一、是什么
docker人肉部署容器浪费时间!浪费精力!需要一个编排系统解决–k8s!
1、特性
-
服务发现与负载均衡
例如在一台机器部署只能抗住100并发的请求,此时运行3台机器,这样一共可以抗住300的并发,将服务部署到三台服务器上,这样就增加了服务的并发数。假如此时有另一个服务将三台服务器上的服务进行管理,当请求来时,先请求该台服务器,由该服务器把流量可以按照服务器配置分发到不同服务器上进行处理,提高并发量减少服务器压力,这就是负载均衡。
想要负载均衡首先需要服务发现,当有台机器的服务突然挂掉,请求进来时,k8s需要知道所有服务的状态,及时剔除挂掉的服务,不进行请求处理。 -
存储编排
每台服务内的应用需要开辟硬盘空间,如果应用挂掉或者不使用时,需要即使释放和该应用有关联的所有空间。 -
自动部署和回滚
服务挂掉或者升级失败,k8s可以进行版本的回滚和服务的自动部署。 -
自动完成装箱计算
k8s将所有容器装到一个沙箱中运行,容器的内存和cpu可以通过k8s进行设置和监控。 -
自我修复
k8s可以自动重启、替换挂掉的容器。一旦有台机器挂掉了,它可以把这台机器里的容器放到其他机器上运行,保证该机器一直运行。 -
密钥与配置管理
类似于springcloud里的控制中心
总结:Kubernetes为你提供一个可弹性运行分布式系统的框架。k8s会满足你的扩展要求,故障转移,部署模式等。例如,Kubernetes可以轻松管理系统的Canary部署。
2、架构
- 工作方式
主从模式,主节点(master)管理工作节点(worker),一般任务由工作节点进行,当主节点多了会形成一个高可用集群,如果某个主节点挂掉则会重新选择主节点进行管理工作节点。
Kubernetes Cluster = N Master Node + N Worker Node :N>=1 - 组件架构
Node:每一个工作的节点,类似于每个工厂;
kubelet:决定每个工作节点里的应用是否运行,可以随时探测应用是否正常运行,如果应用有问题,则将消息向主节点反馈,如果设置该节点为主节点的话,它会启动该主节点需要的所有组件,类似厂长;
api-serve:接收工作节点的消息,平时我们与K8s的交互也是由它进行处理;
controller-maneger:接收api发过来的需要处理的消息,并进行判断该应用是否需要分发,并将决策信息存储到键值数据库中,并通知api;
ETCD:键值数据库,存储数据信息;
scheduler:从api接收信息,动态计算哪个工作节点可以处理该应用;
kube-proxy:知道所有应用所在的工作节点地址;
举例:
如果应用故障,Kubernetes处理流程:
不同应用之间的通信处理流程:
二、集群环境
1、集群安装逻辑
-
基础环境搭建
-
设置主节点时的处理流程
更正:kubeadm下载所有组件,kubelet启动所需的所有组件!!!
2、公网环境配置
由于资金有限,只设置一主一从服务器,但是再添加工作节点也可以按照这个步骤进行。
- 服务器信息
| 云产品 | 公网ip地址 | 内网ip |
|---|---|---|
| 腾讯云(master) | 49.232.181.123 | |
| 阿里云(node) | 182.92.128.93 |
- 开放端口:
开启 6443 TCP端口:给 kube-apiserver 使用
开启 8472 UPD端口:给 flannel 网络插件通讯使用
- 系统网络环境配置
#公网 配置hosts,建立ip和域名的映射关系,可以保证即使代码迁移其它环境也不需要在代码中更改内网ip地址,我们依旧可以根据域名访问到它的ip 没有申请自己域名的可以省略
echo "IP 自定义hostname" >> /etc/hosts
echo "" >> /etc/hosts
# 将 SELinux 设置为 permissive 模式(相当于将其禁用)关闭防火墙,关闭setenforce
#SELinux:加强安全性的组件,爱出错且难定位!更主要原因,关掉之后允许容器访问宿主机的文件系统
#关闭防火墙:nftables后端兼容性问题,产生重复的防火墙规则
sudo setenforce 0
#查看setenforce状态 disabled
setenforce -v
#如果出现SELinux is disabled说明已经永久关闭,0是临时关闭,这两情况都可以
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
#查看状态SELINUX disabled
getenforce
#关闭swap 会导致docker运行不正常,关掉就会正常。原因:swap会在内存不足时,将部分内存数据存储到磁盘中,会影响性能。
swapoff -a #临时关闭 仅限当前会话
sed -ri 's/.*swap.*/#&/' /etc/fstab #永久关闭
#查看swap是否关闭成功 swap行都是0则成功
free -m
#创建 /etc/sysctl.d/k8s.conf 文件
cat > k8s.conf <<EOF
#开启网桥模式
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
#开启转发
net.ipv4.ip_forward = 1
##关闭ipv6
net.ipv6.conf.all.disable_ipv6=1
EOF
cp k8s.conf /etc/sysctl.d/k8s.conf
sysctl -p /etc/sysctl.d/k8s.conf
- 设置主机名,不能重复!!
