\r\necho \"${WORKER_NAME}\"\r\n\r\nsudo mv ${WORKER_NAME}-key.pem ${WORKER_NAME}.pem \/var\/lib\/kubelet\/\r\nsudo mv ${WORKER_NAME}.kubeconfig \/var\/lib\/kubelet\/kubeconfig\r\nsudo mv ca.pem \/var\/lib\/kubernetes\/\r\n<\/code><\/pre>\n
\u6211\u5c06\u521b\u5efakubelet-config.yaml\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/var\/lib\/kubelet\/kubelet-config.yaml\r\nkind: KubeletConfiguration\r\napiVersion: kubelet.config.k8s.io\/v1beta1\r\nauthentication:\r\n  anonymous:\r\n    enabled: false\r\n  webhook:\r\n    enabled: true\r\n  x509:\r\n    clientCAFile: \"\/var\/lib\/kubernetes\/ca.pem\"\r\nauthorization:\r\n  mode: Webhook\r\nclusterDomain: \"cluster.local\"\r\nclusterDNS:\r\n  - \"10.32.0.10\"\r\npodCIDR: \"${POD_CIDR}\"\r\nruntimeRequestTimeout: \"15m\"\r\ntlsCertFile: \"\/var\/lib\/kubelet\/${WORKER_NAME}.pem\"\r\ntlsPrivateKeyFile: \"\/var\/lib\/kubelet\/${WORKER_NAME}-key.pem\"\r\nresolvConf: \"\/run\/systemd\/resolve\/resolv.conf\"\r\nEOF\r\n<\/code><\/pre>\n
\u6211\u4f1a\u521b\u5efakubelet.servicesystemd\u5355\u5143\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/kubelet.service\r\n[Unit]\r\nDescription=Kubernetes Kubelet\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\nAfter=containerd.service\r\nRequires=containerd.service\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/kubelet \\\\\r\n  --config=\/var\/lib\/kubelet\/kubelet-config.yaml \\\\\r\n  --container-runtime=remote \\\\\r\n  --container-runtime-endpoint=unix:\/\/\/var\/run\/containerd\/containerd.sock \\\\\r\n  --image-pull-progress-deadline=2m \\\\\r\n  --kubeconfig=\/var\/lib\/kubelet\/kubeconfig \\\\\r\n  --network-plugin=cni \\\\\r\n  --register-node=true \\\\\r\n  --v=2\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
Kubernetes\u4ee3\u7406\u7684\u8bbe\u7f6e<\/h3>\n
sudo mv kube-proxy.kubeconfig \/var\/lib\/kube-proxy\/kubeconfig\r\n<\/code><\/pre>\n
\u521b\u5efakube-proxy-config.yaml\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/var\/lib\/kube-proxy\/kube-proxy-config.yaml\r\nkind: KubeProxyConfiguration\r\napiVersion: kubeproxy.config.k8s.io\/v1alpha1\r\nclientConnection:\r\n  kubeconfig: \"\/var\/lib\/kube-proxy\/kubeconfig\"\r\nmode: \"iptables\"\r\nclusterCIDR: \"10.200.0.0\/16\"\r\nEOF\r\n<\/code><\/pre>\n
\u521b\u5efa kube-proxy-config.yaml \u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n
cat <<EOF | sudo tee \/etc\/systemd\/system\/kube-proxy.service\r\n[Unit]\r\nDescription=Kubernetes Kube Proxy\r\nDocumentation=https:\/\/github.com\/kubernetes\/kubernetes\r\n\r\n[Service]\r\nExecStart=\/usr\/local\/bin\/kube-proxy \\\\\r\n  --config=\/var\/lib\/kube-proxy\/kube-proxy-config.yaml\r\nRestart=on-failure\r\nRestartSec=5\r\n\r\n[Install]\r\nWantedBy=multi-user.target\r\nEOF\r\n<\/code><\/pre>\n
\u542f\u52a8\u5de5\u4eba\u670d\u52a1\u7ec4<\/h3>\n
sudo systemctl daemon-reload\r\nsudo systemctl enable containerd kubelet kube-proxy\r\nsudo systemctl start containerd kubelet kube-proxy\r\n<\/code><\/pre>\n
\u8bf7\u6ce8\u610f\uff0c\u4ee5\u4e0b\u64cd\u4f5c\u8bf7\u5728\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9worker-0\uff0cworker-1\u548cworker-2\u4e0a\u6267\u884c\uff01<\/p><\/blockquote>\n
\u786e\u5b9a<\/h2>\n
\u76ee\u524d\u5de5\u4f5c\u4e2d\u7684\u5b9e\u4f8b\uff08\u5de5\u4f5c\u8282\u70b9\uff09\u6ca1\u6709\u6743\u9650\u5b8c\u6210\u6b64\u6b65\u9aa4\u3002
\n\u56e0\u6b64\uff0c\u8bf7\u767b\u5f55\u4efb\u610f\u63a7\u5236\u8282\u70b9\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002
\n\u4ee5\u4e0b\u547d\u4ee4\u662f\u4ece\u90e8\u7f72\u5b9e\u4f8b\uff08\u7528\u4e8e\u521b\u5efa\u5404AWS\u8d44\u6e90\u7684\u5b9e\u4f8b\uff09\u767b\u5f55\u5230controller-0\u8282\u70b9\u5f00\u59cb\u7684\u3002<\/p><\/blockquote>\n
\u663e\u793a\u5df2\u6ce8\u518c\u7684Kubernetes\u8282\u70b9\u5217\u8868\u3002<\/p>\n
external_ip=$(aws ec2 describe-instances \\\r\n    --filters \"Name=tag:Name,Values=controller-0\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n\r\nssh -i kubernetes.id_rsa ubuntu@${external_ip}\r\n\r\nkubectl get nodes --kubeconfig admin.kubeconfig\r\n<\/code><\/pre>\n
\u53d1\u6325\u4f5c\u7528<\/p>\n
NAME             STATUS   ROLES    AGE   VERSION\r\nip-10-240-0-20   Ready    <none>   51s   v1.13.4\r\nip-10-240-0-21   Ready    <none>   51s   v1.13.4\r\nip-10-240-0-22   Ready    <none>   51s   v1.13.4\r\n<\/code><\/pre>\n
socat, conntrack, ipset\u306e\u305d\u308c\u305e\u308c\u306e\u5f79\u5272\u304c\u3088\u304f\u308f\u304b\u3063\u3066\u3044\u306a\u3044\r\n\r\nAWS\u3001GCP\u3068\u3082\u306b169.254.169.254\u3068\u3044\u3046IP\u30a2\u30c9\u30ec\u30b9\u306f\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u30e1\u30bf\u30c7\u30fc\u30bf\u306e\u53d6\u5f97\u306b\u4f7f\u308f\u308c\u308b\r\n\r\nCNI\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306e\u8a2d\u5b9a\u306e\u6240\u3001\u4f55\u3084\u3063\u3066\u308b\u304b\u3082\u3046\u4e00\u5ea6\u5fa9\u7fd2\u3059\u308b\u5fc5\u8981\u3042\u308a\r\n<\/code><\/pre>\n
