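# Per-node preparation: run on every machine that will be part of the cluster.
# Each node sets its own (unique) hostname — replace xxxx.
hostnamectl set-hostname xxxx
# Put SELinux into permissive mode (effectively disables it); the sed makes
# the change survive a reboot.
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
# Turn swap off now and keep it off after reboot. The sed only touches fstab
# lines that are not already commented, so re-running this is idempotent.
sudo swapoff -a
sudo sed -ri '/^[^#]*swap/s/^/#/' /etc/fstab
# Let iptables see bridged traffic. modules-load.d only takes effect at boot,
# so load br_netfilter now as well — otherwise the net.bridge.* keys below do
# not exist yet and `sysctl --system` reports them as unknown.
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system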
安装kubelet、kubeadm、kubectl
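# Kubernetes yum repository, then a pinned install of the three components.
# gpgcheck/repo_gpgcheck stay on so yum verifies both the repo metadata and
# the kubelet/kubeadm/kubectl RPMs against the keys listed in gpgkey; the
# URLs below are placeholders for the mirror and its two signing keys.
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=<KUBERNETES_YUM_REPO_BASEURL>
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=<KUBERNETES_YUM_KEY_URL> <KUBERNETES_RPM_PACKAGE_KEY_URL>
exclude=kubelet kubeadm kubectl
EOF
# exclude= above keeps routine `yum update` from moving the cluster version;
# --disableexcludes lets this one install through at exactly 1.20.9.
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes
sudo systemctl enable --now kubelet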
使用kubeadm引导集群
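# Write and run a helper that pre-pulls the control-plane images from a mirror
# registry (run on every node). The heredoc delimiter is quoted so nothing in
# the script body is expanded by the outer shell.
# Tags are mutable: for a reproducible rebuild, record the digests docker
# prints for each pull and reference those instead.
sudo tee ./images.sh <<'EOF'
#!/bin/bash
set -euo pipefail
registry=registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images
images=(
  kube-apiserver:v1.20.9
  kube-proxy:v1.20.9
  kube-controller-manager:v1.20.9
  kube-scheduler:v1.20.9
  coredns:1.7.0
  etcd:3.4.13-0
  pause:3.2
)
# Quoted array expansion: one argument per image, no word-splitting/globbing.
for imageName in "${images[@]}"; do
  docker pull "${registry}/${imageName}"
done
EOF
chmod +x ./images.sh && ./images.sh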
初始化主节点
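# On every machine: map the control-plane endpoint name to the master's IP.
# Replace 172.31.0.4 with your own master address. The grep guard keeps the
# entry from being appended a second time if this step is re-run.
grep -qF 'cluster-endpoint' /etc/hosts || echo "172.31.0.4 cluster-endpoint" >> /etc/hosts
# Master node only: initialise the control plane.
# The node network, --service-cidr and --pod-network-cidr must not overlap.
kubeadm init \
  --apiserver-advertise-address=172.31.0.4 \
  --control-plane-endpoint=cluster-endpoint \
  --image-repository registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images \
  --kubernetes-version v1.20.9 \
  --service-cidr=10.96.0.0/16 \
  --pod-network-cidr=192.168.0.0/16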
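# List every node in the cluster
kubectl get nodes
# Create resources in the cluster from a manifest file
kubectl apply -f xxxx.yaml
# Which applications are deployed? The Kubernetes counterpart of `docker ps`
# is `kubectl get pods -A`: what Docker calls a running container, k8s calls
# a Pod. (This analogy was written as a pseudo-command in the notes; it is a
# comment here so the file can be run as a script.)
kubectl get pods -A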
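# Install the Calico CNI. Download to a file first so the manifest can be read
# (and its checksum recorded) before anything is applied; -f makes curl fail
# on an HTTP error instead of saving the error page as calico.yaml.
curl -fsSLo calico.yaml "<CALICO_MANIFEST_URL>"
kubectl apply -f calico.yaml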
# Worker nodes: join the cluster through the control-plane endpoint.
# The bootstrap token and CA-cert hash are this walkthrough's example values;
# every cluster prints its own pair at the end of `kubeadm init`. The hash is
# what lets the worker verify it is enrolling with the intended API server.
join_token=x5g4uy.wpjjdbgra92s25pp
ca_cert_hash=sha256:6255797916eaee52bf9dda9429db616fcd828436708345a308f4b917d3457a22
kubeadm join cluster-endpoint:6443 \
  --token "${join_token}" \
  --discovery-token-ca-cert-hash "${ca_cert_hash}"
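# Deploy the Kubernetes Dashboard. The manifest applied here is reproduced in
# full below; applying a local, reviewed copy of it (kubectl apply -f
# recommended.yaml) instead of a live URL pins exactly what went into the
# cluster.
kubectl apply -f "<KUBERNETES_DASHBOARD_RECOMMENDED_YAML_URL>"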
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 ( the "License" ) ;
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
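# Kubernetes Dashboard v2.3.1 "recommended" manifest (the file applied above),
# restored to valid YAML. Everything lives in its own namespace: the
# dashboard's Role reaches only the secrets/configmap it owns plus a proxy to
# the two metrics services, and its ClusterRole only reads metrics.k8s.io.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
---
# ClusterIP service: 443 -> container port 8443 (the dashboard serves HTTPS
# itself, see the livenessProbe and --auto-generate-certificates below).
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
---
# Mounted at /certs in the dashboard pod. Empty here; with
# --auto-generate-certificates the dashboard is expected to fill it itself
# (its Role grants update on this secret). Put an operator-issued certificate
# here instead if one is available.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque
---
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
---
# Namespace-scoped Role: every rule is pinned to named resources, so the
# dashboard's own identity cannot read arbitrary secrets or configmaps.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.3.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://<api-server-host>:<port>
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Hardening: non-root uid/gid, no privilege escalation, read-only
          # root filesystem (the /tmp emptyDir above is the writable scratch space).
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper
---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          # Same hardening as the dashboard container.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}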
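# Expose the dashboard: edit its Service (the notes do not say what is
# changed — presumably the type, so that it gets a node port; the next line
# then shows the port that was assigned).
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
# Find the port, then open it in the security group. A node port listens on
# every node, so restrict the rule to the source addresses that need access.
# Listing the namespace directly keeps the header row, so the PORT(S) column
# is labelled (grepping `-A` output drops it).
kubectl get svc -n kubernetes-dashboard
# Create the login account: put the following manifest into dash.yaml (vi dash.yaml)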
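# dash.yaml: the account used to log in to the dashboard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# Binds admin-user to the built-in cluster-admin ClusterRole, i.e. full
# read/write access to every resource in every namespace. Fine for a lab
# cluster; on a shared cluster bind a ClusterRole limited to what the
# dashboard user actually needs to see.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard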
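# Fetch the login token for admin-user. The secret name is looked up in a
# quoted variable so a failed lookup cannot be word-split into stray
# arguments. On 1.20 the ServiceAccount's token Secret is auto-created;
# from 1.24 onward it is not, and `kubectl create token admin-user -n
# kubernetes-dashboard` issues one instead.
# The value printed is a long-lived bearer token for a cluster-admin
# identity: treat it like a root password (do not paste it into shared
# logs or chat).
secret_name=$(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}")
kubectl -n kubernetes-dashboard get secret "${secret_name}" -o go-template="{{.data.token | base64decode}}"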