一:k8s二进制安装之基础配置
参考文档:https://blog.csdn.net/qq_27706119/article/details/119462965
1.1:准备环境
软件环境:
软件 | 版本 |
---|---|
操作系统 | centos7.9 |
Docker | 19-ce |
kubernetes | 18.0 |
服务器整体规划
角色 | IP | 组件 |
---|---|---|
k8s-master1 | 192.168.3.215 | kube-apiserver,kube-controller-manager,kube-scheduler,etcd,kube-proxy,docker,kubelet |
k8s-node1 | 192.168.3.214 | docker,kube-proxy,kubelet,etcd |
k8s-node2 | 192.168.3.216 | docker,kube-proxy,kubelet,etcd |
协议 | 端口号 | K8S集群 |
---|---|---|
TCP | 2376 | 主机驱动与Docker守护进程通信的TLS端口 |
TCP | 2379 | etcd客户端请求 |
TCP | 2380 | etcd节点通信 |
TCP | 10251 | Schedule |
TCP | 10252 | Controller Manager |
TCP | 10254 | lngress controller健康检查 |
TCP | 6443 | Kubernetes API Server(HTTPS安全端口号) |
TCP | 8080 | Kubernetes API Server(HTTP非安全端口号) |
TCP | 10250 /10255 | kubelet APl/kubelet APl 只读端口号 |
1.2:操作系统初始化配置
# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
# 关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久
setenforce 0 # 临时
# 关闭swap
swapoff -a # 临时
sed -ri 's/.*swap.*/#&/' /etc/fstab # 永久
# 根据规划设置主机名
hostnamectl set-hostname <hostname>
# 在master添加hosts
cat >> /etc/hosts << EOF
192.168.3.215 k8s-master
192.168.3.214 k8s-node1
192.168.3.216 k8s-node2
EOF
# 将桥接的IPv4流量传递到iptables的链
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system # 生效
# 时间同步
yum install ntpdate -y
ntpdate time.windows.com
#重启主机
reboot
二:部署etcd集群
基本规划
Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储,所以先准备一个Etcd数据库,为解决Etcd单点故障,应采用集群方式部署,这里使用3台组建集群,可容忍1台机器故障,当然,你也可以使用5台组建集群,可容忍2台机器故障。
etcd-1 | 192.168.3.214 |
---|---|
etcd-2 | 192.168.3.215 |
etcd-3 | 192.168.3.216 |
2.1:准备cfssl证书生成工具
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 --no-check-certificate
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 --no-check-certificate
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 --no-check-certificate
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/bin/cfssl
mv cfssljson_linux-amd64 /usr/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
2.2:生成etcd证书
2.2.1:自签证书颁发机构(CA)
2.2.1.1:创建工作目录
mkdir -p ~/TLS/{etcd,k8s}
2.2.1.2:自签CA:
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"www": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "etcd CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing"
}
]
}
EOF
2.2.1.3:生成证书:
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
查看证书
[root@k8s-master etcd]# ls *.pem
ca-key.pem ca.pem
2.2.2:使用自签CA签发Etcd HTTPS 证书
2.2.2.1:创建证书申请文件
cat > server-csr.json << EOF
{
"CN": "etcd",
"hosts": [
"192.168.3.214",
"192.168.3.215",
"192.168.3.216"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing"
}
]
}
EOF
2.2.2.2:生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
查看证书
[root@k8s-master etcd]# ls server*.pem
server-key.pem server.pem
2.3:下载etcd二进制文件
下载地址:https://github.com/etcd-io/etcd/releases/download/v3.3.10/etcd-v3.3.10-linux-amd64.tar.gz
2.4:部署etcd集群
以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3.