\u7528\u4e8e\u8fdc\u7a0b\u8bbf\u95ee\u7684kubectl\u914d\u7f6e\u6587\u4ef6-10<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u57fa\u4e8eadmin\u7528\u6237\u7684\u51ed\u8bc1\u751f\u6210kubectl\u547d\u4ee4\u884c\u5b9e\u7528\u7a0b\u5e8f\u6240\u9700\u7684kubeconfig\u6587\u4ef6\u3002<\/p>\n
\u5728\u8fd9\u4e00\u6b65\u4e2d\uff0c\u8bf7\u5728\u4e0e\u7528\u4e8e\u751f\u6210admin\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684\u76ee\u5f55\u76f8\u540c\u7684\u76ee\u5f55\u4e2d\u6267\u884c\u547d\u4ee4\u3002<\/p><\/blockquote>\n
Kubernetes\u7ba1\u7406\u8a2d\u5b9a\u6a94\u6848<\/h2>\n
\u6bcf\u4e2a kubeconfig \u9700\u8981\u80fd\u591f\u8fde\u63a5\u5230 Kubernetes API \u670d\u52a1\u5668\u3002<\/p>\n
\u4e3a\u4e86\u5b9e\u73b0\u9ad8\u53ef\u7528\u6027\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u5206\u914d\u7ed9Kubernetes API\u670d\u52a1\u5668\u524d\u7684\u5916\u90e8\u8d1f\u8f7d\u5747\u8861\u5668\u7684IP\u5730\u5740\u3002<\/p>\n
\u521b\u5efa\u9002\u7528\u4e8e\u7ba1\u7406\u5458\u7528\u6237\u8eab\u4efd\u9a8c\u8bc1\u7684kubeconfig\u6587\u4ef6\u3002<\/p>\n
KUBERNETES_PUBLIC_ADDRESS=$(aws elbv2 describe-load-balancers \\\r\n--load-balancer-arns ${LOAD_BALANCER_ARN} \\\r\n--output text --query 'LoadBalancers[].DNSName')\r\n\r\nkubectl config set-cluster kubernetes-the-hard-way \\\r\n  --certificate-authority=ca.pem \\\r\n  --embed-certs=true \\\r\n  --server=https:\/\/${KUBERNETES_PUBLIC_ADDRESS}:443\r\n\r\nkubectl config set-credentials admin \\\r\n  --client-certificate=admin.pem \\\r\n  --client-key=admin-key.pem\r\n\r\nkubectl config set-context kubernetes-the-hard-way \\\r\n  --cluster=kubernetes-the-hard-way \\\r\n  --user=admin\r\n\r\nkubectl config use-context kubernetes-the-hard-way\r\n<\/code><\/pre>\n
\u786e\u8ba4<\/h2>\n
\u786e\u8ba4\u8fdc\u7a0bKubernetes\u96c6\u7fa4\u7684\u5065\u5eb7\u68c0\u67e5\u3002<\/p>\n
kubectl get componentstatuses\r\n<\/code><\/pre>\n
\u4f8b\u5b50\u5982\u4e0b<\/p>\n
NAME                 STATUS    MESSAGE             ERROR\r\ncontroller-manager   Healthy   ok\r\nscheduler            Healthy   ok\r\netcd-1               Healthy   {\"health\":\"true\"}\r\netcd-2               Healthy   {\"health\":\"true\"}\r\netcd-0               Healthy   {\"health\":\"true\"}\r\n<\/code><\/pre>\n
\u83b7\u53d6\u8fdc\u7a0bKubernetes\u96c6\u7fa4\u8282\u70b9\u7684\u5217\u8868\u3002<\/p>\n
kubectl get nodes\r\n<\/code><\/pre>\n
\u4f8b\u5b50: \u751f\u4ea7\u529b\u7684\u6848\u4f8b<\/p>\n
NAME             STATUS   ROLES    AGE     VERSION\r\nip-10-240-0-20   Ready    <none>   3m35s   v1.13.4\r\nip-10-240-0-21   Ready    <none>   3m35s   v1.13.4\r\nip-10-240-0-22   Ready    <none>   3m35s   v1.13.4\r\n<\/code><\/pre>\n
11-\u914d\u7f6e\u96c6\u7fa4\u5185\u7f51\u7edc<\/h1>\n
\u5728\u8282\u70b9\u4e0a\u8c03\u5ea6\u7684Pod\u5c06\u4ece\u8282\u70b9\u7684Pod CIDR\u8303\u56f4\u4e2d\u63a5\u6536IP\u5730\u5740\u3002<\/p>\n
\u5728\u8fd9\u4e00\u65f6\u70b9\u4e0a\uff0c\u7531\u4e8e\u627e\u4e0d\u5230\u7f51\u7edc\u8def\u5f84\uff0c\u8be5Pod\u65e0\u6cd5\u4e0e\u5728\u4e0d\u540c\u8282\u70b9\u4e0a\u8fd0\u884c\u7684\u5176\u4ed6Pod\u8fdb\u884c\u901a\u4fe1\u3002<\/p>\n
\u5728\u6b64\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4e3a\u6bcf\u4e2a\u5de5\u4f5c\u8282\u70b9\u521b\u5efa\u8def\u7531\uff0c\u4ee5\u5c06\u8282\u70b9\u7684Pod CIDR\u8303\u56f4\u6620\u5c04\u5230\u8282\u70b9\u7684\u5185\u90e8IP\u5730\u5740\u3002<\/p>\n
Kubernetes\u7684\u7f51\u7edc\u6a21\u578b\u5b9e\u73b0\u8fd8\u6709\u5176\u4ed6\u9009\u9879\u3002<\/p><\/blockquote>\n
\u8def\u7531\u8868\u548c\u8def\u7531\u96c6\u5408<\/h2>\n
\u5728\u8fd9\u4e2a\u90e8\u5206\uff0c\u6211\u4eec\u5c06\u6536\u96c6\u5728kubernetes-the-hard-way VPC\u7f51\u7edc\u5185\u521b\u5efa\u8def\u7531\u6240\u9700\u7684\u4fe1\u606f\u3002<\/p>\n
\u901a\u5e38\u60c5\u51b5\u4e0b\uff0c\u8fd9\u4e2a\u529f\u80fd\u7531 flannel\u3001calico\u3001amazon-vpc-cni-k8s \u7b49 CNI \u63d2\u4ef6\u63d0\u4f9b\u3002\u901a\u8fc7\u624b\u52a8\u64cd\u4f5c\u53ef\u4ee5\u66f4\u5bb9\u6613\u5730\u7406\u89e3\u8fd9\u4e9b\u63d2\u4ef6\u5728\u540e\u53f0\u6240\u505a\u7684\u5de5\u4f5c\u3002<\/p>\n
\u9996\u5148\uff0c\u6211\u4eec\u4f1a\u663e\u793a\u6bcf\u4e2a\u5de5\u4f5c\u5b9e\u4f8b\u7684\u5185\u90e8IP\u5730\u5740\u548cPod CIDR\u8303\u56f4\u3002<\/p>\n
for <\/span>instance in <\/span>worker-0 worker-1 worker-2;<\/span> do\r\n  <\/span>instance_id_ip<\/span>=<\/span>\"<\/span>$(<\/span>aws ec2 describe-instances \\<\/span>\r\n    --filters<\/span> \"Name=tag:Name,Values=<\/span>${<\/span>instance<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --output<\/span> text --query<\/span> 'Reservations[].Instances[].