Kubernetes集群部署

K8S

---Author：张思明 ZhangSiming

---Mail：1151004164@cnu.edu.cn

---QQ：1030728296

如果有梦想，就放开的去追；
因为只有奋斗，才能改变命运。

一、官方提供的三种部署方式

• minikube

Minikube是一个工具，可以在本地快速运行一个单点的Kubernetes，仅用于尝试Kubernetes或日常开发的用户使用。
部署地址：https://kubernetes.io/docs/setup/minikube/

• kubeadm

Kubeadm也是一个工具，提供kubeadm init和kubeadm join，用于快速部署Kubernetes集群。
部署地址：https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/
缺点：
1.还在测试中；
2.主控节点与Node节点有一个连接超时时间，超过这个时间就连接不上了(1年)；
3.所有内部组件都被部署好了，难以得到K8S的学习。

• 二进制包

推荐，从官方下载发行版的二进制包，手动部署每个组件，组成Kubernetes集群。
下载地址：https://github.com/kubernetes/kubernetes/releases

二、Kubernetes平台环境规划

2.1实验环境配置

2.2实验架构图

三、自签SSL证书

3.1什么是SSL证书

SSL证书（SSL Certificates）是HTTP明文协议升级HTTPS加密协议必备的数字证书。它在客户端（浏览器）与服务端（网站服务器）之间搭建一条安全的加密通道，对两者之间交换的信息进行加密，确保传输数据不被泄露或篡改。
HTTP------>HTTPS

什么是自签的SSL证书？

注：自签的SSL证书顾名思义就是不是受到受信任的机构颁发的SSL证书，自己签发的证书。这种证书随意签发，不受监督也不会受任何浏览器以及操作系统信任。

3.2K8S集群使用自签证书表

注：ca是证书发布机构

3.3生成Etcd的自签SSL证书，增强安全性

3.3.1获取自签cfssl证书生成工具

[root@ZhangSiming ~]# mkdir K8S
[root@ZhangSiming ~]# cd K8S
#在K8SMaster01上生成需要的证书
[root@ZhangSiming K8S]# ls K8S/
cfssl.sh  Etcd-cert.sh
#cfssl.sh是下载证书生成工具的脚本；Etcd-cert.sh是利用cfssl工具生成相应证书的脚本
[root@ZhangSiming K8S]# cat cfssl.sh 
#!/bin/bash
#designed by Zhangsiming
curl -L https:/\/pkg.cfssl.org/R1.2/cfssl_linux-amd64 -o /usr/local/bin/cfssl
curl -L https:/\/pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -o /usr/local/bin/cfssljson
#使cfssl支持json语言的工具包
curl -L https:/\/pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -o /usr/local/bin/cfssl-certinfo
#查看cfssl信息包
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson /usr/local/bin/cfssl-certinfo
#执行脚本获取工具
[root@ZhangSiming K8S]# bash cfssl.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9.8M  100  9.8M    0     0  1215k      0  0:00:08  0:00:08 --:--:-- 1933k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2224k  100 2224k    0     0   635k      0  0:00:03  0:00:03 --:--:--  635k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 6440k  100 6440k    0     0   959k      0  0:00:06  0:00:06 --:--:-- 1379k
[root@ZhangSiming K8S]# ls /usr/local/bin/  | grep cfssl
cfssl
cfssl-certinfo
cfssljson
#获取成功

3.3.2给Etcd生成证书

###生成脚本
[root@ZhangSiming K8S]# cat Etcd-cert.sh 
#!/bin/bash
#Designed by Zhangsiming
cat > ca-config.json << EOF
{
   "signing": {
     "default": {
       "expiry": "87600h"      #过期时间
     },
     "profiles": {
       "www": {
      "expiry": "87600h",
          "usages": [
         "signing",
             "key encipherment",
         "server auth",
         "client auth"
     ]
       }
     }
   }
 }
EOF
cat > ca-csr.json << EOF
{
   "CN":  "etcd CA",
   "key": {
       "algo": "rsa",      #加密算法
       "size": 2048
     },
     "names": [
         {
         "C": "CN",
         "L": "Beijing",
         "ST": "Beijing"
         }
     ]
 }
EOF
#生成根证书的文件
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#生成根证书
cat > server-csr.json << EOF
{
   "CN":  "etcd",
   "hosts": [
   "192.168.17.130",
   "192.168.17.131",
   "192.168.17.132"      #这三个IP要是Etcd节点的的三个IP
   ],
   "key": {
       "algo": "rsa",
       "size": 2048
     },
     "names": [
         {
             "C": "CN",
             "L": "Beijing",
             "ST": "Beijing"
         }
     ]
 }
EOF
#利用根证书颁发子证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
#生成所有Etcd需要的证书
#执行脚本
[root@ZhangSiming K8S]# mkdir cert
[root@ZhangSiming K8S]# ls
cert  cfssl.sh  Etcd-cert.sh
[root@ZhangSiming K8S]# cd cert/
[root@ZhangSiming cert]# sh ~/K8S/Etcd-cert.sh 
2019/01/30 16:36:15 [INFO] generating a new CA key and certificate from CSR
2019/01/30 16:36:15 [INFO] generate received request
2019/01/30 16:36:15 [INFO] received CSR
2019/01/30 16:36:15 [INFO] generating key: rsa-2048
2019/01/30 16:36:16 [INFO] encoded CSR
2019/01/30 16:36:16 [INFO] signed certificate with serial number 278108394651810943628140075243673420492920215858
2019/01/30 16:36:16 [INFO] generate received request
2019/01/30 16:36:16 [INFO] received CSR
2019/01/30 16:36:16 [INFO] generating key: rsa-2048
2019/01/30 16:36:16 [INFO] encoded CSR
2019/01/30 16:36:16 [INFO] signed certificate with serial number 61614068451067277863698620865442956258180155064
2019/01/30 16:36:16 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@ZhangSiming cert]# ls
ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
ca.csr          ca-key.pem   server.csr  server-key.pem
#Etcd需要的三个证书，ca.pem、server-key.pem、server.pem已经全部生成好