2.4.1:创建工作目录并解压二进制包
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxvf etcd-v3.3.10-linux-amd64.tar.gz
mv etcd-v3.3.10-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
2.4.2:创建etcd配置文件:
[root@k8s-master ~]# cat /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.3.215:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.3.215:2379"
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.3.215:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.3.215:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.3.215:2380,etcd-2=https://192.168.3.216:2380,etcd-3=https://192.168.3.214:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
参数说明:
ETCD_NAME:节点名称,集群中唯一
ETCD_DATA_DIR:数据目录
ETCD_LISTEN_PEER_URLS:集群通信监听地址
ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
ETCD_INITIAL_CLUSTER:集群节点地址
ETCD_INITIAL_CLUSTER_TOKEN:集群Token
ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
2.4.3:systemd管理etcd
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
2.4.4:拷贝刚才生成的证书
cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/
2.4.5:启动并设置为开启自启动
systemctl daemon-reload
systemctl start etcd
systemctl enable etcd
2.4.6:将上面节点1所有生成的文件拷贝到节点2和节点3
scp -r /opt/etcd/ root@192.168.3.214:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.3.214:/usr/lib/systemd/system/
scp -r /opt/etcd/ root@192.168.3.216:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.3.216:/usr/lib/systemd/system/
2.4.7:修改etcd.conf配置文件中的节点名称和当前服务器IP
#[Member]
ETCD_NAME="etcd-1" # 修改此处,节点2改为etcd-2,节点3改为etcd-3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.3.215:2380" # 修改此处为当前服务器IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.3.215:2379" # 修改此处为当前服务器IP
#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.3.215:2380" # 修改此处为当前服务器IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.3.215:2379" # 修改此处为当前服务器IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.3.215:2380,etcd-2=https://192.168.3.215:2380,etcd-3=https://192.168.3.215:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
2.4.8:查看集群状态
[root@k8s-master ~]# ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.3.214:2379,https://192.168.3.215:2379,https://192.168.3.216:2379" endpoint health
https://192.168.3.216:2379 is healthy: successfully committed proposal: took = 911.485µs
https://192.168.3.215:2379 is healthy: successfully committed proposal: took = 1.134823ms
https://192.168.3.214:2379 is healthy: successfully committed proposal: took = 1.134823ms
2.4.9:etcd集群安装完成
三:安装docker
下载地址:https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz
有几个节点,装几个节点
3.1:解压二进制包:
tar zxvf docker-19.03.9.tgz
mv docker/* /usr/bin
3.2:systemd管理docker
cat > /usr/lib/systemd/system/docker.service << EOF
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
[Service]
Type=notify
ExecStart=/usr/bin/dockerd
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
[Install]
WantedBy=multi-user.target
EOF
3.3:创建配置文件
mkdir /etc/docker
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
3.4:启动并配置开机启动
systemctl daemon-reload
systemctl start docker
systemctl enable docker
四:部署Master Node
4.1:生成kube-apiserver证书
4.1.1:自签证书颁发机构(CA)
cd TLS/k8s
cat > ca-config.json << EOF
{
"signing": {
"default": {
"expiry": "87600h"
},
"profiles": {
"kubernetes": {
"expiry": "87600h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
EOF
cat > ca-csr.json << EOF
{
"CN": "kubernetes",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "Beijing",
"ST": "Beijing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
ls *pem
ca-key.pem ca.pem
4.1.2:使用自签CA签发kube-apiserver HTTPS证书
创建证书申请文件:
cd TLS/k8s
cat > server-csr.json << EOF
{
"CN": "kubernetes",
"hosts": [
"10.0.0.1",
"127.0.0.1",
"192.168.3.214",
"192.168.3.215",
"192.168.3.216",
"192.168.3.217",
"192.168.3.218",
"192.168.3.219",
"192.168.3.220",
"192.168.3.221",
"192.168.3.222",
"kubernetes",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
注:上述文件hosts字段中IP为所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
4.1.3:生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
ls server*pem
server-key.pem server.pem
4.2 从Github下载二进制文件
下载地址: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183
4.3:解压二进制包
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
tar zxvf kubernetes-server-linux-amd64.tar.gz
cd kubernetes/server/bin
cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
cp kubectl /usr/bin/
4.4:部署kube-apiserver
4.4.1:创建配置文件
cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
KUBE_APISERVER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--etcd-servers=https://192.168.3.215:2379,https://192.168.3.216:2379,https://192.168.3.214:2379 \
--bind-address=192.168.3.215 \
--secure-port=16443 \
--advertise-address=192.168.3.215 \
--allow-privileged=true \
--service-cluster-ip-range=10.0.0.0/24 \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \
--authorization-mode=RBAC,Node \
--enable-bootstrap-token-auth=true \
--token-auth-file=/opt/kubernetes/cfg/token.csv \