[InstanceId,PrivateIpAddress]'<\/span>)<\/span>\"<\/span>\r\n  instance_id<\/span>=<\/span>\"<\/span>$(<\/span>echo<\/span> \"<\/span>${<\/span>instance_id_ip<\/span>}<\/span>\"<\/span> | cut<\/span> -f1<\/span>)<\/span>\"<\/span>\r\n  instance_ip<\/span>=<\/span>\"<\/span>$(<\/span>echo<\/span> \"<\/span>${<\/span>instance_id_ip<\/span>}<\/span>\"<\/span> | cut<\/span> -f2<\/span>)<\/span>\"<\/span>\r\n  pod_cidr<\/span>=<\/span>\"<\/span>$(<\/span>aws ec2 describe-instance-attribute \\<\/span>\r\n    --instance-id<\/span> \"<\/span>${<\/span>instance_id<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --attribute<\/span> userData \\<\/span>\r\n    --output<\/span> text --query<\/span> 'UserData.Value'<\/span> \\<\/span>\r\n    | base64<\/span> --decode<\/span> | tr<\/span> \"|\"<\/span> \"<\/span>\\n<\/span>\"<\/span> | grep<\/span> \"^pod-cidr\"<\/span> | cut<\/span> -d<\/span>'='<\/span> -f2<\/span>)<\/span>\"<\/span>\r\n  echo<\/span> \"<\/span>${<\/span>instance_ip<\/span>}<\/span> ${<\/span>pod_cidr<\/span>}<\/span>\"<\/span>\r\n\r\n  aws ec2 create-route \\<\/span>\r\n    --route-table-id<\/span> \"<\/span>${<\/span>ROUTE_TABLE_ID<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --destination-cidr-block<\/span> \"<\/span>${<\/span>pod_cidr<\/span>}<\/span>\"<\/span> \\<\/span>\r\n    --instance-id<\/span> \"<\/span>${<\/span>instance_id<\/span>}<\/span>\"<\/span>\r\ndone<\/span>\r\n<\/code><\/pre>\n
\u751f\u4ea7\u793a\u4f8b<\/p>\n
10.240.0.20 10.200.0.0\/24\r\n{\r\n    \"Return\": true\r\n}\r\n10.240.0.21 10.200.1.0\/24\r\n{\r\n    \"Return\": true\r\n}\r\n10.240.0.22 10.200.2.0\/24\r\n{\r\n    \"Return\": true\r\n}\r\n<\/code><\/pre>\n
\u786e\u8ba4\u8def\u7ebf<\/h2>\n
\u68c0\u67e5\u6bcf\u4e2a\u5de5\u4f5c\u5b9e\u4f8b\u7684\u7f51\u7edc\u8def\u7531\u3002<\/p>\n
aws ec2 describe-route-tables \\<\/span>\r\n  --route-table-ids<\/span> \"<\/span>${<\/span>ROUTE_TABLE_ID<\/span>}<\/span>\"<\/span> \\<\/span>\r\n  --query<\/span> 'RouteTables[].Routes'<\/span>\r\n<\/code><\/pre>\n
\u4f8b\u5b50\u8f93\u5165\u8f93\u51fa<\/p>\n
[\r\n    [\r\n        {\r\n            \"DestinationCidrBlock\": \"10.200.0.0\/24\",\r\n            \"InstanceId\": \"i-0879fa49c49be1a3e\",\r\n            \"InstanceOwnerId\": \"107995894928\",\r\n            \"NetworkInterfaceId\": \"eni-0612e82f1247c6282\",\r\n            \"Origin\": \"CreateRoute\",\r\n            \"State\": \"active\"\r\n        },\r\n        {\r\n            \"DestinationCidrBlock\": \"10.200.1.0\/24\",\r\n            \"InstanceId\": \"i-0db245a70483daa43\",\r\n            \"InstanceOwnerId\": \"107995894928\",\r\n            \"NetworkInterfaceId\": \"eni-0db39a19f4f3970f8\",\r\n            \"Origin\": \"CreateRoute\",\r\n            \"State\": \"active\"\r\n        },\r\n        {\r\n            \"DestinationCidrBlock\": \"10.200.2.0\/24\",\r\n            \"InstanceId\": \"i-0b93625175de8ee43\",\r\n            \"InstanceOwnerId\": \"107995894928\",\r\n            \"NetworkInterfaceId\": \"eni-0cc95f34f747734d3\",\r\n            \"Origin\": \"CreateRoute\",\r\n            \"State\": \"active\"\r\n        },\r\n        {\r\n            \"DestinationCidrBlock\": \"10.240.0.0\/24\",\r\n            \"GatewayId\": \"local\",\r\n            \"Origin\": \"CreateRouteTable\",\r\n            \"State\": \"active\"\r\n        },\r\n        {\r\n            \"DestinationCidrBlock\": \"0.0.0.0\/0\",\r\n            \"GatewayId\": \"igw-00d618a99e45fa508\",\r\n            \"Origin\": \"CreateRoute\",\r\n            \"State\": \"active\"\r\n        }\r\n    ]\r\n]\r\n<\/code><\/pre>\n
\u5f15\u516512-DNS\u96c6\u7fa4\u63d2\u4ef6<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u56e0\u4e3a\u8bf4\u660e\u548c\u547d\u4ee4\u6709\u6240\u4e0d\u4e00\u81f4\uff0c\u6240\u4ee5\u8fdb\u884c\u4e86\u4fee\u6b63\u3002<\/p>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u90e8\u7f72\u4e00\u4e2a\u4f7f\u7528CoreDNS\u7684DNS\u63d2\u4ef6\uff0c\u4e3a\u5728Kubernetes\u96c6\u7fa4\u4e2d\u8fd0\u884c\u7684\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u57fa\u4e8eDNS\u7684\u670d\u52a1\u53d1\u73b0\u3002<\/p>\n
DNS\u96c6\u7fa4\u9644\u52a0\u7ec4\u4ef6<\/h2>\n
\u90e8\u7f72Coredns\u96c6\u7fa4\u9644\u52a0\u7ec4\u4ef6\u3002<\/p>\n
kubectl create -f https:\/\/raw.githubusercontent.com\/prabhatsharma\/kubernetes-the-hard-way-aws\/master\/deployments\/core-dns.yaml\r\n<\/code><\/pre>\n
\u53d1\u6325<\/p>\n
serviceaccount\/coredns created\r\nclusterrole.rbac.authorization.k8s.io\/system:coredns created\r\nclusterrolebinding.rbac.authorization.k8s.io\/system:coredns created\r\nconfigmap\/coredns created\r\ndeployment.apps\/coredns created\r\nservice\/kube-dns created\r\n<\/code><\/pre>\n
\u901a\u8fc7kube-dns\u90e8\u7f72\u521b\u5efa\u7684Pod\u7684\u786e\u8ba4\u3002<\/p>\n
kubectl get pods -l k8s-app=kube-dns -n kube-system\r\n<\/code><\/pre>\n
\u4ea7\u51fa\u4f8b<\/p>\n
NAME                      READY   STATUS    RESTARTS   AGE\r\ncoredns-7946767f6-trbvx   1\/1     Running   0          42s\r\n<\/code><\/pre>\n
\u786e\u5b9a<\/h2>\n
\u521b\u5efabusybox\u90e8\u7f72\u3002<\/p>\n
kubectl run busybox --image=busybox:1.28 --restart=Never -- sleep 3600\r\n<\/code><\/pre>\n
\u901a\u8fc7Busybox\u90e8\u7f72\u6765\u68c0\u67e5\u521b\u5efa\u7684Pod\u3002<\/p>\n
kubectl get pod busybox\r\n<\/code><\/pre>\n
\u53d1\u6325\u80fd\u529b<\/p>\n
NAME       READY     STATUS    RESTARTS   AGE\r\nbusybox   1\/1       Running   0          45s\r\n<\/code><\/pre>\n
\u6211\u5c06\u5728busybox\u7684Pod\u5185\u6267\u884c\u5bf9kubernetesservice\u7684DNS\u67e5\u8be2\u3002<\/p>\n
kubectl exec -it busybox -- nslookup kubernetes\r\n<\/code><\/pre>\n
\u53d1\u6325\u6548\u80fd<\/p>\n