四、Etcd数据库Cluster集群部署

4.1下载Etcd的二进制安装包(从GitHub上)

Etcd二进制包下载地址
https://github.com/etcd-io/etcd/releases

注：下载3.3.11版本的，3.3.10版本systemctl自启动服务启动时候会出错......

拷贝下载链接：https://github.com/etcd-io/etcd/releases/download/v3.3.11/etcd-v3.3.11-linux-amd64.tar.gz

[root@ZhangSiming cert]# cat /etc/redhat-release 
CentOS Linux release 7.5.1804 (Core) 
[root@ZhangSiming cert]# uname -r
3.10.0-862.el7.x86_64
[root@ZhangSiming cert]# systemctl stop firewalld
[root@ZhangSiming cert]# systemctl disable firewalld
[root@ZhangSiming cert]# getenforce 0
Disabled
#下载Etcd包
[root@ZhangSiming K8S]# ls
cert  cfssl.sh  Etcd-cert.sh
[root@ZhangSiming K8S]# which wget 
/usr/bin/wget
[root@ZhangSiming K8S]# wget https:/\/github.com/etcd-io/etcd/releases/download/v3.3.11/etcd-v3.3.11-linux-amd64.tar.gz
[root@ZhangSiming K8S]# ls
cert  cfssl.sh  Etcd-cert.sh  etcd-v3.3.11-linux-arm64.tar.gz
#下载成功

4.2编写一键生成Etcd配置文件及服务自启动systemctl配置文件的脚本

[root@ZhangSiming etcd-v3.3.10-linux-arm64]# cat ~/K8S/Deploy/etcd.sh
#!/bin/bash
#Designed by Zhangsiming
# example: ./etcd.sh etcd01 192.168.17.130 etcd02=https://192.168.17.131:2380,etcd03=https://192.168.17.132:2380
#传入参数范例
ETCD_NAME=$1
ETCD_IP=$2
ETCD_CLUSTER=$3
WORK_DIR=/opt/etcd
#脚本传入的参数及自定义全局变量
cat  > $WORK_DIR/cfg/etcd << EOF
#生成etcd的配置文件
#[Member]
ETCD_NAME="${ETCD_NAME}"
#Etcd数据库名称
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
#数据目录
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
#Etcd-cluster集群通信连接端口2380
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"
#Etcd对外访问开放端口2379
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
#本地Etcd的IP:端口
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
#本地Etcd对外访问端口
ETCD_INITIAL_CLUSTER="etcd01=https://${ETCD_IP}:2380,${ETCD_CLUSTER}"
#Etcd集群IP及端口
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
#集群认证，这个随意指定，需要所以cluster一致
ETCD_INITIAL_CLUSTER_STATE="new"
#new代表新创建的Etcd-cluster
EOF
cat  >/usr/lib/systemd/system/etcd.service <<EOF
#生成CentOS7的systemctl服务配置文件
[Unit]
Description=Etcd Server
#服务描述
After=network.target
After=network-online.target
Wants=network-online.target
#服务依赖条件，启动网络之后启动等...
[Service]
Type=notify
#notify模式，即指启动守护进程之后，进行后续监听操作(找cluster节点)
EnvironmentFile=${WORK_DIR}/cfg/etcd
#使用的Etcd配置文件
ExecStart=${WORK_DIR}/bin/etcd \
--name=\${ETCD_NAME} \
--data-dir=\${ETCD_DATA_DIR} \
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \
--initial-cluster-state=new \
--cert-file=${WORK_DIR}/ssl/server.pem \
--key-file=${WORK_DIR}/ssl/server-key.pem \
--peer-cert-file=${WORK_DIR}/ssl/server.pem \
--peer-key-file=${WORK_DIR}/ssl/server-key.pem \
--trusted-ca-file=${WORK_DIR}/ssl/ca.pem \
--peer-trusted-ca-file=${WORK_DIR}/ssl/ca.pem
#这个是启动Etcd守护进程的命令，其中附带使用的自签证书
Restart=on-failure
#出错时重启
LimitNOFILE=65536
#单个进程文件描述符65535
[Install]
WantedBy=multi-user.target
#一般这里都是multi-user即多用户服务
EOF
systemctl daemon-reload      #这句使编写的Etcd服务生效
systemctl enable etcd      #开机自启动Etcd服务(系统服务)
systemctl restart etcd      #重启Etcd服务