--service-node-port-range=30000-32767 \
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \
--tls-cert-file=/opt/kubernetes/ssl/server.pem \
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \
--client-ca-file=/opt/kubernetes/ssl/ca.pem \
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
--etcd-cafile=/opt/etcd/ssl/ca.pem \
--etcd-certfile=/opt/etcd/ssl/server.pem \
--etcd-keyfile=/opt/etcd/ssl/server-key.pem \
--audit-log-maxage=30 \
--audit-log-maxbackup=3 \
--audit-log-maxsize=100 \
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
--insecure-port=8088 \
--logtostderr=false: 将日志输出到文件而不是标准输出。
--v=2: 日志级别,2 表示 Info 级别。
--log-dir=/opt/kubernetes/logs: 指定日志文件的输出目录。
--etcd-servers=https://192.168.3.215:2379,https://192.168.3.216:2379,https://192.168.3.214:2379: 指定 Kubernetes API Server 用来连接 etcd 集群的地址,多个地址之间用逗号分隔。
--bind-address=192.168.242.51: 指定 API Server 监听的 IP 地址。
--secure-port=6443: 指定 Kubernetes API Server 监听的端口,默认为 6443。
--advertise-address=192.168.242.51: 指定 API Server 的访问地址,用于和其他组件通信。
--allow-privileged=true: 允许容器使用特权模式,默认为 true。
--service-cluster-ip-range=10.0.0.0/24: 指定 Service IP 地址段,通过此 IP 地址段进行 Service 的请求转发。
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction: 启用 Admission Controller 插件,决策 Kubernetes API Server 是否能够创建和更新资源对象。
--authorization-mode=RBAC,Node: 指定授权模式,RBAC 表示使用 Role-Based Access Control 进行授权,Node 表示使用节点名称进行授权。
--enable-bootstrap-token-auth=true: 允许使用 Bootstrap Token 进行身份验证。
--token-auth-file=/opt/kubernetes/cfg/token.csv: 指定 Token 文件的存放路径。
--service-node-port-range=30000-32767: 指定节点端口范围,用于 NodePort 类型的 Service。
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem: 指定 API Server 向 kubelet 发送请求时使用的客户端证书。
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem: 指定客户端证书的私钥。
--tls-cert-file=/opt/kubernetes/ssl/server.pem: 指定 API Server 的 TLS 证书文件。
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem: 指定 TLS 证书的私钥文件。
--client-ca-file=/opt/kubernetes/ssl/ca.pem: 指定客户端证书颁发机构的证书,用于验证客户端证书的有效性。
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem: 指定 Service Account 的私钥文件。
--service-account-issuer=api: 指定发出 Service Account Token 的 Issuer。
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem: 指定 Service Account Token 签名密钥文件。
--etcd-cafile=/opt/etcd/ssl/ca.pem: 指定 etcd 集群 CA 证书文件。
--etcd-certfile=/opt/etcd/ssl/server.pem: 指定 etcd 集群客户端证书文件。
--etcd-keyfile=/opt/etcd/ssl/server-key.pem: 指定 etcd 集群客户端证书的私钥文件。
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem: 指定客户端请求 API Server 使用的 CA 证书。
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem: 指定 kube-proxy 向 API Server 发送请求时使用的客户端证书。
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem: 指定客户端证书的私钥。
--requestheader-allowed-names=kubernetes: 指定允许通过请求头的用户和组。
--requestheader-extra-headers-prefix=X-Remote-Extra-: 指定额外的请求头前缀,用于传递额外的信息。
--requestheader-group-headers=X-Remote-Group: 指定保存在请求头中用户所属组信息的键名。
--requestheader-username-headers=X-Remote-User: 指定保存在请求头中用户名信息的键名。
--enable-aggregator-routing=true: 启用 kube-aggregator 插件。
--audit-log-maxage=30: 指定审计日志保留的时间,单位天
--audit-log-maxbackup=3: 指定审计日志保留的个数。
--audit-log-maxsize=100: 指定审计日志文件的最大大小,单位为 MB。
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log: 指定审计日志输出的路径。
4.4.2:拷贝刚才生成的证书
把刚才生成的证书拷贝到配置文件中的路径:
cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/
4.4.3:启用TLS Bootstrapping 机制
TLS Bootstraping:Master apiserver启用TLS认证后,Node节点kubelet和kube-proxy要与kube-apiserver进行通信,必须使用CA签发的有效证书才可以,当Node节点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。
为了简化流程,Kubernetes引入了TLS bootstraping机制来自动颁发客户端证书,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。
所以强烈建议在Node上使用这种方式,目前主要用于kubelet,kube-proxy还是由我们统一颁发一个证书。
4.4.3.1:TLS bootstraping 工作流程
创建上述配置文件中token文件:
cat > /opt/kubernetes/cfg/token.csv << EOF
c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
EOF
格式:token,用户名,UID,用户组
token也可自行生成替换:head -c 16 /dev/urandom | od -An -t x | tr -d ’ ’
4.4.4:systemd管理apiserver
cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
4.4.5:启动并设置开机启动
systemctl daemon-reload
systemctl start kube-apiserver
systemctl enable kube-apiserver
4.4.6:授权kubelet-bootstrap用户允许请求证书
创建 admin 证书签名请求
vim admin-csr.json
{
"CN": "admin",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "system:masters",
"OU": "System"
}
]
}
生成 admin 证书和私钥:
[root@k8s-master1 src]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem -ca-key=/opt/kubernetes/ssl/ca-key.pem -config=/opt/kubernetes/ssl/ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin
cp admin*.pem /opt/kubernetes/ssl/
设置集群参数:
master:
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server=https://192.168.3.215:6443
设置客户端认证参数:
[root@k8s-master1 src]# kubectl config set-credentials admin \
--client-certificate=/opt/kubernetes/ssl/admin.pem \
--embed-certs=true \
--client-key=/opt/kubernetes/ssl/admin-key.pem
设置上下文参数
[root@k8s-master1 src]# kubectl config set-context kubernetes \
--cluster=kubernetes --user=admin --user=admin
Context "kubernetes" created.