Server:    10.32.0.10\r\nAddress 1: 10.32.0.10 kube-dns.kube-system.svc.cluster.local\r\n\r\nName:      kubernetes\r\nAddress 1: 10.32.0.1 kubernetes.default.svc.cluster.local\r\n<\/code><\/pre>\n
13-\u70df\u96fe\u6d4b\u8bd5 (13 –<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u6267\u884c\u4efb\u52a1\u6765\u786e\u8ba4 Kubernetes \u96c6\u7fa4\u6b63\u5e38\u8fd0\u884c\u3002<\/p>\n
\u6570\u636e\u52a0\u5bc6<\/h2>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u786e\u8ba4\u5df2\u4fdd\u5b58\u6570\u636e\u7684\u52a0\u5bc6\u3002<\/p>\n
\u6211\u4f1a\u5236\u4f5c\u4e00\u4e2a\u901a\u7528\u7684\u79d8\u5bc6\u3002<\/p>\n
kubectl create secret generic kubernetes-the-hard-way --from-literal<\/span>=<\/span>\"mykey=mydata\"<\/span>\r\n<\/code><\/pre>\n
\u5c06\u5b58\u50a8\u5728etcd\u4e2d\u7684kubernetes-the-hard-way\u7684secret\u8fdb\u884c\u5341\u516d\u8fdb\u5236\u8f6c\u50a8\u3002<\/p>\n
external_ip<\/span>=<\/span>$(<\/span>aws ec2 describe-instances \\<\/span>\r\n  --filters<\/span> \"Name=tag:Name,Values=controller-0\"<\/span> \\<\/span>\r\n  --output<\/span> text --query<\/span> 'Reservations[].Instances[].PublicIpAddress'<\/span>)<\/span>\r\n\r\nssh -i<\/span> kubernetes.id_rsa ubuntu@${<\/span>external_ip<\/span>}<\/span>\r\n<\/code><\/pre>\n
\u5728controller-0\u8282\u70b9\u4e0a\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
sudo <\/span>ETCDCTL_API<\/span>=<\/span>3 etcdctl get \\<\/span>\r\n  --endpoints<\/span>=<\/span>https:\/\/127.0.0.1:2379 \\<\/span>\r\n  --cacert<\/span>=<\/span>\/etc\/etcd\/ca.pem \\<\/span>\r\n  --cert<\/span>=<\/span>\/etc\/etcd\/kubernetes.pem \\<\/span>\r\n  --key<\/span>=<\/span>\/etc\/etcd\/kubernetes-key.pem\\<\/span>\r\n  \/registry\/secrets\/default\/kubernetes-the-hard-way | hexdump -C<\/span>\r\n<\/code><\/pre>\n
\u53d1\u6325\u80fd\u529b<\/p>\n
00000000  2f 72 65 67 69 73 74 72  79 2f 73 65 63 72 65 74  |\/registry\/secret|\r\n00000010  73 2f 64 65 66 61 75 6c  74 2f 6b 75 62 65 72 6e  |s\/default\/kubern|\r\n00000020  65 74 65 73 2d 74 68 65  2d 68 61 72 64 2d 77 61  |etes-the-hard-wa|\r\n00000030  79 0a 6b 38 73 3a 65 6e  63 3a 61 65 73 63 62 63  |y.k8s:enc:aescbc|\r\n00000040  3a 76 31 3a 6b 65 79 31  3a 7b 8e 59 78 0f 59 09  |:v1:key1:{.Yx.Y.|\r\n00000050  e2 6a ce cd f4 b6 4e ec  bc 91 aa 87 06 29 39 8d  |.j....N......)9.|\r\n00000060  70 e8 5d c4 b1 66 69 49  60 8f c0 cc 55 d3 69 2b  |p.]..fiI`...U.i+|\r\n00000070  49 bb 0e 7b 90 10 b0 85  5b b1 e2 c6 33 b6 b7 31  |I..{....[...3..1|\r\n00000080  25 99 a1 60 8f 40 a9 e5  55 8c 0f 26 ae 76 dc 5b  |%..`.@..U..&.v.[|\r\n00000090  78 35 f5 3e c1 1e bc 21  bb 30 e2 0c e3 80 1e 33  |x5.>...!.0.....3|\r\n000000a0  90 79 46 6d 23 d8 f9 a2  d7 5d ed 4d 82 2e 9a 5e  |.yFm#....].M...^|\r\n000000b0  5d b6 3c 34 37 51 4b 83  de 99 1a ea 0f 2f 7c 9b  |].<47QK......\/|.|\r\n000000c0  46 15 93 aa ba 72 ba b9  bd e1 a3 c0 45 90 b1 de  |F....r......E...|\r\n000000d0  c4 2e c8 d0 94 ec 25 69  7b af 08 34 93 12 3d 1c  |......%i{..4..=.|\r\n000000e0  fd 23 9b ba e8 d1 25 56  f4 0a                    |.#....%V..|\r\n000000ea\r\n<\/code><\/pre>\n
etcd\u952e\u5e94\u8be5\u4ee5k8s:enc:aescbc:v1:key1\u4f5c\u4e3a\u524d\u7f00\u3002<\/p>\n
\u8fd9\u8868\u793aaes-cbc\u63d0\u4f9b\u7a0b\u5e8f\u4f7f\u7528\u52a0\u5bc6\u5bc6\u94a5key1\u5bf9\u6570\u636e\u8fdb\u884c\u4e86\u52a0\u5bc6\u3002<\/p>\n
\u90e8\u7f72 – \u5728\u672c\u5730\u7b14\u8bb0\u672c\u7535\u8111\u4e0a\u8fd0\u884c<\/h2>\n
\u5728\u8fd9\u4e00\u6b65\u4e2d\uff0c\u6211\u4eec\u8981\u786e\u8ba4\u662f\u5426\u53ef\u4ee5\u521b\u5efa\u548c\u7ba1\u7406\u90e8\u7f72\u3002<\/p>\n
\u6211\u5c06\u521b\u5efa\u4e00\u4e2aNginx web\u670d\u52a1\u5668\u7684\u90e8\u7f72\u3002<\/p>\n
kubectl create deployment nginx --image=nginx\r\n<\/code><\/pre>\n
\u6211\u4eec\u5c06\u68c0\u67e5\u7531Nginx\u90e8\u7f72\u521b\u5efa\u7684Pod\u3002<\/p>\n
kubectl get pods -l app=nginx\r\n<\/code><\/pre>\n
\u53d1\u6325\u529b\u91cf<\/p>\n
NAME                     READY     STATUS    RESTARTS   AGE\r\nnginx-65899c769f-xkfcn   1\/1       Running   0          15s\r\n<\/code><\/pre>\n
\u7aef\u53e3\u8f6c\u53d1<\/h3>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u4f7f\u7528\u7aef\u53e3\u8f6c\u53d1\u6765\u786e\u8ba4\u5916\u90e8\u662f\u5426\u53ef\u4ee5\u8bbf\u95ee\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n
\u83b7\u53d6nginx Pod\u7684\u5168\u540d\u3002<\/p>\n
POD_NAME=$(kubectl get pods -l app=nginx -o jsonpath=\"{.items[0].metadata.name}\")\r\n<\/code><\/pre>\n
\u5c06\u672c\u57308080\u7aef\u53e3\u8f6c\u53d1\u5230Nginx Pod\u768480\u7aef\u53e3\u3002<\/p>\n
kubectl port-forward $POD_NAME 8080:80\r\n<\/code><\/pre>\n
\u53d1\u529b<\/p>\n
Forwarding from 127.0.0.1:8080 -> 80\r\nForwarding from [::1]:8080 -> 80\r\n<\/code><\/pre>\n
\u6211\u4f1a\u4ece\u53e6\u4e00\u4e2a\u7ec8\u7aef\u53d1\u9001HTTP\u8bf7\u6c42\u5230\u8f6c\u53d1\u5730\u5740\u4e0a\u8fdb\u884c\u6d4b\u8bd5\u3002<\/p>\n
curl --head http:\/\/127.0.0.1:8080\r\n<\/code><\/pre>\n
\u65bd\u529b<\/p>\n
HTTP\/1.1 200 OK\r\nServer: nginx\/1.17.3\r\nDate: Sat, 14 Sep 2019 13:54:34 GMT\r\nContent-Type: text\/html\r\nContent-Length: 612\r\nLast-Modified: Tue, 13 Aug 2019 08:50:00 GMT\r\nConnection: keep-alive\r\nETag: \"5d5279b8-264\"\r\nAccept-Ranges: bytes\r\n<\/code><\/pre>\n