4.3配置部署Etcd节点

#拷贝文件到指定的/opt/etcd目录下
[root@ZhangSiming etcd-v3.3.10-linux-arm64]# tree /opt/etcd
/opt/etcd
├── bin
│   ├── etcd
│   └── etcdctl      #解压二进制包把其中的etcd、etcdctl拷贝到bin目录下
├── cfg      #执行脚本生成的etcd配置文件会在这个目录下
└── ssl
    ├── ca-config.json
    ├── ca.csr
    ├── ca-csr.json
    ├── ca-key.pem
    ├── ca.pem
    ├── server.csr
    ├── server-csr.json
    ├── server-key.pem
    └── server.pem      #把自签ca证书拷贝到ssl目录下
3 directories, 12 files
#执行脚本
[root@ZhangSiming K8S]# ~/K8S/Deploy/etcd.sh etcd01 192.168.17.130 etcd02=https://192.168.17.131:2380,etcd03=https://192.168.17.132:2380
[root@ZhangSiming etcd-v3.3.11-linux-amd64]# systemctl start etcd
Job for etcd.service failed because a timeout was exceeded. See "systemctl status etcd.service" and "journalctl -xe" for details.
#这里会等待很长时间，因为没有配置cluster中的其他两台Etcd节点，所以最后会失败，没有关系，我们接下来就配置

4.4配置部署Etcd-cluster集群

[root@ZhangSiming etcd-v3.3.11-linux-amd64]# scp -r /opt/etcd/ root@192.168.17.131:/opt
#把/opt/etcd目录下所有文件拷贝到其他etcd节点的对应位置
The authenticity of host '192.168.17.131 (192.168.17.131)' can't be established.
ECDSA key fingerprint is SHA256:hcae7bE6sNTeEGHgZaykEfqSiPQCoW2dJBwSZ8DqUTA.
ECDSA key fingerprint is MD5:4e:30:92:c6:66:00:48:d5:69:1a:10:1f:16:ef:2e:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.17.131' (ECDSA) to the list of known hosts.
root@192.168.17.131's password: 
etcd                                          100%   18MB  18.3MB/s   00:01    
etcdctl                                       100%   15MB  29.3MB/s   00:00    
etcd                                          100%  516   636.4KB/s   00:00    
ca-config.json                                100%  269   335.0KB/s   00:00    
ca.csr                                        100%  956     1.5MB/s   00:00    
ca-csr.json                                   100%  194   339.2KB/s   00:00    
ca-key.pem                                    100% 1679     1.8MB/s   00:00    
ca.pem                                        100% 1265     2.0MB/s   00:00    
server.csr                                    100% 1013    72.9KB/s   00:00    
server-csr.json                               100%  294   237.4KB/s   00:00    
server-key.pem                                100% 1679     1.5MB/s   00:00    
server.pem                                    100% 1338     1.5MB/s   00:00   
#拷贝自启动systemctl文件到其他Etcd节点
[root@ZhangSiming etcd-v3.3.11-linux-amd64]# scp /usr/lib/systemd/system/etcd.service root@192.168.17.131:/usr/lib/systemd/system/etcd.service
root@192.168.17.131's password:
etcd.service                                  100%  923    27.3KB/s   00:00 

启动Etcd-cluster集群

#在三个Etcd节点都启动etcd服务
[root@ZhangSiming etcd]# systemctl start etcd
[root@ZhangSiming etcd]# 
[root@ZhangSiming ssl]# pwd
/opt/etcd/ssl
[root@ZhangSiming ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379" cluster-health
#访问Etcd的三个节点的2379端口，进行Etcd的健康检测
member 3a6f8c78a708ea9 is healthy: got healthy result from https://192.168.17.132:2379
member 5658b2b12e105fd0 is healthy: got healthy result from https://192.168.17.131:2379
member 9d10fc7919c17197 is healthy: got healthy result from https://192.168.17.130:2379
cluster is healthy
#集群是健康的！

在配置Etcd-cluster集群的时候，如果出了问题，首先查看/opt/etcd/cfg/etcd配置文件和systemctl配置文件有无错误，之后再看/var/log/messages进行排查。