设置默认上下文
[root@k8s-master1 src]# kubectl config use-context kubernetes
Switched to context "kubernetes".
角色绑定:
[root@k8s-master1 src]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
4.5:部署kube-controller-manager
4.5.1:创建配置文件
cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--leader-elect=true \\
--master=127.0.0.1:8080 \\
--bind-address=127.0.0.1 \\
--allocate-node-cidrs=true \\
--cluster-cidr=10.244.0.0/16 \\
--service-cluster-ip-range=10.0.0.0/24 \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--experimental-cluster-signing-duration=87600h0m0s"
EOF
–master:通过本地非安全本地端口8080连接apiserver。
–leader-elect:当该组件启动多个时,自动选举(HA)
–cluster-signing-cert-file/–cluster-signing-key-file:自动为kubelet颁发证书的CA,与apiserver保持一致
4.5.2:systemd管理controller-manager
cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
4.5.3:启动并设置开机启动
systemctl daemon-reload
systemctl start kube-controller-manager
systemctl enable kube-controller-manager
4.6 部署kube-scheduler
4.6.1:创建配置文件
cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
KUBE_SCHEDULER_OPTS="--logtostderr=false \
--v=2 \
--log-dir=/opt/kubernetes/logs \
--leader-elect \
--master=127.0.0.1:8080 \
--bind-address=127.0.0.1"
EOF
–master:通过本地非安全本地端口8080连接apiserver。
–leader-elect:当该组件启动多个时,自动选举(HA)
4.6.2:systemd管理scheduler
cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
4.6.3:启动并设置开机启动
systemctl daemon-reload
systemctl start scheduler
systemctl enable scheduler
4.6.4:查看集群状态
[root@k8s-master cfg]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Healthy {"health":"true"}
etcd-0 Healthy {"health":"true"}
五:部署Worker Node
5.1: 创建工作目录并拷贝二进制文件
在所有worker node创建工作目录:
mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
从master节点拷贝:
cd kubernetes/server/bin
cp kubelet kube-proxy /opt/kubernetes/bin # 本地拷贝
5.2: 部署kubelet
5.2.1:创建配置文件
cat > /opt/kubernetes/cfg/kubelet.conf << EOF
KUBELET_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--hostname-override=k8s-master \\
--network-plugin=cni \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--config=/opt/kubernetes/cfg/kubelet-config.yml \\
--cert-dir=/opt/kubernetes/ssl \\
--pod-infra-container-image=lizhenliang/pause-amd64:3.0"
EOF
–hostname-override:显示名称,集群中唯一
–network-plugin:启用CNI
–kubeconfig:空路径,会自动生成,后面用于连接apiserver #注意事项:这个文件kubelet.kubeconfig是5.3章批准加入之后才自动生成的
–bootstrap-kubeconfig:首次启动向apiserver申请证书
–config:配置参数文件
–cert-dir:kubelet证书生成目录
–pod-infra-container-image:管理Pod网络容器的镜像
5.2.2:配置参数文件
cat > /opt/kubernetes/cfg/kubelet-config.yml << EOF
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
cgroupDriver: cgroupfs
clusterDNS:
- 10.0.0.2
clusterDomain: cluster.local
failSwapOn: false
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /opt/kubernetes/ssl/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
maxOpenFiles: 1000000
maxPods: 110
EOF
5.2.3:生成bootstrap.kubeconfig文件
# apiserver IP:PORT
KUBE_APISERVER=“https://192.168.3.215:6443”
# 与token.csv里保持一致
TOKEN=“c47ffb939f5ca36231d9e3121a252940”
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server="https://192.168.3.215:6443"** \
--kubeconfig=bootstrap.kubeconfig
kubectl config set-credentials "kubelet-bootstrap" \
--token="c47ffb939f5ca36231d9e3121a252940"** \
--kubeconfig=bootstrap.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user="kubelet-bootstrap" \
--kubeconfig=bootstrap.kubeconfig