\u56de\u5230\u539f\u6765\u7684\u7ec8\u7aef\uff0c\u505c\u6b62\u5bf9nginx Pod\u7684\u8f6c\u53d1\u3002<\/p>\n
Forwarding from 127.0.0.1:8080 -> 80\r\nForwarding from [::1]:8080 -> 80\r\nHandling connection for 8080\r\n^C\r\n<\/code><\/pre>\n
\u65e5\u5fd7<\/h3>\n
\u5728\u8fd9\u4e00\u6b65\u4e2d\uff0c\u6211\u4eec\u5c06\u786e\u8ba4\u662f\u5426\u80fd\u591f\u83b7\u53d6\u5bb9\u5668\u7684\u65e5\u5fd7\u3002<\/p>\n
\u5c55\u793anginx Pod\u7684\u65e5\u5fd7\u3002<\/p>\n
kubectl logs $POD_NAME\r\n<\/code><\/pre>\n
\u53d1\u6325\u5b9e\u529b<\/p>\n
127.0.0.1 - - [14\/May\/2018:13:59:21 +0000] \"HEAD \/ HTTP\/1.1\" 200 0 \"-\" \"curl\/7.52.1\" \"-\"\r\n<\/code><\/pre>\n
\u6267\u884c<\/h3>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u786e\u8ba4\u662f\u5426\u80fd\u591f\u5728\u5bb9\u5668\u5185\u6267\u884c\u547d\u4ee4\u3002<\/p>\n
\u8fdb\u5165nginx\u5bb9\u5668\uff0c\u8fd0\u884cnginx -v\u547d\u4ee4\u6765\u663e\u793anginx\u7684\u7248\u672c\u3002<\/p>\n
kubectl exec -ti $POD_NAME -- nginx -v\r\n<\/code><\/pre>\n
\u65bd\u5c55\u80fd\u529b<\/p>\n
nginx version: nginx\/1.17.3\r\n<\/code><\/pre>\n
\u670d\u52a1<\/h2>\n
\u5728\u8fd9\u4e00\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u786e\u8ba4\u662f\u5426\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528Service\u6765\u53d1\u5e03\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n
\u4f7f\u7528NodePort\u5c06nginx\u90e8\u7f72\u516c\u5f00\u3002<\/p>\n
kubectl expose deployment nginx --port 80 --type NodePort\r\n<\/code><\/pre>\n
\u7531\u4e8e\u672a\u8bbe\u7f6e\u4e91\u63d0\u4f9b\u5546\u96c6\u6210\uff0c\u65e0\u6cd5\u4f7f\u7528\u8d1f\u8f7d\u5747\u8861\u5668\u3002<\/p>\n
\u6b64\u6b65\u9aa4\u4e0d\u5305\u62ec\u4e91\u63d0\u4f9b\u5546\u96c6\u6210\u7684\u8bbe\u7f6e\u3002<\/p><\/blockquote>\n
\u83b7\u53d6\u5206\u914d\u7ed9nginx\u670d\u52a1\u7684\u8282\u70b9\u7aef\u53e3\u3002<\/p>\n
NODE_PORT=$(kubectl get svc nginx \\\r\n  --output=jsonpath='{range .spec.ports[0]}{.nodePort}')\r\n<\/code><\/pre>\n
\u8981\u8ba9\u5916\u90e8\u53ef\u4ee5\u901a\u8fc7\u9632\u706b\u5899\u89c4\u5219\u8bbf\u95ee\u5230nginx\u8282\u70b9\u7684\u7aef\u53e3\u3002<\/p>\n
aws ec2 authorize-security-group-ingress \\\r\n  --group-id ${SECURITY_GROUP_ID} \\\r\n  --protocol tcp \\\r\n  --port ${NODE_PORT} \\\r\n  --cidr 0.0.0.0\/0\r\n<\/code><\/pre>\n
\u4ece\u5de5\u4f5c\u5b9e\u4f8b\u83b7\u53d6\u5916\u90e8IP\u5730\u5740\u3002<\/p>\n
INSTANCE_NAME=$(kubectl get pod $POD_NAME --output=jsonpath='{.spec.nodeName}')\r\n<\/code><\/pre>\n
\u5982\u679c\u60a8\u6b63\u5728US-EAST-1\u5730\u533a\u542f\u52a8\u96c6\u7fa4\uff0c\u8bf7\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
EXTERNAL_IP=$(aws ec2 describe-instances \\\r\n    --filters \"Name=network-interface.private-dns-name,Values=${INSTANCE_NAME}.ec2.internal\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n<\/code><\/pre>\n
\u5982\u679c\u60a8\u5728US-EAST-1\u4ee5\u5916\u7684\u5730\u533a\u542f\u52a8\u4e86\u96c6\u7fa4\uff0c\u8bf7\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
EXTERNAL_IP=$(aws ec2 describe-instances \\\r\n    --filters \"Name=network-interface.private-dns-name,Values=${INSTANCE_NAME}.${AWS_REGION}.compute.internal\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n<\/code><\/pre>\n
\u6211\u5c06\u4f7f\u7528\u5916\u90e8IP\u5730\u5740\u548cnginx\u8282\u70b9\u7aef\u53e3\u8fdb\u884cHTTP\u8bf7\u6c42\u3002<\/p>\n
curl -I http:\/\/${EXTERNAL_IP}:${NODE_PORT}\r\n<\/code><\/pre>\n
\u53d1\u6325\u80fd\u529b<\/p>\n
HTTP\/1.1 200 OK\r\nServer: nginx\/1.17.3\r\nDate: Sat, 14 Sep 2019 13:54:34 GMT\r\nContent-Type: text\/html\r\nContent-Length: 612\r\nLast-Modified: Tue, 13 Aug 2019 08:50:00 GMT\r\nConnection: keep-alive\r\nETag: \"5d5279b8-264\"\r\nAccept-Ranges: bytes\r\n<\/code><\/pre>\n
\u4e0d\u53ef\u4fe1\u4efb\u7684\u5de5\u4f5c\u8d1f\u8f7d<\/h2>\n
\u6211\u5011\u5c07\u4f7f\u7528 gVisor \u4f86\u9a57\u8b49\u53ef\u4ee5\u904b\u884c\u4e0d\u53d7\u4fe1\u4efb\u7684\u8f09\u8377\u3002<\/p>\n
\u6211\u5c06\u521b\u5efa\u4e00\u4e2a\u672a\u53d7\u4fe1\u4efb\u7684Pod\u3002<\/p>\n
cat <<EOF | kubectl apply -f -\r\napiVersion: v1\r\nkind: Pod\r\nmetadata:\r\n  name: untrusted\r\n  annotations:\r\n    io.kubernetes.cri.untrusted-workload: \"true\"\r\nspec:\r\n  containers:\r\n    - name: webserver\r\n      image: gcr.io\/hightowerlabs\/helloworld:2.0.0\r\nEOF\r\n<\/code><\/pre>\n
\u786e\u8ba4<\/h3>\n
\u5728\u6b64\u90e8\u5206\uff0c\u6211\u4eec\u5c06\u68c0\u67e5\u5206\u914d\u7ed9\u7684\u5de5\u4f5c\u8282\u70b9\uff0c\u4ee5\u786e\u4fdd untrustedPod \u5728 gVisor(runsc) \u4e0b\u6b63\u5e38\u8fd0\u884c\u3002<\/p>\n
\u786e\u8ba4 untrustedPod \u6b63\u5728\u8fd0\u884c\u3002<\/p>\n
kubectl get pods -o wide\r\n<\/code><\/pre>\n
NAME                     READY     STATUS    RESTARTS   AGE       IP           NODE             NOMINATED NODE\r\nbusybox                  1\/1       Running   0          5m        10.200.0.2   ip-10-240-0-20   <none>\r\nnginx-64f497f8fd-l6b78   1\/1       Running   0          3m        10.200.1.2   ip-10-240-0-21   <none>\r\nuntrusted                1\/1       Running   0          8s        10.200.2.3   ip-10-240-0-22   <none>\r\n<\/code><\/pre>\n