hostnamectl set-hostname k8s-master - 设置网卡:云主机绑定的都是内网ip,由于我的服务器是阿里云和腾讯云,VPC不通,内网访问无法链接,需要使用虚拟网卡绑定公网ip,通过公网ip来注册集群。
# 所有主机都要创建虚拟网卡,并绑定对应的公网 ip
# 临时生效,重启会失效
ifconfig eth0:1 <你的公网IP>
ifconfig eth0:1 49.232.181.123
# 永久生效
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=182.92.128.93
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
#重启网络
systemctl restart network
#查看结果
ip addr
ifconfig
3、基础环境
- yum安装与配置:
# 1、下载所需要的安装包
yum install -y yum-utils
# 2、设置镜像的仓库
yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo # 国外的!!!
# 使用国内阿里云安装,安装十分快速
yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 3、更新yum软件包索引
yum makecache fast
# 4、k8s需要指定版本号!安装docker相关引擎 docker-ce 社区版 ee企业版
yum install -y docker-ce-20.10.7 docker-ce-cli-20.10.7 containerd.io-1.4.6
参考:docker详情文章内容
- 启动docker 开机自启
systemctl enable docker --now - 配置加速:创建daemon.json文件,该文件中参数会在启动时执行,默认是没有该文件的需要自己创建。如果这里有目前需要的参数详解(这里只列出目前使用的,还有很多参数可以自己查看官方文档):
registry-mirrors:设置镜像加速
exec-opts:运行时执行选项
log-driver:容器日志的默认驱动程序(默认为“ json-file”)
log-opts:存储驱动程序选项
storage-driver:用来管理镜像和容器的存储驱动程序,
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://******* .mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver":"overlay2"
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
如果这里有报错问题,检查一下文件中是否编写符合规范,比如-写成了.,逗号落下等,没有的话再看一下/lib/systemd/system/docker.service里是否有重复内容而导致冲突。
# 设置系统时区为 中国/上海
timedatectl set-timezone Asia/Shanghai
# 将当前的UTC时间写入硬件时钟
timedatectl set-local-rtc 0
# 重启依赖于系统时间的服务
systemctl restart rsyslog
systemctl restart crond
#关闭系统不需要的服务
systemctl stop postfix && systemctl disable postfix
#日志操作:
mkdir /var/log/journal # 持久化保存日志的目录
mkdir /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
[Journal]
# 持久化保存到磁盘
Storage=persistent
# 压缩历史日志
Conpress=yes
SyncIntervalSec=5m
RateLimitInterval=30s
RateLimitBurst=1000
# 最大占用空间 10G
SystemMaxUse=10G
# 单日志文件最大 200M
SystemMaxFileSize=200M
# 日志保存时间2周
MaxRetentionSec=2week
# 不将日志转发到syslog
ForwardToSyslog=no
EOF
#重启生效
systemctl restart systemd-journald
#CentOS 7.x系统自带的3.10x内核存在一些Bugs,导致运行的Docker、Kubernetes不稳定。
rpm -Uvh http://mirror.ventraip.net.au/elrepo/elrepo/el7/x86_64/RPMS/elrepo-release-7.0-4.el7.elrepo.noarch.rpm
# 安装完成后检查 /boot/grub2/grub.cfg 中对应内核 menuentry 中是否包含 initrd16 配置,如果没有,再安装一次
yum --enablerepo=elrepo-kernel install -y kernel-lt
# 设置开机从新内核启动
grub2-set-default "CentOS Linux (4.4.182-1.el7.elrepo.x86_64) 7 (Core)"
检测:
[root@k8s-master01 ~]# uname -r
4.4.237-1.el7.elrepo.x86_64
4、关于iptables和ipvs
- iptables处理流程:kube-proxy监听apiserver里的service和endpoint(存储在etcd中,用来记录一个service对应的所有pod的访问地址)生成一个有序的iptables规则,每条规则对应一个pod,然后随机重定向到一个pod上,如果第一个pod挂掉,则会重试另一个。这种iptables记录pod和对应ip的方法有很大弊端,当集群模式下,如果我们有2000个服务并且每个服务有10个 pod,这将在每个工作节点上至少产生20000个 iptable 记录。
- ipvs处理规则:kube-proxy监听API Server中service和endpoint的变化情况,调用netlink接口创建相应的ipvs规则,并定期将ipvs规则与Services和Endpoints同步。保证IPVS状态。IPVS代理模式基于netfilter hook函数,该函数类似于iptables模式,但使用hash表作为底层数据结构,在内核空间中工作。这意味着IPVS模式下的kube-proxy使用更低的重定向流量。其同步规则的效率和网络吞吐量也更高。
- ipvs 为大型集群提供了更好的可扩展性和性能
- ipvs 支持比 iptables 更复杂的负载均衡算法(最小负载、最少连接、加权等等)
- ipvs 支持服务器健康检查和连接重试等功能
- iptables创建规则基于内核规则列表,ipvs基于netlink接口
- 如果没有加载并启用ipvs模块,或者没有配置ipvs相关配置,则会被降级成iptables模式。
- kube-proxy开启ipvs的前置条件
#安装ipvs
yum -y install ipvsadm
#使得配置文件生效
modprobe br_netfilter
#配置ipvs文件
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4
5、安装kubelet、kubeadm、kubectl
- 下载资源
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes
sudo systemctl enable --now kubelet
- 修改kublete启动参数