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Kubernetes 配置文件通常位于 ~/.kube/config,它包含了连接到 Kubernetes 集群所需的信息,如集群的地址、认证凭据、上下文等。
可在/etc/profile添加变量export KUBECONFIG=/root/.kube/config1 更改配置文件引用,source变量即时生效。
以下是 kubectl config 命令中一些常用的子命令和功能:
kubectl config view:查看当前配置文件的内容。可以显示当前使用的上下文、集群、用户等信息。
kubectl config get-contexts:获取所有的上下文列表,显示当前可用的上下文及其所关联的集群和用户。
kubectl config use-context <context-name>:设置当前使用的上下文。通过指定上下文名称,可以切换到不同的 Kubernetes 集群。
kubectl config set-context <context-name> --cluster=<cluster-name> --user=<user-name> --namespace=<namespace>:创建或修改上下文。可以设置不同的集群、用户和命名空间来定位到特定的环境。
kubectl config delete-context <context-name>:删除指定的上下文。
kubectl config set-cluster <cluster-name> --server=<server-url> --certificate-authority=<ca-file>:设置集群连接信息,包括集群名称、服务器地址和证书等。
kubectl config set-credentials <user-name> --username=<username> --password=<password>:设置用户认证凭据,包括用户名和密码。
kubectl config set-credentials <user-name> --client-certificate=<cert-file> --client-key=<key-file>:设置用户认证凭据,使用客户端证书和密钥。
通过 kubectl config 命令,你可以轻松管理和配置 Kubernetes 集群的连接信息、凭据和上下文等内容,方便在不同环境中切换和操作 Kubernetes 集群。
cp bootstrap.kubeconfig /opt/kubernetes/cfg
5.2.4:systemd管理kubelet
cat > /usr/lib/systemd/system/kubelet.service << EOF
[Unit]
Description=Kubernetes Kubelet
After=docker.service
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5.2.5:启动并设置为开机启动
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
5.3 批准kubelet证书申请并加入集群
5.3.1:查看kubelet证书请求
kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A 6m3s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
5.3.2:批准申请
kubectl certificate approve node-csr-uCEGPOIiDdlLODKts8J658HrFq9CZ--K6M4G7bjhk8A
5.3.3:查看节点
kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master NotReady <none> 7s v1.18.0
注:由于网络插件还没有部署,节点会没有准备就绪 NotReady
5.4:部署kube-proxy
5.4.1:创建配置文件
cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF
KUBE_PROXY_OPTS="--logtostderr=false \\
--v=2 \\
--log-dir=/opt/kubernetes/logs \\
--config=/opt/kubernetes/cfg/kube-proxy-config.yml"
EOF
5.4.2:配置参数文件
cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
kind: KubeProxyConfiguration
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
metricsBindAddress: 0.0.0.0:10249
clientConnection:
kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
hostnameOverride: k8s-master
clusterCIDR: 10.0.0.0/24
EOF
5.4.3:生成kube-proxy.kubeconfig文件
生成kube-proxy文件
cd TLS/k8s
创建证书请求
cat > kube-proxy-csr.json << EOF
{
"CN": "system:kube-proxy",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"L": "BeiJing",
"ST": "BeiJing",
"O": "k8s",
"OU": "System"
}
]
}
EOF
生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
ls kube-proxy*pem
kube-proxy-key.pem kube-proxy.pem
生成kubeconfig文件
kubectl config set-cluster kubernetes \
--certificate-authority=/opt/kubernetes/ssl/ca.pem \
--embed-certs=true \
--server="https://192.168.3.215:6443" \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-credentials kube-proxy \
--client-certificate=./kube-proxy.pem \
--client-key=./kube-proxy-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
kubectl config set-context default \
--cluster=kubernetes \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
拷贝到配置文件指定路径:
cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
5.4.4:systemd管理kube-proxy
cat > /usr/lib/systemd/system/kube-proxy.service << EOF
[Unit]
Description=Kubernetes Proxy
