更多干货
三种方式
minikube、microk8s、kubeadm
除了以上方式,甚至有以安装二进制文件的方式安装的。参看文档
从安装的服务来看,k8s 单节点必要的服务包括:
- 容器运行时: 默认是 Docker
- etcd: key-value 存储服务,用于保存集群的状态
- kube-apiserver: 集群资源操作的唯一入口,并提供认证、授权、访问控制、API 注册和发现等机制
- kube-controller-manager: 维护集群的状态,比如故障检测、自动扩展、滚动更新等
- kube-scheduler: 负责资源的调度,按照预定的调度策略将 Pod 调度到相应的机器上
- kubelet: 负责维持容器的生命周期,同时也负责 Volume(CVI)和网络(CNI)的管理
- kube-proxy: 负责为 Service 提供 cluster 内部的服务发现和负载均衡
无论以何种方式安装 k8s, 都需要注意安全问题, 因为在 k8s 的设计中, Master 节点是不会暴露到外网的,用户服务都会安装到 Worker 节点,但是在单节点的情况下,k8s 所监听的端口都没有设防,容器的权限也有可能过大,这些安全问题在 minikube 的文档中也有提到, 需要对网络端口设置 iptables 限制可访问的 IP 等方式来提升安全性,如果是安全性敏感的项目,建议放弃单节点 k8s 的方案。
都是走的国内镜像源
关闭 selinux
setenforce 0 #实时动态关闭 selinux
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config #禁止重启后自动开启关闭交换分区
swapoff -a #实时动态关闭交换分区
sed -i '/ swap / s/^/#/' /etc/fstab #禁止重启后自动开启网络配置文件
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
modprobe br_netfilter #执行该命令 如果不执行就会在应用k8s.conf时出现加载错误
sysctl -p /etc/sysctl.d/k8s.conf #应用配置文件
yum换国内源
cd /etc/yum.repos.d && \
sudo mv CentOS-Base.repo CentOS-Base.repo.bak && \
sudo wget -O CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo && \
yum clean all && \
yum makecache配置k8s资源的下载地址
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF安装依赖
yum install -y docker kubelet kubeadm kubectldocker换源
mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://registry.docker-cn.com"]
}
EOF
service docker restart开机启动
systemctl disable firewalld.service && systemctl stop firewalld.service
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet下载k8s依赖镜像
获取依赖的镜像
kubeadm config images list国内用户通过阿里云镜像下载k8s依赖组件
kubeadm config images list |sed -e 's/^/docker pull /g' -e 's#k8s.gcr.io#registry.cn-hangzhou.aliyuncs.com/google_containers#g' |sh -x
docker images |grep registry.cn-hangzhou.aliyuncs.com/google_containers |awk '{print "docker tag ",$1":"$2,$1":"$2}' |sed -e 's#registry.cn-hangzhou.aliyuncs.com/google_containers#k8s.gcr.io#2' |sh -x
docker images |grep registry.cn-hangzhou.aliyuncs.com/google_containers |awk '{print "docker rmi ", $1":"$2}' |sh -x主节点初始化
Kubernetes v1.16.2
kubeadm init --kubernetes-version=1.16.3执行成功后出现
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.31.120:6443 --token 6nelb5.lrc5qbs0k3v64eln \
--discovery-token-ca-cert-hash sha256:c55a113114d664133685430a86f2e39f40e9df6b12ad3f4d65462fd372079e97 执行:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/confignode节点启动
kubeadm join 192.168.31.120:6443 --token 6nelb5.lrc5qbs0k3v64eln \
--discovery-token-ca-cert-hash sha256:c55a113114d664133685430a86f2e39f40e9df6b12ad3f4d65462fd372079e97 就是初始化后的最后一条命令
主节点执行:
[root@localhost ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
localhost.localdomain NotReady master 40m v1.14.3
miwifi-r3-srv NotReady <none> 3m48s v1.14.3状态还是notReady
查看文档 https://kubernetes.io/docs/co...
这里选了 weave 插件文档: https://www.weave.works/docs/...