# 此文件安装kubeadm后就存在了
vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
# 注意,这步很重要,如果不做,节点仍然会使用内网IP注册进集群,文件里会发现有两个ExecStart,千万不要改!!只需要在最后一个末尾添加空格 --node-ip=<公网IP>
# 在末尾添加参数 --node-ip=公网IP
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --node-ip=<公网IP>
#ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --node-ip=182.92.128.93
6、使用kubeadm引导集群
- 下载各个机器所需要的镜像
节点中除了kubelet其他的组件都是以容器方式下载,所以需要先下载一下镜像。
sudo tee ./images.sh <<-'EOF'
#!/bin/bash
images=(
kube-apiserver:v1.20.9
kube-proxy:v1.20.9
kube-controller-manager:v1.20.9
kube-scheduler:v1.20.9
coredns:1.7.0
etcd:3.4.13-0
pause:3.2
)
for imageName in ${images[@]} ; do
docker pull registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/$imageName
done
EOF
chmod +x ./images.sh && ./images.sh
- 修改主节点(只在master节点上执行!!!)
找到master中的ip虚拟ip地址ip a
配置文件:
# 添加配置文件,注意替换下面的IP
cat > kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
certSANs:
- master #请替换为hostname
- xx.xx.xx.xx #请替换为公网IP
- xx.xx.xx.xx #请替换为私网IP
- 10.96.0.1
controlPlaneEndpoint: xx.xx.xx.xx:6443 #替换为公网IP
imageRepository: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
---
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipvs
EOF
cat > kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
certSANs:
- k8s-master
- 49.232.181.123
- 10.0.8.7
- 10.96.0.1
controlPlaneEndpoint: 49.232.181.123:6443
imageRepository: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
---
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
SupportIPVSProxyMode: true
mode: ipvs
EOF
#1.初始化主节点
sysctl -w net.ipv4.ip_forward=1
kubeadm init --config=kubeadm-config.yaml
安装过程中出现的问题:
[init] Using Kubernetes version: v1.20.9
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.7. Latest validated version: 19.03
[WARNING Hostname]: hostname "k8s-master" could not be reached
[WARNING Hostname]: hostname "k8s-master": lookup k8s-master on 183.60.83.19:53: no such host
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR FileContent--proc-sys-net-ipv4-ip_forward]: /proc/sys/net/ipv4/ip_forward contents are not set to 1
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or higher
解决:sysctl -w net.ipv4.ip_forward=1
记录下一下文件
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
kubeadm join 49.232.181.123:6443 --token f8v1ln.8ybsrc1uockwknns \
--discovery-token-ca-cert-hash sha256:cc9547cb6f6756377af6b6be6cbde82d95c98b99b1065f58365866abf2c467b7 \
--control-plane
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 49.232.181.123:6443 --token f8v1ln.8ybsrc1uockwknns \
--discovery-token-ca-cert-hash sha256:cc9547cb6f6756377af6b6be6cbde82d95c98b99b1065f58365866abf2c467b7
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
修改kube-apiserver参数:
# 修改两个信息,添加--bind-address和修改--advertise-address
vim /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
annotations:
kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.20.8:6443
creationTimestamp: null
labels:
component: kube-apiserver
tier: control-plane
name: kube-apiserver
namespace: kube-system
spec:
containers:
- command:
- kube-apiserver
- --advertise-address=xx.xx.xx.xx # 修改为公网IP
- --bind-address=0.0.0.0 # 新增参数
- --allow-privileged=true
- --authorization-mode=Node,RBAC
- --client-ca-file=/etc/kubernetes/pki/ca.crt
- --enable-admission-plugins=NodeRestriction
- --enable-bootstrap-token-auth=true
- --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
- --etcd-servers=https://127.0.0.1:2379
- --insecure-port=0