After=network.target
[Service]
EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
5.4.5:启动并开机启动
systemctl daemon-reload
systemctl start kube-proxy
systemctl enable kube-proxy
5.5:部署CNI网络
5.5.1:部署flannel
先准备好CNI二进制文件:
下载地址:https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
解压二进制包并移动到默认工作目录:
mkdir /opt/cni/bin
tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin
部署CNI网络:
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
sed -i -r "s#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g" kube-flannel.yml
kubectl apply -f kube-flannel.yml
5.5.2:部署calico
wget https://docs.projectcalico.org/v3.18/manifests/calico.yaml --no-check-certificate
修改配置文件中的pod网络
# - name: CALICO_IPV4POOL_CIDR
# value: "192.168.0.0/16"
#将这两行取消注释,然后将192.168.0.0/16这个网段替换成上方kube-controller-manager配置文件指定的cluster-cidr网段一样
kubectl apply -f calico.yaml
kubectl get pods -n kube-system
5.6:授权apiserver访问kubelet
cat > apiserver-to-kubelet-rbac.yaml << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-apiserver-to-kubelet
rules:
- apiGroups:
- ""
resources:
- nodes/proxy
- nodes/stats
- nodes/log
- nodes/spec
- nodes/metrics
- pods/log
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:kube-apiserver
namespace: ""
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-apiserver-to-kubelet
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubernetes
EOF
kubectl apply -f apiserver-to-kubelet-rbac.yaml
5.7:新增加Work Node
5.7.1:拷贝已部署好的Node相关文件到新节点
在master节点将Worker Node涉及文件拷贝到新节点192.168.3.214/24
scp /opt/kubernetes root@192.168.3.214:/opt/
scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.3.214:/usr/lib/systemd/system
scp -r /opt/cni/ root@192.168.3.214:/opt/
scp /opt/kubernetes/ssl/ca.pem root@192.168.3.214:/opt/kubernetes/ssl
5.7.2:删除kubelet证书和kubeconfig文件
rm /opt/kubernetes/cfg/kubelet.kubeconfig
rm -f /opt/kubernetes/ssl/kubelet*
注:这几个文件是证书申请审批后自动生成的,每个Node不同,必须删除重新生成。
5.7.3:修改主机名
vi /opt/kubernetes/cfg/kubelet.conf
--hostname-override=k8s-node1
vi /opt/kubernetes/cfg/kube-proxy-config.yml
hostnameOverride: k8s-node1
5.7.4. 启动并设置开机启动:
systemctl daemon-reload
systemctl start kubelet
systemctl enable kubelet
systemctl start kube-proxy
systemctl enable kube-proxy
5.7.5. 在Master上批准新Node kubelet证书申请
kubectl get csr
NAME AGE SIGNERNAME REQUESTOR CONDITION
node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro 89s kubernetes.io/kube-apiserver-client-kubelet kubelet-bootstrap Pending
kubectl certificate approve node-csr-4zTjsaVSrhuyhIGqsefxzVoZDCNKei-aE2jyTP81Uro
5.7.6:查看Node状态
kubectl get node
NAME STATUS ROLES AGE VERSION
k8s-master Ready <none> 65m v1.18.3
k8s-node1 Ready <none> 12m v1.18.3
k8s-node2 Ready <none> 81s v1.18.3
六:部署dashboard和CoreDNS
6.1:部署dashboard
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部:
vi recommended.yaml
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 30001
type: NodePort
selector:
k8s-app: kubernetes-dashboard
kubectl apply -f recommended.yaml
kubectl get pods,svc -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-694557449d-z8gfb 1/1 Running 0 2m18s
pod/kubernetes-dashboard-9774cc786-q2gsx 1/1 Running 0 2m19s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.0.0.141 <none> 8000/TCP 2m19s
service/kubernetes-dashboard NodePort 10.0.0.239 <none> 443:30001/TCP 2m19s
访问地址:https://NodeIP:30001
创建service account并绑定默认cluster-admin管理员集群角色:
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
6.2:部署CoreDNS
[root@k8s-master ~]# cat coredns.yaml
# Warning: This is a file generated from the base underscore template file: coredns.yaml.base
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
log
errors
health {
lameduck 5s
}
ready
kubernetes cluster.local in-addr.arpa ip6.arpa {
pods insecure
fallthrough in-addr.arpa ip6.arpa
ttl 30
}
prometheus :9153
forward . /etc/resolv.conf
cache 30
loop
reload
loadbalance
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
# replicas: not specified here:
# 1. In order to make Addon Manager do not reconcile this replicas parameter.
# 2. Default is 1.
# 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
k8s-app: kube-dns
template:
metadata:
labels:
k8s-app: kube-dns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
nodeSelector:
kubernetes.io/os: linux
containers:
- name: coredns
image: coredns/coredns:1.6.7
imagePullPolicy: IfNotPresent
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 70Mi
args: [ "-conf", "/etc/coredns/Corefile" ]
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
readOnly: true
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /ready
port: 8181
scheme: HTTP
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_BIND_SERVICE
drop:
- all
readOnlyRootFilesystem: true
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
---
apiVersion: v1
kind: Service
metadata:
name: kube-dns
namespace: kube-system
annotations:
prometheus.io/port: "9153"
prometheus.io/scrape: "true"
labels:
k8s-app: kube-dns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: kube-dns
clusterIP: 10.0.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
protocol: TCP
- name: metrics
port: 9153
protocol: TCP
#############################注意#####################################3
#212行 clusterIP: __DNS__SERVER__
修改后clusterIP: 10.0.0.2 #此为kubelet-config.yml中的clusterDNS地址
kubectl apply -f coredns.yaml
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5ffbfd976d-j6shb 1/1 Running 0 32s
kube-flannel-ds-amd64-2pc95 1/1 Running 0 38m
kube-flannel-ds-amd64-7qhdx 1/1 Running 0 15m
kube-flannel-ds-amd64-99cr8 1/1 Running 0 26m
DNS解析测试:
kubectl run -it --rm dns-test --image=busybox:1.28.4 sh
If you don't see a command prompt, try pressing enter.
/ # nslookup kubernetes
Server: 10.0.0.2
Address 1: 10.0.0.2 kube-dns.kube-system.svc.cluster.local
Name: kubernetes
Address 1: 10.0.0.1 kubernetes.default.svc.cluster.local
6.3:打标签
kubectl taint nodes k8s-master1 node-role.kubernetes.io/control-plane=:NoSchedule #为某个节点打上不可调度的标签
七:部署metrics-server
7.1:下载metrics-server文件
wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml
7.2:修改配置文件
image: registry.aliyuncs.com/google_containers/metrics-server-amd64:v0.3.6 #修改为阿里云的镜像地址
args:
- --cert-dir=/tmp
- --secure-port=4443
- /metrics-server #新增
- --kubelet-preferred-address-types=InternalIP #新增
- --kubelet-insecure-tls #新增
ubernetes部署metrics-server后执行kubectl top pod或kubectl top node报错
Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io)
二进制部署Kubernetes安装metrics-server遇到的问题_kubernetes
一、问题检查步骤:
1.1、查看metrics-server服务日志
Cluster doesn't provide requestheader-client-ca-file in configmap/extension-apiserver-authentication in kube-system, so request-header client certificate authentication won't work.
1.2、检查是否配置了以下参数
args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-insecure-tls=true
- --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,externalDNS
metrics-server服务配置是没有问题的,但服务依然报错 Error from server (ServiceUnavailable): the server is currently unable to handle the request (get pods.metrics.k8s.io),有两种方法可以解决问题
1、授权集群角色给用户system:anonymous
kubectl create clusterrolebinding system:anonymous --clusterrole=cluster-admin --user=system:anonymous
2、创建system:metrics-server角色并授权
二、问题解决(创建system:metrics-server角色并授权)
配置metrics-server证书
# vim metrics-server-csr.json
{
"CN": "system:metrics-server",
"hosts": [],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "BeiJing",
"L": "BeiJing",
"O": "k8s",
"OU": "system"
}
]
}
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes metrics-server-csr.json | cfssljson -bare metrics-server
配置metrics-server RBAC授权
cat > auth-metrics-server.yaml << EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:auth-metrics-server-reader
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-server:system:auth-metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-metrics-server-reader