执行命令
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
稍微等几分钟就可以看到正常了
[root@localhost ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
localhost.localdomain Ready master 49m v1.14.3
miwifi-r3-srv Ready <none> 12m v1.14.3kubeadm token 过期的情况
kubeadm join 用到的token有效期是24h
生成 token, 查看token
$ kubeadm token create
rugi2c.bb97e7ney91bogbg
$ kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
rugi2c.bb97e7ney91bogbg 23h 2019-06-18T22:28:11+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
生成证书
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'新token加入
kubeadm join 192.168.31.120:6443 --token rugi2c.bb97e7ney91bogbg \
--discovery-token-ca-cert-hash sha256:c55a113114d664133685430a86f2e39f40e9df6b12ad3f4d65462fd372079e97部署仪表盘
主节点操作
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
这里只需要修改image的地址为国内阿里云的不然翻墙不了会下载不成功 registry.cn-beijing.aliyuncs.com/minminmsn/kubernetes-dashboard:v1.10.1
NodePort模式需要修改镜像地址和type: NodePort
vim kubernetes-dashboard.yaml
spec:
containers:
- name: kubernetes-dashboard
image: registry.cn-beijing.aliyuncs.com/minminmsn/kubernetes-dashboard:v1.10.1
spec:
type: NodePort #增加type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 31620 #增加nodePort: 31620
selector:
k8s-app: kubernetes-dashboard
这里把官方的改成阿里云的镜像地址registry.cn-beijing.aliyuncs.com/minminmsn/kubernetes-dashboard:v1.10.1
修改如上文件,增加如下配置:
type: NodePort # 添加Service的type为NodePort
nodePort: 31000 # 添加映射到虚拟机的端口,k8s只支持30000以上的端口
访问dashboard有以下几种方式访问dashboard:
- Nodport方式访问dashboard,service类型改为NodePort
- loadbalacer方式,service类型改为loadbalacer
- Ingress方式访问dashboard
- API server方式访问 dashboard
- kubectl proxy方式访问dashboard
官方参考文档:
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui
修改完成创建服务pod
[root@node03 bin]# kubectl create -f kubernetes-dashboard.yaml
secret/kubernetes-dashboard-certs created
serviceaccount/kubernetes-dashboard created
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
deployment.apps/kubernetes-dashboard created
service/kubernetes-dashboard created
查看运行状态
[root@node03 bin]# kubectl get pods --all-namespaces -o wide | grep dashboard
kube-system kubernetes-dashboard-77fd78f978-bkm9r 1/1 Running 0 37m 10.244.1.4 node04 <none>
常见异常处理:
Terminating或者Pending时删除当前pod
kubectl delete pod kubernetes-dashboard-57df4db6b-lcj24 -n kube-system
如下异常时
Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": secrets "kubernetes-dashboard-certs" already exists
Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": serviceaccounts "kubernetes-dashboard" already exists
Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": roles.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" already exists
Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": rolebindings.rbac.authorization.k8s.io "kubernetes-dashboard-minimal" already exists
处理如下,卸载之前安装的内容
kubectl delete -f kubernetes-dashboard.yaml
继续进行,查看service,TYPE类型已经变为NodePort,端口为31000
kubectl get service -n kube-system | grep dashboard
kubernetes-dashboard NodePort 10.98.190.246 <none> 443:31000/TCP 99s
https://192.168.111.128:31620/如访问提示了证书错误NET::ERR_CERT_INVALID
原因是由于物理机的浏览器证书不可用。我们可以生成一个私有证书或者使用公有证书,下面开始配置证书。
查看kubernetes-dashboard 容器跑在哪台node节点上 kubectl get pod -n kube-system -o wide
查看kubernetes-dashboard容器IDdocker ps | grep dashboard
查看kubernetes-dashboard容器certs所挂载的宿主主机目录
docker inspect -f {{.Mounts}} 384d9dc0170b私有证书配置,生成dashboard证书
openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
openssl req -new -key dashboard.key -out dashboard.csr
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt将生成的dashboard.crt dashboard.key放到certs对应的宿主主机souce目录如:
/var/lib/kubelet/pods/966bda12-95f2-4605-b295-e9ac0e3294dc/volumes/kubernetes.io~secret/kubernetes-dashboard-certs重启kubernetes-dashboard容器
docker restart xxxxx获取登陆令牌
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
获取输出的token粘贴复制到kubernetes-dashboard登陆页面获取授权
命令
kubeadm init --kubernetes-version=1.16.2
kubectl get nodes
kubectl create -f kubernetes-dashboard.yaml
kubectl apply -f hack/kubernetes --clusterrole=cluster-admin --group=system:serviceaccounts
kubectl delete -f hack/kubernetes
kubectl get pods --all-namespaces -o wide | grep dashboard
kubectl get service -n default | grep wayne*
kubectl get services --all-namespaces
kubectl describe pod mysql-wayne-77bbcf9bf9-ngpqd -n default
kubectl get svc -n kube-system
dashboard 相关
```
docker ps | grep dashboard
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
kubectl get secret -n kube-system |grep dashboard-serviceaccount-token
kubectl describe secret dashboard-serviceaccount-token-6z42h -n kube-system
```
查看kubelet的输出日志信息:
```
tail -f /var/log/messages
journalctl -f -u kubelet
```
参照安装文档:
https://kuboard.cn/install/install-k8s.html#%E6%96%87%E6%A1%A3%E7%89%B9%E7%82%B9
https://www.bookstack.cn/read/Wayne/4.md
linux 实现centos7在线升级最新版本内核
1507
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