\u83b7\u53d6\u6b63\u5728\u8fd0\u884cuntrustedPod\u7684\u8282\u70b9\u540d\u79f0\u3002<\/p>\n
INSTANCE_NAME=$(kubectl get pod untrusted --output=jsonpath='{.spec.nodeName}')\r\n<\/code><\/pre>\n
\u5982\u679c\u4f60\u73b0\u5728\u6b63\u5728US-EAST-1\u5730\u533a\u542f\u52a8\u96c6\u7fa4\uff0c\u8bf7\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
INSTANCE_IP=$(aws ec2 describe-instances \\\r\n    --filters \"Name=network-interface.private-dns-name,Values=${INSTANCE_NAME}.ec2.internal\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n<\/code><\/pre>\n
\u5982\u679c\u5728US-EAST-1\u4e4b\u5916\u7684\u533a\u57df\u542f\u52a8\u4e86\u96c6\u7fa4\uff0c\u8bf7\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\u3002<\/p>\n
INSTANCE_IP=$(aws ec2 describe-instances \\\r\n    --filters \"Name=network-interface.private-dns-name,Values=${INSTANCE_NAME}.${AWS_REGION}.compute.internal\" \\\r\n    --output text --query 'Reservations[].Instances[].PublicIpAddress')\r\n<\/code><\/pre>\n
\u8fde\u63a5\u5230\u5de5\u4f5c\u8282\u70b9\u7684SSH\u3002<\/p>\n
ssh -i kubernetes.id_rsa ubuntu@${INSTANCE_IP}\r\n<\/code><\/pre>\n
\u83b7\u53d6\u5728gVisor\u4e0a\u8fd0\u884c\u7684\u5bb9\u5668\u5217\u8868\u3002<\/p>\n
sudo runsc --root  \/run\/containerd\/runsc\/k8s.io list\r\n<\/code><\/pre>\n
I0514 14:03:56.108368   14988 x:0] ***************************\r\nI0514 14:03:56.108548   14988 x:0] Args: [runsc --root \/run\/containerd\/runsc\/k8s.io list]\r\nI0514 14:03:56.108730   14988 x:0] Git Revision: 08879266fef3a67fac1a77f1ea133c3ac75759dd\r\nI0514 14:03:56.108787   14988 x:0] PID: 14988\r\nI0514 14:03:56.108838   14988 x:0] UID: 0, GID: 0\r\nI0514 14:03:56.108877   14988 x:0] Configuration:\r\nI0514 14:03:56.108912   14988 x:0]              RootDir: \/run\/containerd\/runsc\/k8s.io\r\nI0514 14:03:56.109000   14988 x:0]              Platform: ptrace\r\nI0514 14:03:56.109080   14988 x:0]              FileAccess: proxy, overlay: false\r\nI0514 14:03:56.109159   14988 x:0]              Network: sandbox, logging: false\r\nI0514 14:03:56.109238   14988 x:0]              Strace: false, max size: 1024, syscalls: []\r\nI0514 14:03:56.109315   14988 x:0] ***************************\r\nID                                                                 PID         STATUS      BUNDLE                                                           CREATED                          OWNER\r\n3528c6b270c76858e15e10ede61bd1100b77519e7c9972d51b370d6a3c60adbb   14766       running     \/run\/containerd\/io.containerd.runtime.v1.linux\/k8s.io\/3528c6b270c76858e15e10ede61bd1100b77519e7c9972d51b370d6a3c60adbb   2018-05-14T14:02:34.302378996Z\r\n7ff747c919c2dcf31e64d7673340885138317c91c7c51ec6302527df680ba981   14716       running     \/run\/containerd\/io.containerd.runtime.v1.linux\/k8s.io\/7ff747c919c2dcf31e64d7673340885138317c91c7c51ec6302527df680ba981   2018-05-14T14:02:32.159552044Z\r\nI0514 14:03:56.111287   14988 x:0] Exiting with status: 0\r\n<\/code><\/pre>\n
\u83b7\u53d6untrustedPod\u7684ID\u3002<\/p>\n
POD_ID=$(sudo crictl -r unix:\/\/\/var\/run\/containerd\/containerd.sock pods --name untrusted -q)\r\n<\/code><\/pre>\n
\u83b7\u53d6\u5728untrustedPod\u4e2d\u8fd0\u884c\u7684webserver\u5bb9\u5668\u7684ID\u3002<\/p>\n
CONTAINER_ID=$(sudo crictl -r unix:\/\/\/var\/run\/containerd\/containerd.sock ps -p ${POD_ID} -q)\r\n<\/code><\/pre>\n
\u4f7f\u7528gVisor\u7684runsc\u547d\u4ee4\uff0c\u5728webserver\u5bb9\u5668\u4e2d\u663e\u793a\u6b63\u5728\u8fd0\u884c\u7684\u8fdb\u7a0b\u3002<\/p>\n
sudo runsc --root \/run\/containerd\/runsc\/k8s.io ps ${CONTAINER_ID}\r\n<\/code><\/pre>\n
\u53d1\u6325\u6f5c\u529b<\/p>\n
I0514 14:05:16.499237   15096 x:0] ***************************\r\nI0514 14:05:16.499542   15096 x:0] Args: [runsc --root \/run\/containerd\/runsc\/k8s.io ps 3528c6b270c76858e15e10ede61bd1100b77519e7c9972d51b370d6a3c60adbb]\r\nI0514 14:05:16.499597   15096 x:0] Git Revision: 08879266fef3a67fac1a77f1ea133c3ac75759dd\r\nI0514 14:05:16.499644   15096 x:0] PID: 15096\r\nI0514 14:05:16.499695   15096 x:0] UID: 0, GID: 0\r\nI0514 14:05:16.499734   15096 x:0] Configuration:\r\nI0514 14:05:16.499769   15096 x:0]              RootDir: \/run\/containerd\/runsc\/k8s.io\r\nI0514 14:05:16.499880   15096 x:0]              Platform: ptrace\r\nI0514 14:05:16.499962   15096 x:0]              FileAccess: proxy, overlay: false\r\nI0514 14:05:16.500042   15096 x:0]              Network: sandbox, logging: false\r\nI0514 14:05:16.500120   15096 x:0]              Strace: false, max size: 1024, syscalls: []\r\nI0514 14:05:16.500197   15096 x:0] ***************************\r\nUID       PID       PPID      C         STIME     TIME      CMD\r\n0         1         0         0         14:02     40ms      app\r\nI0514 14:05:16.501354   15096 x:0] Exiting with status: 0\r\n<\/code><\/pre>\n
\u4f7f\u752814-crictl\u68c0\u67e5\u5de5\u4f5c\u8282\u70b9\u7684\u955c\u50cf\u3001Pod\u548c\u5bb9\u5668\u3002<\/h1>\n