subjects:
- kind: User
name: system:metrics-server
namespace: kube-system
EOF
kube-apiserver添加metrics-server需要的配置
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem \
--requestheader-allowed-names=aggregator,metrics-server \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-group-headers=X-Remote-Group \
--requestheader-username-headers=X-Remote-User \
--proxy-client-cert-file=/opt/kubernetes/ssl/metrics-server.pem \
--proxy-client-key-file=/opt/kubernetes/ssl/metrics-server-key.pem
[root@k8s-master1 k8s]# kubectl top pod -A
NAMESPACE NAME CPU(cores) MEMORY(bytes)
kube-system calico-kube-controllers-7b5bcff94c-n5qmv 1m 28Mi
kube-system calico-node-np7x8 42m 108Mi
kube-system calico-node-pgb9c 43m 121Mi
kube-system calico-node-r4skv 41m 102Mi
kube-system coredns-5cf6c68f7f-mjhk6 4m 11Mi
kube-system metrics-server-57fcddf496-p8z9j 2m 11Mi
kubernetes-dashboard dashboard-metrics-scraper-694557449d-wbfhr 1m 9Mi
kubernetes-dashboard kubernetes-dashboard-9774cc786-v69r7 1m 13Mi
7.3:安装
kubectl apply -f components.yaml
7.4:查看
7.5:查看node/pod指标数据
7.6:编写HPA
[root@k8s-master hpa]# cat fronted.yaml
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: hpa-nginx
namespace: nginx-fronted
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: nginx-fronted
minReplicas: 2
maxReplicas: 5
targetCPUUtilizationPercentage: 50 #当Deployment中nginx-fronted pod的CPU利用率超过50%,则增加pod为5个
7.7:测试HPA
ab -c100 -n1000000 http://192.168.3.215:30083/ #ab 压测并发100 请求1000000
7.7.1:当pod的CPU利用率超过50%后
7.7.1.1:会加3个pod
7.7.2:当pod的CPU利用率降低到50%以下,会缩减pod
八:部署ingress-controller,实现域名访问
8.1:下载ingress-controller包
wget https://github.com/kubernetes/ingress-nginx/archive/refs/tags/nginx-0.20.0.zip
实际上,Ingress相当于一个7层的负载均衡器,是kubernetes对反向代理的一个抽象,它的工作原理类似于Nginx,可以理解成在Ingress里建立诸多映射规则,Ingress Controller通过监听这些配置规则并转化成Nginx的配置,然后对外部提供服务。在这里有两个核心概念:
Ingress: Kubernetes中的一个对象,作用是定义请求如何转发到service的规则
ingress controller:具体实现反向代理及负载均衡的程序,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx,Contour,Haproxy等等
ingress(以nginx为例)的工作原理如下:
1,用户编写ingress规则,说明哪个域名对应kubernetes集群中的哪个service
2,Ingress控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置
3,Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
4,到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则
8.2:修改配置文件
cat with-rbac.yaml
8.3:部署响应的组件
kubectl apply -f namespace.yaml -f configmap.yaml -f default-backend.yaml -f rbac.yaml -f with-rbac.yaml
8.4:查看响应组件是否正常
8.5:编写文件测试
[root@k8s-master ingress]# cat fronted-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: fronted-ingress
namespace: nginx-fronted
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: www.gf.com
http:
paths:
- path: /
backend:
serviceName: nginx-fronted-svc
servicePort: 80
lizationPercentage: 50 #当Deployment中nginx-fronted pod的CPU利用率超过50%,则增加pod为5个
### 7.7:测试HPA
ab -c100 -n1000000 http://192.168.3.215:30083/ #ab 压测并发100 请求1000000
### 7.7.1:当pod的CPU利用率超过50%后
[外链图片转存中...(img-f4SgOmip-1718675215342)]
#### 7.7.1.1:会加3个pod
[外链图片转存中...(img-hqXc4J9l-1718675215342)]
### 7.7.2:当pod的CPU利用率降低到50%以下,会缩减pod
[外链图片转存中...(img-V5sb0Jb4-1718675215343)]
# 八:部署ingress-controller,实现域名访问
## 8.1:下载ingress-controller包
**wget https://github.com/kubernetes/ingress-nginx/archive/refs/tags/nginx-0.20.0.zip**
```python
实际上,Ingress相当于一个7层的负载均衡器,是kubernetes对反向代理的一个抽象,它的工作原理类似于Nginx,可以理解成在Ingress里建立诸多映射规则,Ingress Controller通过监听这些配置规则并转化成Nginx的配置,然后对外部提供服务。在这里有两个核心概念:
Ingress: Kubernetes中的一个对象,作用是定义请求如何转发到service的规则
ingress controller:具体实现反向代理及负载均衡的程序,对ingress定义的规则进行解析,根据配置的规则来实现请求转发,实现方式有很多,比如Nginx,Contour,Haproxy等等
ingress(以nginx为例)的工作原理如下:
1,用户编写ingress规则,说明哪个域名对应kubernetes集群中的哪个service
2,Ingress控制器动态感知Ingress服务规则的变化,然后生成一段对应的Nginx反向代理配置
3,Ingress控制器会将生成的Nginx配置写入到一个运行着的Nginx服务中,并动态更新
4,到此为止,其实真正在工作的就是一个Nginx了,内部配置了用户定义的请求转发规则
[外链图片转存中…(img-n5yGtWcs-1718675215343)]
8.2:修改配置文件
cat with-rbac.yaml
[外链图片转存中…(img-jttm2Qi2-1718675215343)]
8.3:部署响应的组件
kubectl apply -f namespace.yaml -f configmap.yaml -f default-backend.yaml -f rbac.yaml -f with-rbac.yaml
8.4:查看响应组件是否正常
[外链图片转存中…(img-8rq8s2QF-1718675215343)]
8.5:编写文件测试
[root@k8s-master ingress]# cat fronted-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: fronted-ingress
namespace: nginx-fronted
annotations:
kubernetes.io/ingress.class: "nginx"
spec:
rules:
- host: www.gf.com
http:
paths:
- path: /
backend:
serviceName: nginx-fronted-svc
servicePort: 80
想要文档的可以联系作者