安装Flannel

[root@hdss7-21 ~]# cd /opt/src/

[root@hdss7-21 src]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz

[root@hdss7-21 src]# mkdir /opt/release/flannel-v0.11.0 # 因为flannel压缩包内部没有套目录

[root@hdss7-21 src]# tar -xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/release/flannel-v0.11.0

[root@hdss7-21 src]# ln -s /opt/release/flannel-v0.11.0 /opt/apps/flannel

[root@hdss7-21 src]# ll /opt/apps/flannel

lrwxrwxrwx 1 root root 28 Jan 9 22:33 /opt/apps/flannel -> /opt/release/flannel-v0.11.0

拷贝证书

# flannel 需要以客户端的身份访问etcd,需要相关证书

[root@hdss7-21 src]# mkdir /opt/apps/flannel/certs

[root@hdss7-200 ~]# cd /opt/certs/

[root@hdss7-200 certs]# scp ca.pem client-key.pem client.pem hdss7-21:/opt/apps/flannel/certs/

创建启动脚本

[root@hdss7-21 src]# vim /opt/apps/flannel/subnet.env # 创建子网信息,7-22的subnet需要修改

FLANNEL_NETWORK=172.7.0.0/16

FLANNEL_SUBNET=172.7.21.1/24

FLANNEL_MTU=1500

FLANNEL_IPMASQ=false

[root@hdss7-21 src]# /opt/apps/etcd/etcdctl set /coreos.com/network/config '{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}'

[root@hdss7-21 src]# /opt/apps/etcd/etcdctl get /coreos.com/network/config # 只需要在一台etcd机器上设置就可以了

{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}

# public-ip 为本机IP,iface 为当前宿主机对外网卡

[root@hdss7-21 src]# vim /opt/apps/flannel/flannel-startup.sh

#!/bin/sh

WORK_DIR=$(dirname $(readlink -f $0))

[ $? -eq 0 ] && cd $WORK_DIR || exit

/opt/apps/flannel/flanneld \

--public-ip=10.4.7.21 \

--etcd-endpoints=https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \

--etcd-keyfile=./certs/client-key.pem \

--etcd-certfile=./certs/client.pem \

--etcd-cafile=./certs/ca.pem \

--iface=ens32 \

--subnet-file=./subnet.env \

--healthz-port=2401

[root@hdss7-21 src]# chmod u+x /opt/apps/flannel/flannel-startup.sh

[root@hdss7-21 src]# vim /etc/supervisord.d/flannel.ini

[program:flanneld-7-21]

command=/opt/apps/flannel/flannel-startup.sh ; the program (relative uses PATH, can take args)

numprocs=1 ; number of processes copies to start (def 1)

directory=/opt/apps/flannel ; directory to cwd to before exec (def no cwd)

autostart=true ; start at supervisord start (default: true)

autorestart=true ; retstart at unexpected quit (default: true)

startsecs=30 ; number of secs prog must stay running (def. 1)

startretries=3 ; max # of serial start failures (default 3)

exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)

stopsignal=QUIT ; signal used to kill process (default TERM)

stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)

user=root ; setuid to this UNIX account to run the program

redirect_stderr=true ; redirect proc stderr to stdout (default false)

stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stderr log path, NONE for none; default AUTO

stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)

stdout_logfile_backups=5 ; # of stdout logfile backups (default 10)

stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)

stdout_events_enabled=false ; emit events on stdout writes (default false)