\u767b\u5f55\u5de5\u4f5c\u8282\u70b9\u5e76\u68c0\u67e5\u8d44\u6e90\u6e05\u5355\u3002
\n\u8fd9\u4e2a\u6b65\u9aa4\u53ef\u4ee5\u5728\u6240\u6709\u5df2\u542f\u52a8\u76843\u4e2a\u5de5\u4f5c\u8282\u70b9\u4e0a\u6267\u884c\u3002<\/p>\n
external_ip<\/span>=<\/span>$(<\/span>aws ec2 describe-instances \\<\/span>\r\n  --filters<\/span> \"Name=tag:Name,Values=worker-0\"<\/span> \\<\/span>\r\n  --output<\/span> text --query<\/span> 'Reservations[].Instances[].PublicIpAddress'<\/span>)<\/span>\r\n\r\nssh -i<\/span> kubernetes.id_rsa ubuntu@${<\/span>external_ip<\/span>}<\/span>\r\n<\/code><\/pre>\n
\u6267\u884c\u4ee5\u4e0b\u547d\u4ee4\uff0c\u5e76\u786e\u8ba4\u8f93\u51fa\u7ed3\u679c\u3002<\/p>\n
sudo <\/span>crictl -r<\/span> unix:\/\/\/var\/run\/containerd\/containerd.sock images\r\n<\/code><\/pre>\n
\u53d1\u5e03\u7684\u5b9e\u4f8b<\/p>\n
IMAGE                                                  TAG                 IMAGE ID            SIZE\r\ngcr.io\/google_containers\/k8s-dns-dnsmasq-nanny-amd64   1.14.7              5feec37454f45       10.9MB\r\ngcr.io\/google_containers\/k8s-dns-kube-dns-amd64        1.14.7              5d049a8c4eec9       13.1MB\r\ngcr.io\/google_containers\/k8s-dns-sidecar-amd64         1.14.7              db76ee297b859       11.2MB\r\nk8s.gcr.io\/pause                                       3.1                 da86e6ba6ca19       317kB\r\n<\/code><\/pre>\n
sudo <\/span>crictl -r<\/span> unix:\/\/\/var\/run\/containerd\/containerd.sock pods\r\n<\/code><\/pre>\n
\u53d1\u6325<\/p>\n
POD ID              CREATED             STATE               NAME                        NAMESPACE           ATTEMPT\r\n9a304a19557f7       2 hours ago         Ready               kube-dns-864b8bdc77-c5vc2   kube-system         0\r\n<\/code><\/pre>\n
sudo <\/span>crictl -r<\/span> unix:\/\/\/var\/run\/containerd\/containerd.sock ps\r\n<\/code><\/pre>\n
\u53d1\u6325\u6548\u529b<\/p>\n
CONTAINER ID        IMAGE                                                                     CREATED             STATE               NAME                ATTEMPT\r\n611bfea53997d       sha256:db76ee297b8597fc007b23a90619314b8405bb1df6dcad189df0a123a09e7ecc   2 hours ago         Running             sidecar             0\r\n824f26368efc0       sha256:5feec37454f45d060c5f528c7d0bd4958df39e7ffd2e65ae42aae68bf78f69a5   2 hours ago         Running             dnsmasq             0\r\nf3d35b783af1e       sha256:5d049a8c4eec92b21ca4be399c260166d96569a1a52d497f4a0365bb55c1a18c   2 hours ago         Running             kubedns             0\r\n<\/code><\/pre>\n
15-\u6536\u62fe\u5e72\u51c0<\/h1>\n
\u5728\u8fd9\u4e2a\u6b65\u9aa4\u4e2d\uff0c\u6211\u4eec\u5c06\u5220\u9664\u4e4b\u524d\u521b\u5efa\u7684\u8d44\u6e90\u3002<\/p>\n
\u4e91\u8ba1\u7b97\u4e2d\u7684EC2\u5b9e\u4f8b<\/h2>\n
\u5220\u9664\u63a7\u5236\u8282\u70b9\u548c\u5de5\u4f5c\u8282\u70b9\u3002<\/p>\n
aws ec2 terminate-instances \\\r\n  --instance-ids \\\r\n    $(aws ec2 describe-instances \\\r\n      --filter \"Name=tag:Name,Values=controller-0,controller-1,controller-2,worker-0,worker-1,worker-2\" \\\r\n      --output text --query 'Reservations[].Instances[].InstanceId')\r\naws ec2 delete-key-pair --key-name kubernetes\r\n<\/code><\/pre>\n
\u7f51\u7edc\u8fde\u63a5<\/h2>\n
\u5220\u9664\u5916\u90e8\u8d1f\u8f7d\u5747\u8861\u5668\u3001VPC\u7b49\u7f51\u7edc\u8d44\u6e90\u3002<\/p>\n
aws elbv2 delete-load-balancer --load-balancer-arn \"${LOAD_BALANCER_ARN}\"\r\naws elbv2 delete-target-group --target-group-arn \"${TARGET_GROUP_ARN}\"\r\naws ec2 delete-security-group --group-id \"${SECURITY_GROUP_ID}\"\r\nROUTE_TABLE_ASSOCIATION_ID=\"$(aws ec2 describe-route-tables \\\r\n  --route-table-ids \"${ROUTE_TABLE_ID}\" \\\r\n  --output text --query 'RouteTables[].Associations[].RouteTableAssociationId')\"\r\naws ec2 disassociate-route-table --association-id \"${ROUTE_TABLE_ASSOCIATION_ID}\"\r\n\r\naws ec2 delete-route-table --route-table-id \"${ROUTE_TABLE_ID}\"\r\naws ec2 detach-internet-gateway \\\r\n  --internet-gateway-id \"${INTERNET_GATEWAY_ID}\" \\\r\n  --vpc-id \"${VPC_ID}\"\r\naws ec2 delete-internet-gateway --internet-gateway-id \"${INTERNET_GATEWAY_ID}\"\r\naws ec2 delete-subnet --subnet-id \"${SUBNET_ID}\"\r\naws ec2 delete-vpc --vpc-id \"${VPC_ID}\"\r\n\r\n<\/code><\/pre>\n
\u8f9b\u82e6\u4e86\uff01\u5c31\u4ee5\u8fd9\u6837\u5b8c\u6210\u4e86kubernetes the hard way\u7684\u5b66\u4e60\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