五、Node安装Docker

5.1K8S提供服务架构层次图

5.2K8SNode节点安装Docker

去docker官方网址:docs.docker.com，根据提示安装docker-ce

#以下操作Node01和Node02一致
#安装docker依赖包
[root@ZhangSiming etcd]# yum install -y yum-utils device-mapper-persistent-data lvm2
#下载dockerrepo
[root@ZhangSiming etcd]# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
#安装2.9版本以上的container-selinux包
[root@ZhangSiming etcd]# yum -y localinstall container-selinux-2.10-2.el7.noarch.rpm
#yum方式安装docker
[root@ZhangSiming etcd]# yum install docker-ce -y
#查看docker是否安装
[root@ZhangSiming etcd]# systemctl start docker
[root@ZhangSiming etcd]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@ZhangSiming etcd]# docker version
Client:
 Version:           18.09.1
 API version:       1.39
 Go version:        go1.10.6
 Git commit:        4c52b90
 Built:             Wed Jan  9 19:35:01 2019
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
  Version:          18.09.1
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.6
  Git commit:       4c52b90
  Built:            Wed Jan  9 19:06:30 2019
  OS/Arch:          linux/amd64
  Experimental:     false

5.3在下载好Docker的Node进行优化配置

[root@ZhangSiming etcd]# curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
#daocloud是docker的加速器，这里复制daocloud官网的命令给本地docker安装加速器，因为
docker version >= 1.12
{"registry-mirrors": ["http://f1361db2.m.daocloud.io"]}
Success.
You need to restart docker to take effect: sudo systemctl restart docker 
[root@ZhangSiming etcd]# systemctl restart docker      #安装完加速器重启Docker
[root@ZhangSiming etcd]# docker run -dit nginx      #启动一个nginxDocker进程(没有镜像默认先下载镜像再启动容器进程)
Unable to find image 'nginx:latest' locally
latest: Pulling from library/nginx
5e6ec7f28fb7: Pull complete 
ab804f9bbcbe: Pull complete 
052b395f16bc: Pull complete 
Digest: sha256:f630aa07be1af4ce6cbe1d5e846bb6bb3b5ba6bfec0ec0edc08ba48d8c1d9b0f
Status: Downloaded newer image for nginx:latest
04f73c49514fcca4c1d48efe706537cf2b2378a842feb4aa937f06ea1b537f57
#下载nginx镜像并启动完成，因为有加速器，所以非常快
[root@ZhangSiming etcd]# docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
04f73c49514f        nginx               "nginx -g 'daemon of…"   28 seconds ago      Up 27 seconds       80/tcp              eager_panini

六、Flannel容器集群网络部署

6.1基于Flannel实现不同主机容器间通信的工作原理

Overlay Network：覆盖网络，在基础网络上叠加的一种虚拟网络技术模式，该网络中的主机通过虚拟链路连接起来。
VXLAN：将源数据包封装到UDP中，并使用基础网络的IP/MAC作为外层报文头进行封装，然后在以太网上传输，到达目的地后由隧道端点解封装并将数据发送给目标地址。
Flannel：是Overlay网络的一种，也是将源数据包封装在另一种网络包里面进行路由转发和通信，目前已经支持UDP、VXLAN、AWS VPC和GCE路由等数据转发方式。

1.主机A的container1要和主机B的container2建立通信，先把数据包发给Docker0网关；
2.Docker0把数据发给flanneld0，flanneld服务进行封装并从主机A的ens32网卡发出到以太网中；
3.主机Bens32网卡接收到数据包，由主机B的flanneld服务进行解封装，去到主机B的Docker0之后到达container2。
注意：
flanneld通过Etcd存储一个路由表，路由表指示了容器要想和容器通信，需要哪台主机发送给哪台主机；因为flanneld会首先在Etcd分配并存储一个子网，然后由这个子网给容器下发IP，所以容器间可以通信------flannel覆盖网络

6.2部署flannel容器集群网络

6.2.1写入分配给flannel的子网到Etcd，供flanneld使用

[root@ZhangSiming ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379" set /coreos.com/network/config '{"Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
{"Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
#这是在Etcd中写入flanneld分配的子网，并指定封装类型为VXLAN
[root@ZhangSiming ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379" get /coreos.com/network/config 
{"Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}
#etcdctl get 查看一下刚刚设置的

6.2.2去GitHub下载flannel二进制包，并解压到/opt/kubernetes/bin/中

[root@ZhangSiming opt]# mkdir -p kubernetes/{bin,ssl,cfg}
[root@ZhangSiming opt]# cd kubernetes/bin/
[root@ZhangSiming bin]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
[root@ZhangSiming bin]# ls
flannel-v0.11.0-linux-amd64.tar.gz
[root@ZhangSiming bin]# tar xf flannel-v0.11.0-linux-amd64.tar.gz 
[root@ZhangSiming bin]# ls
flanneld  flannel-v0.11.0-linux-amd64.tar.gz  mk-docker-opts.sh  README.md