[root@hdss7-21 src]# mkdir -p /data/logs/flanneld/

[root@hdss7-21 src]# supervisorctl update

flanneld-7-21: added process group

[root@hdss7-21 src]# supervisorctl status

etcd-server-7-21 RUNNING pid 1058, uptime -1 day, 16:33:25

flanneld-7-21 RUNNING pid 13154, uptime 0:00:30

kube-apiserver-7-21 RUNNING pid 1061, uptime -1 day, 16:33:25

kube-controller-manager-7-21 RUNNING pid 1068, uptime -1 day, 16:33:25

kube-kubelet-7-21 RUNNING pid 1052, uptime -1 day, 16:33:25

kube-proxy-7-21 RUNNING pid 1082, uptime -1 day, 16:33:25

kube-scheduler-7-21 RUNNING pid 1089, uptime -1 day, 16:33:25

验证跨网络访问

[root@hdss7-21 src]# kubectl get pods -o wide

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

nginx-ds-7db29 1/1 Running 1 2d 172.7.22.2 hdss7-22.host.com <none> <none>

nginx-ds-vvsz7 1/1 Running 1 2d 172.7.21.2 hdss7-21.host.com <none> <none>

[root@hdss7-21 src]# curl -I 172.7.22.2

HTTP/1.1 200 OK

Server: nginx/1.17.6

Date: Thu, 09 Jan 2020 14:55:21 GMT

Content-Type: text/html

Content-Length: 612

Last-Modified: Tue, 19 Nov 2019 12:50:08 GMT

Connection: keep-alive

ETag: "5dd3e500-264"

Accept-Ranges: bytes

解决pod间IP透传问题

# 从pod a跨宿主机访问pod b时,在pod b中能看到的地址为 pod a 宿主机地址

[root@nginx-ds-jdp7q /]# tail -f /usr/local/nginx/logs/access.log

10.4.7.22 - - [13/Jan/2020:13:13:39 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"

10.4.7.22 - - [13/Jan/2020:13:14:27 +0000] "GET / HTTP/1.1" 200 12 "-" "curl/7.29.0"

10.4.7.22 - - [13/Jan/2020:13:54:20 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

10.4.7.22 - - [13/Jan/2020:13:54:25 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

[root@hdss7-21 ~]# iptables-save |grep POSTROUTING|grep docker # 引发问题的规则

-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

[root@hdss7-21 ~]# yum install -y iptables-services

[root@hdss7-21 ~]# systemctl start iptables.service ; systemctl enable iptables.service

# 需要处理的规则:

[root@hdss7-21 ~]# iptables-save |grep POSTROUTING|grep docker

-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

[root@hdss7-21 ~]# iptables-save | grep -i reject

-A INPUT -j REJECT --reject-with icmp-host-prohibited

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

# 处理方式:

[root@hdss7-21 ~]# iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

[root@hdss7-21 ~]# iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE

[root@hdss7-21 ~]# iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited

[root@hdss7-21 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited

[root@hdss7-21 ~]# iptables-save > /etc/sysconfig/iptables

# 此时跨宿主机访问pod时,显示pod的IP

[root@nginx-ds-jdp7q /]# tail -f /usr/local/nginx/logs/access.log

172.7.22.2 - - [13/Jan/2020:14:15:39 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

172.7.22.2 - - [13/Jan/2020:14:15:47 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

172.7.22.2 - - [13/Jan/2020:14:15:48 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

172.7.22.2 - - [13/Jan/2020:14:15:48 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0"

k8s二进制部署 - flannel安装的更多相关文章

  1. k8s二进制部署 - dashboard安装

    配置资源清单rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard ...

  2. k8s二进制部署 - traefik安装

    配置traefik资源清单rbac.yaml 配置traefik资源清单 rbac.yaml apiVersion: v1 kind: ServiceAccount metadata: name: t ...

  3. k8s二进制部署 - coredns安装

    coredns的资源清单文件rabc.yaml apiVersion: v1 kind: ServiceAccount metadata: name: coredns namespace: kube- ...

  4. k8s二进制部署 - harbor安装

    harbor安装 # 目录说明: # /opt/src : 源码.文件下载目录 # /opt/release : 各个版本软件存放位置 # /opt/apps : 各个软件当前版本的软链接 [root ...

  5. K8s二进制部署单节点 etcd集群,flannel网络配置 ——锥刺股

    K8s 二进制部署单节点 master    --锥刺股 k8s集群搭建: etcd集群 flannel网络插件 搭建master组件 搭建node组件 1.部署etcd集群 2.Flannel 网络 ...