\u4f60\u662f\u5426\u4e86\u89e3”kubernetes the hard way”\uff1f \u8fd9\u662f\u4e00\u4e2a\u901a\u8fc7\u624b\u52a8\u6784\u5efak […]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-35840","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"yoast_head":"\n\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09 - Blog - Silicon Cloud<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.silicloud.com\/zh\/blog\/\u6211\u5728aws\u4e0a\u5c1d\u8bd5\u4e86\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72kubernetes\uff08\u9644\u5168\/\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09\" \/>\n<meta property=\"og:description\" content=\"\u4f60\u662f\u5426\u4e86\u89e3”kubernetes the hard way”\uff1f \u8fd9\u662f\u4e00\u4e2a\u901a\u8fc7\u624b\u52a8\u6784\u5efak […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.silicloud.com\/zh\/blog\/\u6211\u5728aws\u4e0a\u5c1d\u8bd5\u4e86\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72kubernetes\uff08\u9644\u5168\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog - Silicon Cloud\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-22T05:14:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-29T03:12:57+00:00\" \/>\n<meta name=\"author\" content=\"\u6e05, \u626c\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"\u6e05, \u626c\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"28 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/\",\"name\":\"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09 - Blog - Silicon Cloud\",\"isPartOf\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\"},\"datePublished\":\"2023-06-22T05:14:11+00:00\",\"dateModified\":\"2024-04-29T03:12:57+00:00\",\"author\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.silicloud.com\/zh\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#website\",\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/\",\"name\":\"Blog - Silicon Cloud\",\"description\":\"\",\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461\",\"name\":\"\u6e05, \u626c\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g\",\"caption\":\"\u6e05, \u626c\"},\"url\":\"https:\/\/www.silicloud.com\/zh\/blog\/author\/qingyang\/\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#local-main-organization-logo\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"Blog - Silicon Cloud\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09 - Blog - Silicon Cloud","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.silicloud.com\/zh\/blog\/\u6211\u5728aws\u4e0a\u5c1d\u8bd5\u4e86\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72kubernetes\uff08\u9644\u5168\/","og_locale":"zh_CN","og_type":"article","og_title":"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09","og_description":"\u4f60\u662f\u5426\u4e86\u89e3”kubernetes the hard way”\uff1f \u8fd9\u662f\u4e00\u4e2a\u901a\u8fc7\u624b\u52a8\u6784\u5efak […]","og_url":"https:\/\/www.silicloud.com\/zh\/blog\/\u6211\u5728aws\u4e0a\u5c1d\u8bd5\u4e86\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72kubernetes\uff08\u9644\u5168\/","og_site_name":"Blog - Silicon Cloud","article_published_time":"2023-06-22T05:14:11+00:00","article_modified_time":"2024-04-29T03:12:57+00:00","author":"\u6e05, \u626c","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"\u6e05, \u626c","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"28 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/","url":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/","name":"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09 - Blog - Silicon Cloud","isPartOf":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website"},"datePublished":"2023-06-22T05:14:11+00:00","dateModified":"2024-04-29T03:12:57+00:00","author":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461"},"breadcrumb":{"@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.silicloud.com\/zh\/blog\/"},{"@type":"ListItem","position":2,"name":"\u6211\u5728AWS\u4e0a\u5c1d\u8bd5\u4e86\u201c\u4ee5\u6700\u56f0\u96be\u7684\u65b9\u5f0f\u90e8\u7f72Kubernetes\u201d\uff08\u9644\u5168\u6587\u7ffb\u8bd1\uff09"}]},{"@type":"WebSite","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#website","url":"https:\/\/www.silicloud.com\/zh\/blog\/","name":"Blog - Silicon Cloud","description":"","inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/cb5556d2501da73d864cac945e8d9461","name":"\u6e05, \u626c","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/32a4239de8ff29adace466261d309424a1e5fe9f7e3036bf89fe03f2e3dbe717?s=96&d=mm&r=g","caption":"\u6e05, \u626c"},"url":"https:\/\/www.silicloud.com\/zh\/blog\/author\/qingyang\/"},{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.silicloud.com\/zh\/blog\/%e6%88%91%e5%9c%a8aws%e4%b8%8a%e5%b0%9d%e8%af%95%e4%ba%86%e4%bb%a5%e6%9c%80%e5%9b%b0%e9%9a%be%e7%9a%84%e6%96%b9%e5%bc%8f%e9%83%a8%e7%bd%b2kubernetes%ef%bc%88%e9%99%84%e5%85%a8\/#local-main-organization-logo","url":"","contentUrl":"","caption":"Blog - Silicon Cloud"}]}},"_links":{"self":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/35840","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/comments?post=35840"}],"version-history":[{"count":2,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/35840\/revisions"}],"predecessor-version":[{"id":84931,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/posts\/35840\/revisions\/84931"}],"wp:attachment":[{"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/media?parent=35840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/categories?post=35840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.silicloud.com\/zh\/blog\/wp-json\/wp\/v2\/tags?post=35840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}