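Reference link: https://www.cnblogs.com/harlanzhang/p/10114484.html
(This article is a record of my own setup process, based on the blog above. It differs slightly from the original; please visit the original.)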
2019-04-08 22:19:02
1. Host planning:
2. Host setup (master):
- Change the hostname
hostnamectl set-hostname k8s-master1
- Change the root user's password
passwd root (root)
- Configure hosts
vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.32.115.21 k8s-master1
172.32.115.22 k8s-master2
172.32.115.23 k8s-master3
172.32.115.24 k8s-node1
172.32.115.25 k8s-node2
172.32.115.26 k8s-node3
- Passwordless SSH login between hosts
Passwordless login is needed for six hosts in total
[root@k8s-master1 ~]# ssh-keygen -t rsa
[root@k8s-master1 ~]# ssh-copy-id k8s-master1
[root@k8s-master1 ~]# ssh-copy-id k8s-master2
[root@k8s-master1 ~]# ssh-copy-id k8s-master3
[root@k8s-master1 ~]# ssh-copy-id k8s-node1
[root@k8s-master1 ~]# ssh-copy-id k8s-node2
[root@k8s-master1 ~]# ssh-copy-id k8s-node3
Detailed command output, generating the key pair: ssh-keygen -t rsa
[root@k8s-master1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:f4dUuV4+QIgYGi5NbOp9dOFFyBsLaUpe2IzU9tDkJn8 root@k8s-master1
The key's randomart image is:
+---[RSA 2048]----+
| o+*.=.o. |
| +*o@+*... . |
| .=+=o=+*. .o |
| ..o .+* .. . |
| . . . S. E... .|
| . . . ... o.o |
| . . o o..|
| . . .|
| |
+----[SHA256]-----+
Detailed command output, copying the public key to the target host: ssh-copy-id k8s-master2
[root@k8s-master1 ~]# ssh-copy-id k8s-master2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host 'k8s-master2 (172.32.115.22)' can't be established.
ECDSA key fingerprint is SHA256:D7q+GFK1okN3LN9mLt9uMmNnU1HNIQTgN24gBz0RqVY.
ECDSA key fingerprint is MD5:19:07:a7:96:46:b7:87:3f:f7:71:b5:ca:01:e0:d0:51.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@k8s-master2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'k8s-master2'"
and check to make sure that only the key(s) you wanted were added.
[root@k8s-master1 ~]#
Login test
[root@k8s-master1 ~]# ssh 172.32.115.26
Last login: Tue Apr 9 00:09:04 2019 from 172.32.115.1
[root@k8s-node3 ~]# exit
登出
Connection to 172.32.115.26 closed.
[root@k8s-master1 ~]# ssh 172.32.115.25
Last login: Tue Apr 9 00:06:48 2019 from 172.32.115.1
[root@k8s-node2 ~]# exit
登出
Connection to 172.32.115.25 closed.
[root@k8s-master1 ~]# ssh 172.32.115.24
Last login: Tue Apr 9 00:04:40 2019 from 172.32.115.1
[root@k8s-node1 ~]# exit
登出
Connection to 172.32.115.24 closed.
[root@k8s-master1 ~]# ssh 172.32.115.23
Last login: Mon Apr 8 23:20:21 2019 from 172.32.115.1
[root@k8s-master3 ~]# exit
登出
Connection to 172.32.115.23 closed.
[root@k8s-master1 ~]# ssh 172.32.115.22
Last login: Mon Apr 8 23:20:39 2019 from 172.32.115.1
[root@k8s-master2 ~]# exit
登出
Connection to 172.32.115.22 closed.
[root@k8s-master1 ~]# ssh 172.32.115.21
Last login: Mon Apr 8 23:40:30 2019 from 172.32.115.21
[root@k8s-master1 ~]# exit
登出
Connection to 172.32.115.21 closed.
[root@k8s-master1 ~]#
- Disable the firewall
[root@k8s-master1 ~]# systemctl stop firewalld.service
[root@k8s-master1 ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@k8s-master1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
4月 08 22:48:12 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
4月 08 22:48:12 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
4月 08 22:48:13 localhost.localdomain firewalld[694]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
4月 09 00:17:46 k8s-master1 systemd[1]: Stopping firewalld - dynamic firewall daemon...
4月 09 00:17:46 k8s-master1 systemd[1]: Stopped firewalld - dynamic firewall daemon.
- Disable SELinux
[root@k8s-master3 ~]# setenforce 0
[root@k8s-master3 ~]# sed -i '/SELINUX=enforcing/s#enforcing#disabled#' /etc/selinux/config
[root@k8s-master3 ~]# getenforce
Permissive
[root@k8s-master3 ~]# grep SELINUX /etc/selinux/config
# SELINUX= can take one of these three values:
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
SELINUXTYPE=targeted
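The script below is an added example, not part of the original post or the referenced blog. It is a set of read-only checks for the steps above: key-based login to the k8s-* hosts listed in /etc/hosts, firewalld state, and the SELinux runtime mode versus the persisted one (in the output above getenforce reports Permissive while the config says disabled, which stays that way until the node reboots). The function names and the `--live` switch are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: read-only checks for the node preparation steps above.

# Cluster hostnames (k8s-*) from a hosts file, one per line; comments are skipped.
cluster_hosts() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; if ($i ~ /^k8s-/) print $i } }' "$1"
}

# Persisted SELinux mode from a config file. "# SELINUX=" comment lines and
# SELINUXTYPE= are not matched; empty output means there is no SELINUX= line.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Compare the runtime mode (getenforce output) with the persisted mode.
# setenforce 0 only reaches Permissive; "disabled" applies after a reboot.
selinux_drift() {
    local runtime
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if [ "$runtime" = "$2" ]; then
        echo "in-sync:$2"
    else
        echo "reboot-pending:$runtime->$2"
    fi
}

# Key-based login test for every cluster host. BatchMode=yes makes ssh fail
# instead of prompting for a password, so a missing key is reported, not hidden.
check_key_login() {
    local h failed=0
    for h in $(cluster_hosts "$1"); do
        if ssh -n -o BatchMode=yes -o ConnectTimeout=5 "$h" true 2>/dev/null; then
            echo "OK   $h"
        else
            echo "FAIL $h"; failed=1
        fi
    done
    return "$failed"
}

# Touch the live node only when asked (--live is this example's own switch).
if [ "${1:-}" = "--live" ]; then
    check_key_login /etc/hosts
    selinux_drift "$(getenforce)" "$(selinux_config_mode /etc/selinux/config)"
    systemctl is-enabled firewalld; systemctl is-active firewalld
else
    # Constructed input mirroring the output above: runtime Permissive, config disabled.
    selinux_drift Permissive disabled
fi
```

The sed command used above only rewrites a line containing SELINUX=enforcing, so on a node whose config already says permissive it changes nothing; `selinux_config_mode` shows what was actually persisted.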
To be continued...