6.2.3编写flannel服务脚本，并配置docker服务脚本，使其使用flannel分配的子网

[root@ZhangSiming kubernetes]# cat flannel.sh
#!/bin/bash
#Designed by Zhangsiming
cat  >/opt/kubernetes/cfg/flanneld << EOF
FLANNEL_OPTIONS="--etcd-endpoints=https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379 \
-etcd-cafile=/opt/etcd/ssl/ca.pem \
-etcd-certfile=/opt/etcd/ssl/server.pem \
-etcd-keyfile=/opt/etcd/ssl/server-key.pem"
EOF
#这个文件中的变量是flanneld服务配置文件中引用的环境文件，用于启动flanneld服务
cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service
[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
#引用FLANNEL_OPTIONS变量，不能加{}否则会出错
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
#启动后(Post)生成一个子网文件/run/flannel/subnet.env供给Docker使用
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#重新修改配置docker服务的配置文件，使其使用flannel分配的子网
cat <<EOF >/usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
#引用/run/flannel/subnet.env中的变量，其实就是使用flannel覆盖网络的子网来使得Docker间可以通信
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
#修改完systemctl自启动配置文件要daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart docker
#重新启动flannel服务和docker服务
#我们不妨看一下flannel服务生成的/run/flannel/subnet.env文件
[root@ZhangSiming kubernetes]# cat /run/flannel/subnet.env
DOCKER_OPT_BIP="--bip=172.17.63.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=false"
DOCKER_OPT_MTU="--mtu=1450"
DOCKER_NETWORK_OPTIONS=" --bip=172.17.63.1/24 --ip-masq=false --mtu=1450"
#这个变量就是分配的子网，被docker服务配置文件引用的

6.2.4 执行脚本，查看docker是否使用flannel覆盖网络

[root@ZhangSiming kubernetes]# sh flannel.sh
[root@ZhangSiming kubernetes]# ps -elf | grep flanneld
4 S root       2413      1  0  80   0 - 78971 futex_ 23:31 ?        00:00:00 /opt/kubernetes/bin/flanneld --ip-masq --etcd-endpoints=https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
0 R root       3684   1195  0  80   0 - 28176 -      23:45 pts/0    00:00:00 grep --color=auto flanneld
#启动flannel服务成功
[root@ZhangSiming kubernetes]# ps -elf | grep dockerd
4 S root       2485      1  1  80   0 - 166806 do_wai 23:31 ?       00:00:01 /usr/bin3.1/24 --ip-masq=false --mtu=1450
#docker成功使用flannel分配的子网

K8SNode2节点就scp过去执行脚本就好了

[root@ZhangSiming kubernetes]# scp -r /opt/ root@192.168.17.133:/opt/
#scp只要是复制两个，第一个就是/opt/kubernetes目录，里面包含flannel工具和服务生产脚本；第二，还要复制/opt/etcd/ssl下的自签证书过去，别忘了我们指定的证书位置是/opt/etcd/ssl
root@192.168.17.133\'s password：
etcd                                          100%   18MB  28.6MB/s   00:00    
etcdctl                                       100%   15MB  24.0MB/s   00:00    
etcd                                          100%  516   761.0KB/s   00:00    
ca-config.json                                100%  269     3.6KB/s   00:00    
ca.csr                                        100%  956   260.6KB/s   00:00    
ca-csr.json                                   100%  194   154.4KB/s   00:00    
ca-key.pem                                    100% 1679     1.4MB/s   00:00    
ca.pem                                        100% 1265     2.1MB/s   00:00    
server.csr                                    100% 1013   768.5KB/s   00:00    
server-csr.json                               100%  294   127.1KB/s   00:00    
server-key.pem                                100% 1679     2.3MB/s   00:00    
server.pem                                    100% 1338     2.6MB/s   00:00    
container-selinux-2.10-2.el7.noarch.rpm       100%   28KB   1.1MB/s   00:00    
flannel-v0.11.0-linux-amd64.tar.gz            100% 9342KB  18.2MB/s   00:00    
flanneld                                      100%   34MB  33.6MB/s   00:01    
mk-docker-opts.sh                             100% 2139     1.6MB/s   00:00    
README.md                                     100% 4300    55.0KB/s   00:00    
flanneld                                      100%  236   199.1KB/s   00:00    
.flannel.sh.swp                               100%   12KB  11.3MB/s   00:00    
.flannel.sh.swn                               100%   12KB   4.5MB/s   00:00    
flannel.sh                                    100% 1489     1.5MB/s   00:00    
#复制过来直接执行脚本
[root@ZhangSiming kubernetes]# sh flannel.sh
[root@ZhangSiming kubernetes]# ps -elf | grep flanneld
4 S root       2663      1  0  80   0 - 95884 futex_ 00:04 ?        00:00:00 /opt/kubernetes/bin/flanneld --ip-masq --etcd-endpoints=https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379 -etcd-cafile=/opt/etcd/ssl/ca.pem -etcd-certfile=/opt/etcd/ssl/server.pem -etcd-keyfile=/opt/etcd/ssl/server-key.pem
0 R root       2908   1770  0  80   0 - 28176 -      00:05 pts/0    00:00:00 grep --color=auto flanneld
[root@ZhangSiming kubernetes]# ps -elf | grep dockerd
4 S root       2737      1  6  80   0 - 133445 futex_ 00:04 ?       00:00:01 /usr/bin/dockerd --bip=172.17.98.1/24 --ip-masq=false --mtu=1450
0 R root       2916   1770  0  80   0 - 28176 -      00:05 pts/0    00:00:00 grep --color=auto dockerd
#到此所有节点覆盖flannel网络成功

