Setting up Kubernetes on CentOS 7

Related posts:

k8s basics

Installing k8s on CentOS 7

CentOS 7 k8s installation and deployment

Installing kubernetes k8s v1.16.0 on centos7 (China network environment)

This walkthrough was done on CentOS 7.

Overview


System environment

OS               Kernel                       Docker    IP               Hostname            Spec
CentOS 7.3.1611  3.10.0-514.26.2.el7.x86_64   19.03.12  192.168.133.120  k8s-centos7-master  2 cores, 2 GB
CentOS 7.3.1611  3.10.0-514.26.2.el7.x86_64   19.03.12  192.168.133.121  k8s-centos7-node1   2 cores, 2 GB

Make sure each machine has at least 2 CPU cores and 2 GB of RAM; kubeadm's preflight checks refuse to initialize a control plane on less.

Preparation

1. Stop the firewall

systemctl stop firewalld
systemctl disable firewalld

This is the lab shortcut. On a host that has to keep firewalld, open only the ports kubeadm and the CNI plugin need instead: 6443, 2379-2380 and 10250-10252 on the master, 10250 and 30000-32767 on the workers, plus 179/tcp (BGP) and IP-in-IP for the Calico setup used below.

2. Disable SELinux

# temporary, for the running session
setenforce 0
# permanent, takes effect after a reboot
vim /etc/selinux/config    # or edit /etc/sysconfig/selinux, which is a symlink to the same file
SELINUX=disabled

kubeadm requires SELinux to be permissive or disabled so that containers (the pod network in particular) can access the host filesystem. permissive still records denials in the audit log and is the mode the kubeadm documentation uses; disabled is what this post uses.

3. Create the k8s.conf sysctl file

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

sysctl --system

These two keys only exist once the br_netfilter kernel module is loaded (modprobe br_netfilter; check with lsmod | grep br_netfilter). Without them, traffic between pods on the same Linux bridge bypasses iptables, so kube-proxy's service rules never see it.

4. Turn off swap

# temporary, lost on reboot
swapoff -a

The kubelet refuses to start while swap is enabled, so also comment out the swap entry in /etc/fstab; otherwise the node does not come back after a reboot.

5. Install Docker

Not repeated here; see:

https://www.cnblogs.com/xiao987334176/p/11771657.html

6. Set the hostname

kubeadm registers each machine under its hostname, so use the names from the table above (the kubectl output later in this post shows them): k8s-centos7-master on the master and k8s-centos7-node1 on the worker.

hostnamectl set-hostname k8s-centos7-master
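The six preparation steps as one script, added here as an example (it is not part of the original post). It differs from the steps above in two ways a practitioner cares about: the swap and SELinux changes are made permanent instead of lasting only until the next reboot, and instead of stopping firewalld it prints an allowlist of just the ports a node of the given role needs (the kubeadm "required ports" table for this release plus Calico's BGP port and IP-in-IP). The function names and the apply_prep wrapper are my own; apply_prep has to run as root on a real CentOS 7 host, the text-processing functions run anywhere.

```shell
#!/bin/sh
# Added example; not part of the original post. Assumes CentOS 7 with firewalld and
# GNU sed/awk. apply_prep must run as root on the target machine.

# Comment out active swap entries in an fstab stream (stdin -> stdout) so the kubelet
# still starts after a reboot; 'swapoff -a' alone only lasts until then.
fstab_disable_swap() {
  sed -E '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/'
}

# Rewrite the SELINUX= line of /etc/selinux/config (stdin -> stdout) to the given mode.
# kubeadm needs 'permissive' or 'disabled'; permissive still logs denials to audit.log.
selinux_set_mode() {
  sed -E "s/^SELINUX=.*/SELINUX=$1/"
}

# Print the firewalld commands that open only what a node of the given role needs,
# instead of disabling firewalld. Ports: kubeadm required-ports table (v1.16),
# plus 179/tcp (BGP) and IP-in-IP (IP protocol 4) for the Calico manifest used here.
k8s_firewall_rules() {
  case "$1" in
    master) ports="6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 179/tcp" ;;
    worker) ports="10250/tcp 30000-32767/tcp 179/tcp" ;;
    *) echo "usage: k8s_firewall_rules master|worker" >&2; return 1 ;;
  esac
  for p in $ports; do
    echo "firewall-cmd --permanent --add-port=$p"
  done
  echo "firewall-cmd --permanent --add-protocol=ipip"
  echo "firewall-cmd --reload"
}

# Apply everything on a real host (root). $1: master|worker  $2: hostname
apply_prep() {
  role=$1; host=$2
  k8s_firewall_rules "$role" | sh
  setenforce 0
  selinux_set_mode permissive < /etc/selinux/config > /etc/selinux/config.new \
    && mv /etc/selinux/config.new /etc/selinux/config
  swapoff -a
  fstab_disable_swap < /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
  echo br_netfilter > /etc/modules-load.d/k8s.conf   # load the module on every boot
  modprobe br_netfilter
  printf 'net.bridge.bridge-nf-call-ip6tables = 1\nnet.bridge.bridge-nf-call-iptables = 1\n' \
    > /etc/sysctl.d/k8s.conf
  sysctl --system
  hostnamectl set-hostname "$host"
}
```

Usage on the master would be apply_prep master k8s-centos7-master, and on the worker apply_prep worker k8s-centos7-node1; review the output of k8s_firewall_rules first if the hosts run anything else that listens on the network.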

Installation methods

yum install: simplest; the CentOS extras repository ships the ancient 1.5.2.

Build from source: hardest (expert level), needs a Go toolchain.

Binary install: most tedious, every component, certificate and unit file by hand.

kubeadm: the official installer (needs network access). Only the kubelet runs as a host binary; every other control-plane component runs as a container (static pod).

minikube: single node, only for trying things out.

Install kubeadm, kubelet and kubectl

Install kubeadm, kubelet and kubectl on every node.

Switch the yum repository to the Aliyun mirror of the upstream Kubernetes repo. gpgcheck and repo_gpgcheck stay enabled, so packages and repository metadata are still signature-checked; note that the keys themselves are fetched from the same mirror, so the check only proves the mirror is self-consistent unless you compare them with the upstream keys.

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

The version installed is 1.16.0. Pin all three packages to the same release; a bare yum install would pull the newest packages, and kubeadm init below asks for v1.16.0 explicitly.

yum install -y kubectl-1.16.0-0 kubeadm-1.16.0-0 kubelet-1.16.0-0

Then enable the kubelet service (systemctl enable kubelet) so kubeadm can start it. It restarts in a loop until kubeadm init or kubeadm join has written its configuration; that is expected.

Initialize k8s

The command below pulls the Docker images the control plane needs. Because the Google registry is not reachable from China, it uses the Aliyun mirror via --image-repository. --apiserver-advertise-address must be an IP the master and the nodes can reach each other on (your master's own IP); it ends up in the API server certificate and in the join address. --pod-network-cidr has to match the CIDR the CNI plugin is configured with later (10.244.0.0/16 for the Calico manifest below). The command sits at "[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'" for about two minutes while the images download; be patient.

--token-ttl 0 makes the bootstrap token never expire. That is convenient in a lab, but anyone who obtains the token (and the CA hash) can join a node to the cluster indefinitely. The default TTL is 24 hours, and a fresh token can be created later with kubeadm token create, so consider leaving the flag out.

# Pulls the control-plane images; afterwards they are visible with docker images
kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.16.0 --apiserver-advertise-address <master-ip> --pod-network-cidr=10.244.0.0/16 --token-ttl 0

When init finishes it prints the commands below; run them as the user who will use kubectl. This copies the cluster-admin kubeconfig, so guard $HOME/.kube/config like a root password.

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubeadm also prints a join command like the one below; run it on each worker node. --discovery-token-ca-cert-hash pins the cluster CA's public key, so a worker refuses to join an API server that presents a different CA; the token alone would not protect against that.

kubeadm join 192.168.133.120:6443 --token sgqu2a.9ge9zjfat41rtllf \
    --discovery-token-ca-cert-hash sha256:e2bd723807dcd8092c5fffc1e4e27b303fde044a01a0547a9dce8d8718f58b4d
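Two helpers for the join step, added here as an example (they are not from the post or from kubeadm): one recomputes the CA hash from the master's ca.crt so a join command received out of band can be checked before it is run, the other replaces the never-expiring token from --token-ttl 0 with a one-hour token. The function names are mine; ca_cert_hash is the openssl pipeline the kubeadm documentation gives for --discovery-token-ca-cert-hash. It assumes openssl is installed, and rotate_join_token assumes it runs as root on the control-plane node.

```shell
#!/bin/sh
# Added example; not part of the original post or of kubeadm. Assumes openssl in PATH;
# rotate_join_token assumes root on the control-plane node (/etc/kubernetes/pki/ca.crt).

# Hash of the cluster CA public key in the form kubeadm join expects for
# --discovery-token-ca-cert-hash (the pipeline documented by kubeadm). $1: path to ca.crt
ca_cert_hash() {
  openssl x509 -pubkey -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //; s/^/sha256:/'
}

# Check that the hash a worker was handed belongs to this CA. $1: ca.crt  $2: hash
# (e.g. sha256:e2bd...). A mismatch means the join command is stale or was tampered with.
verify_join_hash() {
  [ "$(ca_cert_hash "$1")" = "$2" ]
}

# Replace a bootstrap token created with --token-ttl 0 (never expires) by a short-lived one.
# Not run by the tests: needs kubeadm and a running control plane.
rotate_join_token() {
  old=$1                                   # token to revoke, as shown by 'kubeadm token list'
  kubeadm token create --ttl 1h --print-join-command   # complete join command, valid for 1h
  [ -n "$old" ] && kubeadm token delete "$old"
}
```

On the master, verify_join_hash /etc/kubernetes/pki/ca.crt sha256:e2bd... returns 0 only for the hash printed by kubeadm init; rotate_join_token sgqu2a.9ge9zjfat41rtllf would print a replacement join command and then revoke the permanent token from the output above.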

Install Calico

Calico provides secure network connectivity for containers and virtual-machine workloads.

Calico creates and manages a flat layer-3 network and assigns every workload a fully routable IP address. Workloads communicate without IP encapsulation or NAT, which gives bare-metal performance, simpler troubleshooting and better interoperability. Where an overlay is required, Calico offers IP-in-IP tunnelling, or it can be combined with another overlay such as flannel.

Calico also supports dynamic configuration of network security rules. With its simple policy language you get fine-grained control over communication between containers, VM workloads and bare-metal hosts.

Download the manifest

wget https://docs.projectcalico.org/v3.10/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

Change the pod CIDR (CALICO_IPV4POOL_CIDR) from the manifest default 192.168.0.0/16 to the 10.244.0.0/16 that was passed to kubeadm init, so that Calico allocates pod addresses from the range the cluster was told about:

sed -i 's/192.168.0.0/10.244.0.0/g' calico.yaml

Apply Calico

kubectl apply -f calico.yaml

Wait a few minutes and make sure every pod is Running:

[root@localhost dashboard]# kubectl get pod --all-namespaces -o wide
NAMESPACE     NAME                                         READY   STATUS    RESTARTS   AGE   IP               NODE                 NOMINATED NODE   READINESS GATES
kube-system   calico-kube-controllers-7994b948dd-7dgd8     1/1     Running   0          18h   10.244.231.194   k8s-centos7-master   <none>           <none>
kube-system   calico-node-7zhz9                            1/1     Running   0          18h   10.0.2.15        k8s-centos7-node1    <none>           <none>
kube-system   calico-node-dv8vz                            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   coredns-58cc8c89f4-npwwb                     1/1     Running   0          18h   10.244.231.195   k8s-centos7-master   <none>           <none>
kube-system   coredns-58cc8c89f4-sdcfr                     1/1     Running   0          18h   10.244.231.193   k8s-centos7-master   <none>           <none>
kube-system   etcd-k8s-centos7-master                      1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-apiserver-k8s-centos7-master            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-controller-manager-k8s-centos7-master   1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-proxy-chsc7                             1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-proxy-kf6xb                             1/1     Running   0          18h   10.0.2.15        k8s-centos7-node1    <none>           <none>
kube-system   kube-scheduler-k8s-centos7-master            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>

Result

[root@localhost dashboard]# kubectl get nodes
NAME                 STATUS   ROLES    AGE   VERSION
k8s-centos7-master   Ready    master   18h   v1.16.0
k8s-centos7-node1    Ready    <none>   18h   v1.16.0


Install the Dashboard (updated 2020-08-26)

Dashboard site

Kubernetes - using kubectl proxy

Kubernetes Dashboard

Installing the dashboard on kubernetes 1.13

The dashboard.yaml below is taken from the kubernetes/dashboard repository on GitHub; the comments mark the lines changed for this setup (the Service type and node port).

dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # Changed to NodePort so the Dashboard is reachable from outside the cluster
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # Fixed node port 30001
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # The Dashboard's own ServiceAccount only needs the metrics ClusterRole defined above;
  # what a user may see is decided by the token they log in with, which the Dashboard
  # forwards to the API server. The original binding here granted cluster-admin to a
  # ServiceAccount "kubernetes-dashboard" in kube-system, which this manifest does not
  # create (the ServiceAccount lives in the kubernetes-dashboard namespace).
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # Check the available tags on Docker Hub first
          image: kubernetesui/dashboard:v2.0.3
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}

A few things to watch:

  • image: kubernetesui/dashboard:v2.0.3. Check the tags on Docker Hub first; otherwise docker pull may fail for a tag that no longer exists.

  • The Service is a NodePort, so port 30001 on every node answers to anyone who can reach the node network. Logging in still requires a token or kubeconfig, but the TLS certificate is self-signed (--auto-generate-certificates) and the port is not firewalled in this setup, so keep it off untrusted networks or put it behind an ingress that terminates TLS with a real certificate.

If you instead run kubectl proxy (started with --address so it listens on the master's IP at all) and open http://<master-ip>:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/ from another machine, the login page loads but logging in fails: the Dashboard only accepts logins over plain HTTP from localhost/127.0.0.1; from any other address it requires HTTPS. For access from another host you therefore need a different route.

So this post goes through the API server instead. Recent k8s versions enable RBAC by default and give unauthenticated requests the identity system:anonymous, which has no rights to the Dashboard's proxy path, so the browser has to authenticate.

The API server authenticates with client certificates, so we need one in the browser:

  1. Locate the kubectl configuration file, /etc/kubernetes/admin.conf by default, already copied to $HOME/.kube/config above.
  2. Extract client-certificate-data and client-key-data from it and bundle them into a PKCS#12 file:

# client certificate (write, do not append, so re-running does not produce a corrupt file)
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt

# client key
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key

# PKCS#12 bundle; openssl prompts for an export password, which the browser asks for on import
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"

This leaves kubecfg.p12 in the current directory; import it into Chrome. Treat the .p12, and the kubecfg.key left on disk (delete it once the bundle exists), like admin.conf itself: the certificate's subject is in the system:masters group, which bypasses RBAC entirely, and Kubernetes has no certificate revocation, so a leaked copy can only be invalidated by rotating the cluster CA.

Manual import:

Menu - Settings - Advanced - Manage certificates



On success Chrome reports "Import successful"; then restart Chrome.

Open https://<node-ip>:30001/ (the NodePort Service above). The Dashboard's self-signed certificate triggers a browser warning; confirm it. The client certificate is only needed if you go through the API server instead, at https://<master-ip>:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/, where the browser prompts for it.


Create a login account: a file named dashboard-adminuser.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system

kubectl create -f dashboard-adminuser.yaml

This binds the account to cluster-admin, which is what the upstream Dashboard quick start does; the token printed below is therefore a full cluster credential. For anyone who should only look, bind a narrower ClusterRole (the built-in view) or a namespaced RoleBinding instead.
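Two additions around the binding above, my own and not the post's: a manifest for a read-only Dashboard login bound to the built-in view ClusterRole, and a small awk check that lists every ClusterRoleBinding to cluster-admin together with the ServiceAccount it targets, so that dashboard.yaml and dashboard-adminuser.yaml can be audited before they are applied. It flags, for instance, a binding of cluster-admin to ServiceAccount kubernetes-dashboard in kube-system, the kind of binding older Dashboard tutorials carry. dashboard-viewer is an assumed account name; the check understands ServiceAccount subjects in the layout kubectl and this post use, nothing more.

```shell
#!/bin/sh
# Added example; not part of the original post. The two functions need only sh and awk;
# the kubectl commands in the comments assume access to the cluster.

# Manifest for a read-only Dashboard login: a ServiceAccount bound to the built-in
# 'view' ClusterRole (no secrets, no exec, no writes). $1: account name.
dashboard_viewer_manifest() {
  sa=${1:-dashboard-viewer}
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: kubernetes-dashboard
EOF
}

# Read a multi-document manifest on stdin and print, for every ClusterRoleBinding whose
# roleRef is cluster-admin, its ServiceAccount subjects as name@namespace.
# Prints nothing when there is no such binding.
find_cluster_admin_bindings() {
  awk '
    function flush() {
      if (crb && admin) print "cluster-admin bound to:" subs
      crb = 0; admin = 0; insub = 0; subs = ""; sname = ""; sns = ""
    }
    /^---/                                  { flush(); next }
    /^kind: ClusterRoleBinding/             { crb = 1 }
    !insub && /^ *name: cluster-admin( |$)/ { admin = 1 }
    /^ *- *kind: ServiceAccount/            { insub = 1 }
    insub && /^ *name: /                    { sname = $2 }
    insub && /^ *namespace: /               { sns = $2; subs = subs " " sname "@" sns; insub = 0 }
    END                                     { flush() }
  '
}

# Typical use (not run by the tests):
#   find_cluster_admin_bindings < dashboard.yaml
#   dashboard_viewer_manifest | kubectl apply -f -
#   kubectl auth can-i --list --as=system:serviceaccount:kubernetes-dashboard:dashboard-viewer
```

The last command shows what the viewer token will actually be allowed to do; the Dashboard enforces nothing itself, it only forwards the token, so the API server's answer is the one that counts.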

Print the token

[root@k8s-centos7-master dashboard]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

# Check that the Name really is the admin-user token; the grep matches any secret whose name contains "admin-user"
Name:         admin-user-token-cw64b
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: d8ac152d-3f51-494c-ae73-3bcc71d0b61d

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkpZWkRhZEpNVHhJWXlJOTVIcGRpSWRMZW14aG1BUzJtWlBRdnZ0Qy02SG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWN3NjRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkOGFjMTUyZC0zZjUxLTQ5NGMtYWU3My0zYmNjNzFkMGI2MWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.knGeN8E4lLmZGoWIGTYjUkfO-uggSuo2k_-7tZag1Vg1AvCmXy5Ot7BEozQ_jJYX8oYjbxWCy6mZyG3NgdfBTYvFsMaS9g-RHZPOXAQPct5DDVDvHS-F6IzE_OZP8W5XKDcNl5-RRoLTjphevTgi7AUZ6r3Bx_vvbOFC9-rz4aqBP7LJwUcSP-w8bQYtCQD8qjuKeh_a8WbqcXUIuk7PuTPttQcqXVy_Yvd15VG390sdjbwIS2ULwNrGFY5BrVNuUBKzxV1DhOLZnK6Qz9iB2AgUA0jjPACF943_fqgr-0OcCXyl_zSEYR0yYes6K8QX082vu88X6Rz9myuOL2IZrg
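Before a token like the one above is pasted into a browser it is worth looking at what it asserts. The helper below is added here (it is not from the post) and decodes the claims of a ServiceAccount token with nothing but base64, sed and awk. Decoding is not verification: only the API server, which holds the signing key, can check the signature, so use this to confirm which account and namespace a token belongs to, not to trust it. The function names are mine, and the token built in the test is constructed, with a dummy signature.

```shell
#!/bin/sh
# Added example; not part of the original post. Decodes the claims of a Kubernetes
# ServiceAccount token (a JWT) locally. Needs only base64, cut, sed, tr and awk.

# JWT segments are base64url without padding; restore '+/' and '=' so base64 -d accepts them.
b64url_decode() {
  tr -- '-_' '+/' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d
}

# $1: token -> the JSON claims (second segment)
jwt_payload() {
  printf '%s' "$1" | cut -d. -f2 | b64url_decode
}

# $1: token  $2: claim name -> its string value, empty if the claim is absent
jwt_claim() {
  jwt_payload "$1" | sed -n "s|.*\"$2\":\"\([^\"]*\)\".*|\1|p"
}

# Secret-based ServiceAccount tokens, the kind 'kubectl describe secret' prints, carry no
# 'exp' claim: they stay valid until the Secret is deleted. Say so explicitly.
jwt_describe() {
  tok=$1
  echo "subject:   $(jwt_claim "$tok" sub)"
  echo "namespace: $(jwt_claim "$tok" kubernetes.io/serviceaccount/namespace)"
  echo "secret:    $(jwt_claim "$tok" kubernetes.io/serviceaccount/secret.name)"
  if jwt_payload "$tok" | grep -q '"exp":'; then
    echo "expiry:    present"
  else
    echo "expiry:    none (long-lived; revoke by deleting the Secret named above)"
  fi
}
```

To inspect the token from the output above without copying it by hand: jwt_describe "$(kubectl -n kube-system get secret admin-user-token-cw64b -o jsonpath='{.data.token}' | base64 -d)". Deleting that Secret invalidates the token immediately; the controller then creates a new one for the ServiceAccount.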

Paste the token above into the browser's login page; after a successful login it looks like this:


>> Applying dashboard.yaml fails with: Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": secrets "kubernetes-dashboard-certs" already exists

A previous Dashboard deployment left its objects behind. Remove them with the same file (here saved as kubernetes-dashboard.yaml) and apply again; kubectl apply, unlike kubectl create, also tolerates objects that already exist:

kubectl delete -f kubernetes-dashboard.yaml