  6. k8s二进制部署

    k8s二进制部署 1.环境准备 主机名 ip地址 角色 k8s-master01 10.0.0.10 master k8s-master02 10.0.0.11 master k8s-node01 1 ...

  7. K8s二进制部署单节点 master组件 node组件 ——头悬梁

    K8s二进制部署单节点   master组件 node组件   --头悬梁 1.master组件部署 2.node   组件部署 k8s集群搭建: etcd集群 flannel网络插件 搭建maste ...

  8. 007.Kubernetes二进制部署Flannel

    一 部署flannel 1.1 安装flannel kubernetes 要求集群内各节点(包括 master 节点)能通过 Pod 网段互联互通.flannel 使用 vxlan 技术为各节点创建一 ...

  9. k8s 二进制部署详解

    环境说明: 192.168.1.101 -- master01 + etcd01 192.168.1.102 -- etcd02 192.168.1.103 -- etcd03 192.168.1.1 ...

随机推荐

  1. ctfhub技能树—信息泄露—git泄露—index

    打开靶机 查看页面信息 使用dirsearch进行扫描 使用githack工具处理git泄露情况 使用git log命令查看历史记录 与 add flag 9b5b58-- 这次提交进行比对 即可拿到 ...

  2. SAP RFC的相关的术语说明

    工作比较忙,很少有时间写点文章,抽空写点吧,给需要的人看看,虽然徒弟很多了,不过还是不要固步自封,在这里也指导更多的人进步吧. RFC(Remote Function Call)是SAP系统和其他(S ...

  3. 【转】Js中的window.parent ,window.top,window.self 详解

    [转自]http://blog.csdn.net/zdwzzu2006/article/details/6047632 在应用有frameset或者iframe的页面时,parent是父窗口,top是 ...

  4. 1.5V升压3V集成电路升压芯片

    干电池1.5V升压3V的升压芯片,适用于干电池升压产品输出3V供电 1.5V输入时,输出3V,电流可达500MA. PW5100是一款效率大.10uA低功耗 PW5100输入电压:0.7V-5V PW ...

  5. LTH7锂电池充放电IC完整方案

    内容目录: A,LTH7贴片5脚充电芯片    PW4054 1, 单节的锂电池保护电路     单节为3.7V锂电池(也叫4.2V)和3.8V锂电池(也叫4.35V) 2, 单节的锂电池充电电路   ...

  6. 三节锂电池充电管理芯片,IC电路图如何设计

    关于三节锂电池供电的产品,在三节锂电池上,需要三个电路系统: 1,三节锂电池保护电路, 2,三节锂电池充电电路, 3,三节锂电池输出电路. 1.三节锂电池保护电路,芯片电路图 控制三节锂电池池的充电电 ...

  7. 从零开始学spring源码之xml解析(二):默认标签和自定义标签解析

    默认标签: 上一篇说到spring的默认标签和自定义标签,发现这里面东西还蛮多的.决定还是拆开来写.今天就来好好聊聊这两块是怎么玩的,首先我们先看看默认标签: private void parseDe ...

  8. cookie加密 当浏览器全面禁用三方 Cookie

    cookie加密    cookie  localstorage    区别 https://mp.weixin.qq.com/s/vHeRStcCUarwqsY7Y1rpGg 当浏览器全面禁用三方 ...

  9. The router relies on a tree structure which makes heavy use of common prefixes, it is basically a compact prefix tree (or just Radix tree).

    https://github.com/julienschmidt/httprouter/

  10. 一套高可用、易伸缩、高并发的IM群聊、单聊架构方案设计实践

    一套高可用.易伸缩.高并发的IM群聊.单聊架构方案设计实践 一套高可用.易伸缩.高并发的IM群聊.单聊架构方案设计实践-IM开发/专项技术区 - 即时通讯开发者社区! http://www.52im. ...