6.3测试flannel网络下容器间的通信

部署成功之后，ifconfig看一下容器的网卡信息

[root@ZhangSiming kubernetes]# ifconfig | grep -EA 1 flannel 
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.98.0  netmask 255.255.255.255  broadcast 0.0.0.0
[root@ZhangSiming kubernetes]# ifconfig | grep -EA 1 docker0 
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.98.1  netmask 255.255.255.0  broadcast 172.17.98.255
#可以看到flannel自己分配了个172.17.98.0网段，docker0和下面的容器都会使用这个网段的IP
[root@ZhangSiming kubernetes]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.17.2    0.0.0.0         UG    100    0        0 ens32
172.17.63.0     172.17.63.0     255.255.255.0   UG    0      0        0 flannel.1
172.17.98.0     0.0.0.0         255.255.255.0   U     0      0        0 docker0
192.168.17.0    0.0.0.0         255.255.255.0   U     100    0        0 ens32
#并加入了路由表中通信
[root@ZhangSiming kubernetes]# ifconfig | grep -EA 1 flannel 
flannel.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1450
        inet 172.17.98.0  netmask 255.255.255.255  broadcast 0.0.0.0
[root@ZhangSiming kubernetes]# ping 172.17.63.0
PING 172.17.63.0 (172.17.63.0) 56(84) bytes of data.
64 bytes from 172.17.63.0: icmp_seq=1 ttl=64 time=0.259 ms
64 bytes from 172.17.63.0: icmp_seq=2 ttl=64 time=0.379 ms
^C
--- 172.17.63.0 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.259/0.319/0.379/0.060 ms
#98网段的主机ping63网主机的网关可以通
#在两个节点分别启动两个测试镜像，并记录IP
[root@ZhangSiming kubernetes]# docker run -it busybox
#busybox是测试镜像
Unable to find image 'busybox:latest' locally
latest: Pulling from library/busybox
57c14dd66db0: Pull complete 
Digest: sha256:7964ad52e396a6e045c39b5a44438424ac52e12e4d5a25d94895f2058cb863a0
Status: Downloaded newer image for busybox:latest
/ # ifconfig | grep -A 1 eth0
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:3F:02  
          inet addr:172.17.63.2  Bcast:172.17.63.255  Mask:255.255.255.0
/ # ping 172.17.98.2
#自己是63网段，ping98网段(另一个容器的)
PING 172.17.98.2 (172.17.98.2): 56 data bytes
64 bytes from 172.17.98.2: seq=0 ttl=62 time=0.459 ms
64 bytes from 172.17.98.2: seq=1 ttl=62 time=2.668 ms
#容器间也ping通，说明flannel网络已经覆盖了容器，成功
#最后别忘了加入开机启动
[root@ZhangSiming kubernetes]# systemctl enable flanneld

七、部署Master组件

部署Master组件是有一个顺序要求的，先部署apiserver，再部署controller-manager和scheduler。
配置组件流程和上面一致，就是：
1.自签证书准备
2.配置文件
3.systemd管理
4.启动组件
5.验证是否运行成功

7.1生成自签证书

[root@ZhangSiming ~]# mkdir K8S/k8s-cert
[root@ZhangSiming ~]# cd K8S/k8s-cert
#建立一个专门的K8S证书
[root@ZhangSiming k8s-cert]# mv ~/k8s-cert.sh .
[root@ZhangSiming k8s-cert]# ls
k8s-cert.sh
#生成证书脚本，类似生成Etcd证书脚本
[root@ZhangSiming k8s-cert]# cat k8s-cert.sh 
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
         "expiry": "87600h",
         "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ]
      }
    }
  }
}
EOF
cat > ca-csr.json <<EOF
{
    "CN": "kubernetes",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "Beijing",
            "ST": "Beijing",
            "O": "k8s",
            "OU": "System"
#O、OU是用户、用户组验证
        }
    ]
}
EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
#生成ca根证书
#-----------------------
cat > server-csr.json <<EOF
{
    "CN": "kubernetes",
    "hosts": [
      "10.0.0.1",
      "127.0.0.1",
      "192.168.17.130",
      "192.168.17.131",
      "192.168.17.134",
      "192.168.17.135",
      "192.168.17.136",
#上面5个IP为，Master01，Master02，LoadMaster自身IP、VIP和LoadNode的IP地址
      "kubernetes",
      "kubernetes.default",
      "kubernetes.default.svc",
      "kubernetes.default.svc.cluster",
      "kubernetes.default.svc.cluster.local"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "L": "BeiJing",
            "ST": "BeiJing",
            "O": "k8s",
            "OU": "System"
#O、OU是用户、用户组验证
        }
    ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
#使用ca证书签发apiserver的证书
#-----------------------
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
#O、OU是用户、用户组验证
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
#使用ca证书签发kubeadmin证书
#-----------------------
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
#O、OU是用户、用户组验证
    }
  ]
}
EOF
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
#使用ca证书签发kubeproxy证书
[root@ZhangSiming k8s-cert]# sh k8s-cert.sh &>/dev/null
[root@ZhangSiming k8s-cert]# ls
admin.csr       ca.csr       kube-proxy.csr       server-csr.json
admin-csr.json  ca-csr.json  kube-proxy-csr.json  server-key.pem
admin-key.pem   ca-key.pem   kube-proxy-key.pem   server.pem
admin.pem       ca.pem       kube-proxy.pem
ca-config.json  k8s-cert.sh  server.csr
#全部的证书生成成功