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
- --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
- --requestheader-allowed-names=front-proxy-client
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --requestheader-group-headers=X-Remote-Group
- --requestheader-username-headers=X-Remote-User
- --secure-port=6443
- --service-account-issuer=https://kubernetes.default.svc.cluster.local
- --service-account-key-file=/etc/kubernetes/pki/sa.pub
- --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
- --service-cluster-ip-range=10.96.0.0/12
- --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
- --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/kube-apiserver:v1.20.9
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 8
httpGet:
host: 10.0.20.8
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
name: kube-apiserver
readinessProbe:
failureThreshold: 3
httpGet:
host: 10.0.20.8
path: /readyz
port: 6443
scheme: HTTPS
periodSeconds: 1
timeoutSeconds: 15
resources:
requests:
cpu: 250m
startupProbe:
failureThreshold: 24
httpGet:
host: 10.0.20.8
path: /livez
port: 6443
scheme: HTTPS
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
volumeMounts:
- mountPath: /etc/ssl/certs
name: ca-certs
readOnly: true
- mountPath: /etc/pki
name: etc-pki
readOnly: true
- mountPath: /etc/kubernetes/pki
name: k8s-certs
readOnly: true
hostNetwork: true
priorityClassName: system-node-critical
volumes:
- hostPath:
path: /etc/ssl/certs
type: DirectoryOrCreate
name: ca-certs
- hostPath:
path: /etc/pki
type: DirectoryOrCreate
name: etc-pki
- hostPath:
path: /etc/kubernetes/pki
type: DirectoryOrCreate
name: k8s-certs
status: {}
- 查看主节点是否配置成功
[root@k8s-master sysctl.d]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane,master 7m34s v1.20.9
主节点配置成功!!
- 安装网络组件-flannel
# 1、下载flannel配置文件
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
修改配置
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
defaultAddCapabilities: []
requiredDropCapabilities: []
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
seLinux:
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni-plugin
image: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0
command:
- cp
args:
- -f
- /flannel
- /opt/cni/bin/flannel
volumeMounts:
- name: cni-plugin
mountPath: /opt/cni/bin
- name: install-cni
image: rancher/mirrored-flannelcni-flannel:v0.18.1
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: rancher/mirrored-flannelcni-flannel:v0.18.1
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: EVENT_QUEUE_DEPTH
value: "5000"
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
- name: xtables-lock
mountPath: /run/xtables.lock
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni-plugin
hostPath:
path: /opt/cni/bin
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
docker运行的应用叫容器,k8s里叫pod
#查看pod状态
kubectl get pod -A
#查看nodes状态
kubectl get nodes
kube-system kube-flannel-ds-265kg 1/1 Running 0 113s
- 工作节点加入master节点,tocken过期重新生成:
#master执行:
kubeadm token create --print-join-command
#我的结果:kubeadm join 49.232.181.123:6443 --token 3685xd.kxfcfxv94fgdom59 --discovery-token-ca-cert-hash sha256:cc9547cb6f6756377af6b6be6cbde82d95c98b99b1065f58365866abf2c467b7
#执行以上步骤打印出的内容
kubeadm join 49.232.181.123:6443 --token 3685xd.kxfcfxv94fgdom59 --discovery-token-ca-cert-hash sha256:cc9547cb6f6756377af6b6be6cbde82d95c98b99b1065f58365866abf2c467b7
849
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