7.2部署Master组件

7.2.1部署apiserver

[root@ZhangSiming K8S]# cd k8smaster-soft/
[root@ZhangSiming k8smaster-soft]# ls
apiserver.sh           kubernetes-server-linux-amd64.tar.gz
controller-manager.sh  scheduler.sh
[root@ZhangSiming k8smaster-soft]# mkdir -p /opt/kubernetes/{bin,cfg,ssl}
[root@ZhangSiming k8smaster-soft]# tar xf kubernetes-server-linux-amd64.tar.gz 
#解压下载好的Kubernetes二进制包
[root@ZhangSiming K8S]# ls kubernetes/
addons  kubernetes-src.tar.gz  LICENSES  server
#addons是一些插件
[root@ZhangSiming K8S]# ls kubernetes/server/bin/
apiextensions-apiserver              kube-controller-manager.tar
cloud-controller-manager             kubectl
cloud-controller-manager.docker_tag  kubelet
cloud-controller-manager.tar         kube-proxy
hyperkube                            kube-proxy.docker_tag
kubeadm                              kube-proxy.tar
kube-apiserver                       kube-scheduler
kube-apiserver.docker_tag            kube-scheduler.docker_tag
kube-apiserver.tar                   kube-scheduler.tar
kube-controller-manager              mounter
kube-controller-manager.docker_tag
#其中的kube-apiserver kubectl kube-controller-manager kube-scheduler kubelet是需要的，拷贝到刚刚创建的/opt/kubernetes下的bin目录中
[root@ZhangSiming K8S]# cd kubernetes/server/bin/
[root@ZhangSiming bin]# cp kubelet kubectl kube-proxy kube-scheduler kube-controller-manager kube-apiserver /opt/kubernetes/bin/
[root@ZhangSiming bin]# ls /opt/kubernetes/bin/
kube-apiserver           kubectl  kube-proxy
kube-controller-manager  kubelet  kube-scheduler
#拷贝命令工具成功
#拷贝证书
[root@ZhangSiming K8S]# cd k8s-cert/
[root@ZhangSiming k8s-cert]# cp * /opt/kubernetes/ssl/
[root@ZhangSiming k8s-cert]# ls /opt/kubernetes/ssl/
admin.csr       ca.csr       kube-proxy.csr       server-csr.json
admin-csr.json  ca-csr.json  kube-proxy-csr.json  server-key.pem
admin-key.pem   ca-key.pem   kube-proxy-key.pem   server.pem
admin.pem       ca.pem       kube-proxy.pem
ca-config.json  k8s-cert.sh  server.csr
[root@ZhangSiming k8s-cert]# ls /opt/etcd/ssl
ca-config.json  ca-csr.json  ca.pem      server-csr.json  server.pem
ca.csr          ca-key.pem   server.csr  server-key.pem
#Kubernetes组件的证书和etcd的证书都在指定位置
[root@ZhangSiming ssl]# /opt/etcd/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379" cluster-health
member 3a6f8c78a708ea9 is healthy: got healthy result from https://192.168.17.132:2379
member 5658b2b12e105fd0 is healthy: got healthy result from https://192.168.17.131:2379
member 9d10fc7919c17197 is healthy: got healthy result from https://192.168.17.130:2379
cluster is healthy
#Etcd集群健康

下面开始生成apiserver的配置文件和服务配置文件

[root@ZhangSiming k8smaster-soft]# cat apiserver.sh 
#!/bin/bash
MASTER_ADDRESS=$1
ETCD_SERVERS=$2
#脚本要传入两个参数，一个是自身的IP，一个是Etcd集群的IP
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
#错误日志开启
--v=4 \\
#错误日志级别为4
--etcd-servers=${ETCD_SERVERS} \\
#Etcd集群的IP
--bind-address=${MASTER_ADDRESS} \\
#绑定自身的masterIP
--secure-port=6443 \\
#安全端口6443
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.0.0.0/24 \\
#Kubernetes给apiserver分配的虚拟IP
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
#支持验证插件
--authorization-mode=RBAC,Node \\
#安全验证模式
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
#token验证方式
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
#这个文件要先生成，给token验证读取
--service-node-port-range=30000-50000 \\
#虚拟IP分配的端口
--tls-cert-file=/opt/kubernetes/ssl/server.pem  \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/etcd/ssl/ca.pem \\
--etcd-certfile=/opt/etcd/ssl/server.pem \\
--etcd-keyfile=/opt/etcd/ssl/server-key.pem"
#下面都是证书
EOF
cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
#配置文件位置
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
#启动apiserver服务引用的参数，就是配置文件里指定的
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
#system服务生效
systemctl enable kube-apiserver
systemctl restart kube-apiserver
#生成token-auth文件
[root@ZhangSiming k8smaster-soft]# touch /opt/kubernetes/cfg/token.csv
[root@ZhangSiming k8smaster-soft]# head -c 16 /dev/urandom | od -An -t x | tr -d ' '
5e479c0f03a3261a0e15bf05ff272831
[root@ZhangSiming k8smaster-soft]# echo "5e479c0f03a3261a0e15bf05ff272831" > /opt/kubernetes/cfg/token.csv 
[root@ZhangSiming k8smaster-soft]# vim /opt/kubernetes/cfg/token.csv
[root@ZhangSiming k8smaster-soft]# cat /opt/kubernetes/cfg/token.csv
5e479c0f03a3261a0e15bf05ff272831,kubelet-bootstrap,10001,"system:kuberlet-bootstrap"
#这个后面部署Node会用到，暂时不用管。
#执行脚本
[root@ZhangSiming k8smaster-soft]# sh apiserver.sh 192.168.17.130 https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379
#传入两个参数
[root@ZhangSiming k8s-cert]# ps -elf | grep api
4 S root       2536      1 77  80   0 - 71336 futex_ 20:11 ?        00:00:04 /opt/kubernetes/bin/kube-apiserver --logtostderr=true --v=4 --etcd-servers=https://192.168.17.130:2379,https://192.168.17.131:2379,https://192.168.17.132:2379 --bind-address=192.168.17.130 --secure-port=6443 --advertise-address=192.168.17.130 --allow-privileged=true --service-cluster-ip-range=10.0.0.0/24 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction --authorization-mode=RBAC,Node --kubelet-https=true --enable-bootstrap-token-auth --token-auth-file=/opt/kubernetes/cfg/token.csv --service-node-port-range=30000-50000 --tls-cert-file=/opt/kubernetes/ssl/server.pem --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem --client-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem --etcd-cafile=/opt/etcd/ssl/ca.pem --etcd-certfile=/opt/etcd/ssl/server.pem --etcd-keyfile=/opt/etcd/ssl/server-key.pem
0 R root       2544   2324  0  80   0 - 28176 -      20:11 pts/1    00:00:00 grep --color=auto api
#成功启动apiserver服务

7.2.2部署kube-controller-manager

[root@ZhangSiming k8smaster-soft]# netstat -antup | grep 8080
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      2715/kube-apiserver 
#这个8080端口是apiserver的一个非安全端口，用于连接controller-manager的
#生成controller-manager配置文件和服务配置文件的脚本
[root@ZhangSiming k8smaster-soft]# cat controller-manager.sh
#!/bin/bash
MASTER_ADDRESS=$1
#由于和apiserver都在本地，所以传入127.0.0.1
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
#和apiserver通信地址是8080，非安全端口
--leader-elect=true \\
#高可用选举功能(多个controller-manager时)
--address=127.0.0.1 \\
--service-cluster-ip-range=10.0.0.0/24 \\
#虚拟子网，和apiserver一致
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem  \\
#证书
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
#服务配置文件和apiserver类似
systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
#执行脚本
[root@ZhangSiming k8smaster-soft]# sh controller-manager.sh 127.0.0.1
#传入127.0.0.1
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
[root@ZhangSiming k8smaster-soft]# ps -elf | grep controller-manager
4 S root       2804      1  3  80   0 - 34587 ep_pol 20:25 ?        00:00:01 /opt/kubernetes/bin/kube-controller-manager --logtostderr=true --v=4 --master=127.0.0.1:8080 --leader-elect=true --address=127.0.0.1 --service-cluster-ip-range=10.0.0.0/24 --cluster-name=kubernetes --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem --root-ca-file=/opt/kubernetes/ssl/ca.pem --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem --experimental-cluster-signing-duration=87600h0m0s
0 S root       2811   2324  0  80   0 - 28176 pipe_w 20:26 pts/1    00:00:00 grep --color=auto controller-manager
#controller-manager服务启动成功