Introduction
Kubernetes (k8s for short) is an open-source system for deploying, scheduling, updating and maintaining containerized applications across a cluster of hosts. It orchestrates containers (Docker in this guide) and is commonly used to run microservice-style applications.
Environment
Two CentOS 7 virtual machines built in VirtualBox, each with 2 GB RAM and 2 CPUs (kubeadm's preflight check requires at least 2 CPUs on the control-plane node).
Node name | Node IP |
---|---|
master | 192.168.1.3 |
node01 | 192.168.1.4 |
Pre-install setup
Every node needs the configuration below unless noted otherwise; the master is shown as the example.
1. Disable firewalld
[root@master ~]# systemctl status firewalld #check status
[root@master ~]# systemctl stop firewalld #stop the firewall
[root@master ~]# systemctl disable firewalld #keep it off after reboot
This is a lab shortcut: it removes host filtering from every node. For anything beyond a test cluster keep firewalld running and open only what kubeadm and the CNI need: 6443/tcp (API server), 2379-2380/tcp (etcd), 10250/tcp (kubelet) and 10251-10252/tcp (scheduler and controller-manager, the 1.18 defaults) on the master; 10250/tcp and 30000-32767/tcp (NodePort range) on workers; plus the Calico data plane (179/tcp for BGP, and IP protocol 4 for the default IP-in-IP mode).
2. Disable SELinux
[root@master ~]# getenforce #check the current mode
[root@master ~]# setenforce 0 #switch to permissive until the next reboot
[root@master ~]# vim /etc/selinux/config #make it permanent
SELINUX=disabled
The kubeadm documentation only asks for permissive mode (SELINUX=permissive): that still logs AVC denials, which is useful later when tightening a node, and it is easier to re-enable. The relaxation is needed because pod networks and the kubelet access host paths that the default policy blocks.
3. Disable swap
[root@master ~]# free -m #check swap usage
[root@master ~]# swapoff -a #turn swap off now
[root@master ~]# sed -i.bak '/swap/s/^/#/' /etc/fstab #comment out the swap entries so it stays off after reboot (the original is kept as fstab.bak)
The kubelet refuses to start while swap is enabled (unless --fail-swap-on=false is set), so this must be done on every node.
4. Configure kernel parameters
[root@master ~]# modprobe br_netfilter #the bridge-nf sysctls only exist once this module is loaded
[root@master ~]# cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
[root@master ~]# sysctl --system
The bridge-nf settings make bridged pod traffic pass through iptables, so kube-proxy rules and NetworkPolicy apply to it; ip_forward is required for routing between pods on different nodes.
5. Use the Aliyun mirrors
5.1 docker
[root@master ~]# yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
docker-ce is the free Community Edition of Docker. (yum-config-manager is part of yum-utils, which is installed in the Docker section below; install that first if the command is missing.)
5.2 k8s
[root@master ~]# cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
Leave gpgcheck=1 and repo_gpgcheck=1 on: the mirror only relays packages and metadata, and the GPG signatures are what let yum detect a package or repository that has been altered in transit or on the mirror.
[root@master ~]# yum clean all
[root@master ~]# yum -y makecache
6. Set the hostname
6.1 Set the hostname
[root@master ~]# hostnamectl set-hostname master
[root@master ~]# hostname
master
If the prompt still shows the old name, log out and back in. Run hostnamectl set-hostname node01 on the worker; kubeadm registers each node under its hostname, so the names must be unique.
6.2 Edit the hosts file
[root@master ~]# cat >> /etc/hosts << EOF
192.168.1.3 master
192.168.1.4 node01
EOF
7. Passwordless SSH (master only)
This step is done only on the master. kubeadm itself never uses SSH; the key is a convenience for copying files to and running commands on node01 from the master.
[root@master ~]# ssh-keygen -t rsa #generate a key pair (ssh-keygen -t ed25519 gives a smaller, modern key)
[root@master ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.1.4 #install the public key on the worker
[root@master ~]# ssh 192.168.1.4 #test the login
8. Install commonly used packages
[root@master ~]# yum install vim bash-completion net-tools gcc -y
[root@master ~]# source /etc/profile.d/bash_completion.sh #enable bash completion in the current shell
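The settings from steps 1 to 8 are easy to get wrong on one node out of several, and a missed one only shows up later as a kubeadm preflight error or a NotReady node. The audit script below is an added example, not part of the original guide: it reads the same files the steps above modify (/etc/fstab, /etc/sysctl.d/k8s.conf, /etc/hosts, /proc/swaps, /proc/modules) and prints PASS or FAIL per setting. The script name k8s-preflight.sh and the firewalld query for 6443/tcp are choices made here; the file-based helpers take the file path as an argument so they can also be tried against constructed copies.

```shell
#!/bin/sh
# k8s-preflight.sh: audit the node settings from steps 1-8 before running
# kubeadm. Added example, not part of the original guide. Run as root on each
# node with the names of all cluster nodes:  sh k8s-preflight.sh master node01
# The file-based helpers take the file path as an argument so they can also
# be tried against constructed copies of /etc/fstab, k8s.conf and /etc/hosts.

# Number of fstab entries that would re-enable swap at boot: uncommented
# lines whose filesystem type (third field) is "swap".
fstab_active_swap_lines() {
    awk '$1 !~ /^#/ && $3 == "swap" { n++ } END { print n+0 }' "$1"
}

# Print each required sysctl key that is not set to 1 in the given file.
sysctl_missing_keys() {
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" 2>/dev/null || echo "$key"
    done
}

# 0 if the hosts file maps the given name (exact match) on an uncommented line.
hosts_resolves() {
    awk -v name="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) found = 1 } END { exit !found }' "$1"
}

# Active swap areas right now (the header line of /proc/swaps is skipped).
active_swap_count() {
    if [ -r /proc/swaps ]; then awk 'NR > 1 { n++ } END { print n+0 }' /proc/swaps; else echo 0; fi
}

# Running SELinux mode in lower case; "disabled" when SELinux is absent.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce | tr 'A-Z' 'a-z'; else echo disabled; fi
}

# check <description> <command...>: PASS/FAIL by the command's exit status.
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS $desc"; else echo "FAIL $desc"; FAILED=1; fi
}

run_audit() {
    FAILED=0
    check "no swap active (step 3)"              test "$(active_swap_count)" -eq 0
    check "no swap entry in /etc/fstab (step 3)" test "$(fstab_active_swap_lines /etc/fstab)" -eq 0
    check "SELinux not enforcing (step 2)"       test "$(selinux_mode)" != enforcing
    check "br_netfilter loaded (step 4)"         grep -qw br_netfilter /proc/modules
    check "k8s.conf sysctls present (step 4)"    test -z "$(sysctl_missing_keys /etc/sysctl.d/k8s.conf)"
    if systemctl is-active firewalld >/dev/null 2>&1; then
        # firewalld left on: at least the API server port must be reachable.
        check "firewalld allows 6443/tcp (step 1)" firewall-cmd --query-port=6443/tcp
    else
        check "firewalld inactive (step 1, lab setting)" true
    fi
    for n in "$@"; do
        check "/etc/hosts resolves $n (step 6)" hosts_resolves /etc/hosts "$n"
    done
    return "$FAILED"
}

# Run the audit only when executed as a script, not when sourced.
if [ "${0##*/}" = "k8s-preflight.sh" ]; then run_audit "$@"; fi
```

The script exits non-zero when any check fails, so it can be run from the master over the SSH key of step 7 against every node before kubeadm init or join.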
Install Docker
Docker must be installed on every node.
1. Install the dependencies
[root@master ~]# yum install -y yum-utils device-mapper-persistent-data lvm2
2. Install docker-ce
[root@master ~]# yum install docker-ce
This installs the latest version. To pin a specific version, list what is available first:
[root@master ~]# yum list docker-ce --showduplicates | sort -r
[root@master ~]# yum install docker-ce-18.09.9 docker-ce-cli-18.09.9 containerd.io -y
docker-ce-cli and containerd.io are dependencies of docker-ce. Pinning is preferable on a cluster: every node then runs the same runtime, and an unattended yum update cannot move nodes to a release the kubelet has not been validated against.
3. Start Docker
[root@master ~]# systemctl start docker
[root@master ~]# systemctl enable docker
4. Adjust the daemon configuration
[root@master ~]# mkdir -p /etc/docker
[root@master ~]# tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://v16stybc.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn"],
"exec-opts": ["native.cgroupdriver=systemd"],
"max-concurrent-downloads": 20,
"log-driver": "json-file",
"log-level": "warn",
"log-opts": {
"max-size": "100m",
"max-file": "3"
},
"data-root": "/var/lib/docker"
}
EOF
exec-opts sets the cgroup driver to systemd, which the Kubernetes docs recommend on systemd hosts: two cgroup managers on one node (cgroupfs for containers, systemd for everything else) make it less stable under resource pressure. registry-mirrors lists the pull mirrors, and log-opts caps per-container log size so a chatty container cannot fill the disk.
[root@master ~]# systemctl daemon-reload
[root@master ~]# systemctl restart docker
5. Other information
Some useful commands
[root@master ~]# docker version
[root@master ~]# docker info
[root@master ~]# docker --version
[root@master ~]# docker search hello-world
[root@master ~]# docker run hello-world
[root@master ~]# docker images
[root@master ~]# docker ps -a
[root@master ~]# docker rm -f `docker ps -aq` #removes every container, running ones included
[root@master ~]# docker rmi -f `docker images -qa` #removes every image
The last two are for cleaning up a test host; do not run them on a node that already runs cluster components.
6. Mirrors in China
Aliyun accelerator: https://cr.console.aliyun.com (register to get a personal mirror address)
NetEase accelerator: http://hub-mirror.c.163.com
Official China accelerator: https://registry.docker-cn.com
USTC mirror: https://docker.mirrors.ustc.edu.cn
daocloud: https://www.daocloud.io/mirror#accelerator-doc (registration required)
Qiniu accelerator: https://reg-mirror.qiniu.com
(The Tsinghua address https://pypi.tuna.tsinghua.edu.cn/simple that is often listed with these is a PyPI mirror, not a Docker registry mirror.) A mirror sits in the path of every image you pull, so prefer mirrors served over HTTPS and compare image digests (docker images --digests) with the upstream registry when it matters.
Install k8s
kubelet runs on every node in the cluster and starts Pods and containers.
kubeadm initializes and bootstraps the cluster.
kubectl is the command-line client for the API server; it deploys and manages applications, inspects resources, and creates, deletes and updates components (optional on worker nodes).
Install the same version on every node; the version skew policy allows older kubelets, but a single version is the simplest to reason about.
1. List the available versions
[root@master ~]# yum list kubelet --showduplicates | sort -r
2. Install kubelet, kubeadm and kubectl
Here I install all three on every node.
2.1 Install
[root@master ~]# yum install kubelet-1.18.3 kubeadm-1.18.3 kubectl-1.18.3
[root@master ~]# source <(kubectl completion bash) #kubectl tab completion for the current shell; add the line to ~/.bashrc to keep it
[root@master ~]# systemctl enable kubelet && systemctl start kubelet #enable on boot and start; the kubelet restarts in a loop until kubeadm init/join writes its configuration, which is expected
2.2 Pull the images
[root@master ~]# cat ./image.sh #create it yourself if it does not exist
#!/bin/bash
# Pull the control-plane images from the Aliyun mirror and retag them with the
# k8s.gcr.io names that kubeadm uses by default.
set -euo pipefail
url=registry.aliyuncs.com/google_containers
version=v1.18.3
images=($(kubeadm config images list --kubernetes-version="$version" | awk -F '/' '{print $2}'))
for imagename in "${images[@]}"; do
    docker pull "$url/$imagename"
    docker tag "$url/$imagename" "k8s.gcr.io/$imagename"
    docker rmi "$url/$imagename" #drops the mirror tag only; the image stays under the k8s.gcr.io name
done
[root@master ~]# chmod +x image.sh && ./image.sh
Since kubeadm init below is run with --image-repository registry.aliyuncs.com/google_containers, the retagging is not strictly needed: kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.18.3 does the job on its own. Either way the mirror is a trusted link in the supply chain; note the digests (docker images --digests) so they can be compared with the upstream k8s.gcr.io images.
3. Initialize the cluster
3.1 master node
$ kubeadm init --kubernetes-version=1.18.3 \
--apiserver-advertise-address=192.168.1.3 \
--service-cidr=10.10.0.0/16 \
--pod-network-cidr=10.122.0.0/16 \
--image-repository registry.aliyuncs.com/google_containers
--apiserver-advertise-address is the master's own address, which is also what the API server certificate is issued for. The service and pod ranges must not overlap each other or the host network (192.168.1.0/24 here); Calico reads --pod-network-cidr from the kubeadm configuration, so its manifest needs no change for a non-default range.
If initialization fails, reset before trying again:
$ kubeadm reset && systemctl restart kubelet
$ rm -rf $HOME/.kube/config #skip if the file does not exist
$ rm -rf /var/lib/cni/ #skip if the directory does not exist
The following is more thorough, but I did not use it:
swapoff -a && kubeadm reset && systemctl daemon-reload && systemctl restart kubelet && iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
Note that it flushes every iptables rule on the host, not only the ones kube-proxy added.
If initialization succeeds, the output ends like this:
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.1.3:6443 --token v2r5a4.veazy2xhzetpktfz \
--discovery-token-ca-cert-hash sha256:daded8514c8350f7c238204979039ff9884d5b595ca950ba8bbce80724fd65d4
Save the last part of the output: it is the command the other nodes run to join the cluster.
Note: the token is valid for 24 hours; after that, generate a new join command with
kubeadm token create --print-join-command
Anyone holding a valid token and the CA hash can join a machine to the cluster as a node, and the token by itself is a bootstrap credential that lets its holder request node certificates, so do not paste it into tickets or chat; issue it with a short --ttl when you need one and delete it with kubeadm token delete once the node has joined.
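An added example (not part of the original guide) for handling the join credential with the care it deserves: computing the discovery hash from the cluster CA the same way kubeadm does, checking a join command against it, issuing a short-lived token and revoking it afterwards. The path /etc/kubernetes/pki/ca.crt is kubeadm's default; the script name, the 30-minute TTL and the token description are choices made here, and the sample join command in the comments is the one printed above.

```shell
#!/bin/sh
# join-token.sh: handle kubeadm join credentials on the master.
# Added example, not part of the original guide. Assumptions: kubeadm's default
# CA path /etc/kubernetes/pki/ca.crt and a 30-minute token lifetime.
set -eu

CA_CERT=${CA_CERT:-/etc/kubernetes/pki/ca.crt}

# The value kubeadm prints after "sha256:" is the SHA-256 of the CA's
# DER-encoded SubjectPublicKeyInfo. This is the pipeline from the kubeadm
# docs, with "openssl pkey" in place of "openssl rsa" so ECDSA CAs work too.
ca_cert_hash() {
    openssl x509 -pubkey -noout -in "$1" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Pull the token and the hash out of a join command line, e.g.
# "kubeadm join 192.168.1.3:6443 --token v2r5a4.veazy2xhzetpktfz --discovery-token-ca-cert-hash sha256:..."
join_token() { printf '%s' "$1" | sed -n 's/.*--token[= ]\([a-z0-9]\{6\}\.[a-z0-9]\{16\}\).*/\1/p'; }
join_hash()  { printf '%s' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash[= ]sha256:\([0-9a-f]\{64\}\).*/\1/p'; }

# Bootstrap tokens are <6 chars>.<16 chars> of lower-case letters and digits.
valid_token_format() { printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'; }

# 0 when the hash in a join command matches the CA certificate (default: the
# local kubeadm CA). A worker should only run a join command whose hash was
# obtained out of band and passes this check; otherwise a spoofed API server
# could hand it a rogue CA during discovery.
join_hash_matches_ca() {
    [ "$(join_hash "$1")" = "$(ca_cert_hash "${2:-$CA_CERT}")" ]
}

# Issue a token that expires in 30 minutes instead of the default 24 hours.
issue_join_command() {
    kubeadm token create --ttl 30m --description "node01 bootstrap" --print-join-command
}

# Revoke a token as soon as the node has joined; tokens are stored as secrets
# in kube-system and stay usable until they expire or are deleted.
revoke_token() { kubeadm token delete "$1"; }

if [ "${1:-}" = "issue" ]; then
    cmd=$(issue_join_command)
    echo "$cmd"
    if join_hash_matches_ca "$cmd"; then
        echo "discovery hash matches $CA_CERT"
    else
        echo "WARNING: discovery hash does not match $CA_CERT" >&2
    fi
    echo "after node01 has joined, revoke with: kubeadm token delete $(join_token "$cmd")"
fi
```

Run sh join-token.sh issue on the master, carry the printed command to node01 by a channel you trust, and revoke the token afterwards; kubeadm token list shows what is still outstanding.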
Set up kubectl as the output suggests (running as root here, so no sudo):
$ mkdir -p $HOME/.kube
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config
admin.conf holds a client certificate in the system:masters group, which bypasses RBAC entirely; keep it mode 0600 and on the master only.
Check the nodes:
[root@master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
master NotReady master 12m v1.18.3
[root@master ~]# kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-7ff77c879f-ncvzp 0/1 Pending 0 12m
kube-system coredns-7ff77c879f-tm5fj 0/1 Pending 0 12m
kube-system etcd-master 1/1 Running 0 13m
kube-system kube-apiserver-master 1/1 Running 0 13m
kube-system kube-controller-manager-master 1/1 Running 0 13m
kube-system kube-proxy-mwlcl 1/1 Running 0 12m
kube-system kube-scheduler-master 1/1 Running 0 13m
[root@master ~]#
The node is NotReady because no CNI network plugin is installed yet; the coredns pods stay Pending until one is.
Install the Calico network
This applies whatever the unversioned URL currently serves, and a CNI manifest carries cluster-wide privilege (a DaemonSet with host networking on every node). Downloading the file, reading it, and pinning a specific Calico release on the same site is the safer habit and keeps the install reproducible.
[root@master ~]# kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
configmap/calico-config created
...
serviceaccount/calico-kube-controllers created
[root@master ~]#
[root@master ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
master Ready master 16m v1.18.3
[root@master ~]# kubectl get pod --all-namespaces
3.2 node01
3.2.1 Join the worker to the cluster
Run the join command obtained from the master:
[root@node01 ~]# kubeadm join 192.168.1.3:6443 --token v2r5a4.veazy2xhzetpktfz \
--discovery-token-ca-cert-hash sha256:daded8514c8350f7c238204979039ff9884d5b595ca950ba8bbce80724fd65d4
Calico does not need to be applied again from node01: it is a cluster-wide DaemonSet that was installed once from the master, and it schedules its pod onto the new node automatically (kubectl get pod -n kube-system -o wide on the master shows it).
3.2.2 kubectl does not work on the worker
That is the default: a worker only receives a kubelet credential. To make kubectl work there, the guide copies /etc/kubernetes/admin.conf from the master to the worker:
[root@master ~]# scp /etc/kubernetes/admin.conf root@192.168.1.4:/etc/kubernetes/
On node01 (this makes the worker a kubernetes-admin client):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
or, on node01:
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
source ~/.bash_profile
Be aware that admin.conf is the cluster-admin credential: once it sits on node01, anyone who gets root on that worker, including through a container escape, owns the whole cluster. For a lab this is convenient; otherwise run kubectl from the master, or give the worker a kubeconfig for a limited ServiceAccount built the same way as the dashboard kubeconfig in 5.4.2.
4. API server access permissions
The API server address is shown by "kubectl cluster-info"; by default it is https://xxx.xxx.xxx.xxx:6443. Opening it in a browser without a client certificate returns this:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
"reason": "Forbidden",
"details": {
},
"code": 403
}
This is the expected result, not a fault: an unauthenticated request is mapped to system:anonymous, which RBAC does not allow to read anything. Do not "fix" it by enabling anonymous access or binding system:anonymous to a role; present a client certificate instead. To let a browser use the admin client certificate, export it from the kubeconfig as a PKCS#12 bundle:
$ umask 077 #the extracted key is the cluster-admin private key; keep the files private
$ grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
$ grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
$ openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client" #set an export password when prompted
$ sz kubecfg.p12 #download over ZMODEM (lrzsz); scp works just as well
$ rm kubecfg.key kubecfg.crt
Import kubecfg.p12 into the browser. That browser now carries a system:masters credential for the cluster, exactly like admin.conf, so treat the machine it runs on accordingly.
5. Install kubernetes-dashboard
5.1 Pull the images first
Optional: pre-pulling only makes the deployment faster. The tags must match the manifest downloaded in 5.2, which references these:
$ docker pull kubernetesui/dashboard:v2.0.0-rc7
$ docker pull kubernetesui/metrics-scraper:v1.0.4
5.2 Download and edit the yaml file
Download the manifest to the local disk (retry if the connection fails):
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc7/aio/deploy/recommended.yaml
Change the Service to NodePort:
$ vim recommended.yaml
...
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30001
selector:
k8s-app: kubernetes-dashboard
...
Add an admin account. This binds a ServiceAccount to the built-in cluster-admin ClusterRole, so whoever holds its token (or logs into the dashboard with it) has unrestricted access to the whole cluster. That is acceptable for a lab; on a shared cluster bind a narrower role instead (the built-in view ClusterRole, or a Role scoped to one namespace) and leave the dashboard's own account with the minimal permissions the recommended manifest gives it.
$ cat >> recommended.yaml << EOF
# ------------------- dashboard-admin ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1 # v1 has been available since 1.8; v1beta1 is deprecated
kind: ClusterRoleBinding
metadata:
name: dashboard-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
EOF
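As an added example (not the project's manifest and not part of the original post), the script below renders the least-privilege counterpart to the dashboard-admin binding above: a ServiceAccount bound to the built-in view ClusterRole cluster-wide, or to a single namespace through a RoleBinding, plus a guard that refuses any manifest binding cluster-admin and a kubectl auth can-i check of what the account actually ends up with. The account name dashboard-viewer and the namespace dev in the namespace-scoped variant are assumptions.

```shell
#!/bin/sh
# dashboard-rbac.sh: a least-privilege account for the dashboard instead of
# cluster-admin. Added example, not part of the original guide or of the
# kubernetes/dashboard project. Assumptions: the account name
# dashboard-viewer; "view" is the built-in ClusterRole (read access to most
# namespaced objects, but not secrets).
set -eu

NAMESPACE=${NAMESPACE:-kubernetes-dashboard}

# Render a ServiceAccount and bind it to an existing ClusterRole.
# Usage: rbac_manifest <account> <account-namespace> <clusterrole> [scope-namespace]
# With a fourth argument the binding is a RoleBinding that only grants the
# role inside that namespace; without it, a ClusterRoleBinding grants it
# cluster-wide.
rbac_manifest() {
    sa=$1; ns=$2; role=$3; scope=${4:-}
    if [ -n "$scope" ]; then
        kind=RoleBinding
        meta="name: $sa
  namespace: $scope"
    else
        kind=ClusterRoleBinding
        meta="name: $sa"
    fi
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $sa
  namespace: $ns
---
apiVersion: rbac.authorization.k8s.io/v1
kind: $kind
metadata:
  $meta
subjects:
- kind: ServiceAccount
  name: $sa
  namespace: $ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $role
EOF
}

# Guard: succeed (0) if the manifest on stdin binds cluster-admin, so a
# pipeline can refuse it before kubectl apply ever sees it.
binds_cluster_admin() {
    grep -Eq '^[[:space:]]*name:[[:space:]]*cluster-admin[[:space:]]*$'
}

# Needs a cluster and the admin kubeconfig; not exercised by the test.
# Impersonation (--as) shows exactly what the new account may do.
apply_and_verify() {
    manifest=$(rbac_manifest dashboard-viewer "$NAMESPACE" view)
    if printf '%s\n' "$manifest" | binds_cluster_admin; then
        echo "refusing to apply a cluster-admin binding" >&2; return 1
    fi
    printf '%s\n' "$manifest" | kubectl apply -f -
    user="system:serviceaccount:$NAMESPACE:dashboard-viewer"
    kubectl auth can-i --list --as="$user" -n default
    kubectl auth can-i get pods --as="$user" -n kube-system        # yes
    kubectl auth can-i get secrets --as="$user" -n kube-system     # no
    kubectl auth can-i delete deployments --as="$user" -n default  # no
    # The token to paste into the dashboard login page (1.18 still creates
    # a token secret for every ServiceAccount):
    kubectl -n "$NAMESPACE" get secret \
        "$(kubectl -n "$NAMESPACE" get sa dashboard-viewer -o jsonpath='{.secrets[0].name}')" \
        -o jsonpath='{.data.token}' | base64 -d; echo
}

if [ "${1:-}" = "apply" ]; then apply_and_verify; fi
```

sh dashboard-rbac.sh apply creates the account and prints both its effective permissions and its token; log into the dashboard with that token instead of the dashboard-admin one when read-only access is all that is needed.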
5.3 Install
$ kubectl create -f recommended.yaml
Check that it came up:
$ kubectl get pod -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-dc6947fbf-bk9fc 1/1 Running 0 80m
kubernetes-dashboard-5d4dc8b976-xxmpk 1/1 Running 0 80m
$ kubectl get svc -n kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dashboard-metrics-scraper ClusterIP 10.10.61.35 <none> 8000/TCP 80m
kubernetes-dashboard NodePort 10.10.194.149 <none> 443:30001/TCP 80m
The dashboard is now reachable at https://192.168.1.3:30001/ (any node IP works with a NodePort; the certificate is self-signed, so the browser warns). The login page offers two methods: token or kubeconfig. The NodePort is open on every node's interfaces, so anyone who can reach the hosts can reach the login page.
5.4 Logging in
5.4.1 Get the token
$ kubectl get secret --all-namespaces | grep dashboard #find the dashboard-admin token secret
kubernetes-dashboard dashboard-admin-token-swhrz kubernetes.io/service-account-token 3 82m
...
$ kubectl describe secret/dashboard-admin-token-swhrz -n kubernetes-dashboard
Name: dashboard-admin-token-swhrz
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: cdfb442a-f48b-11e8-80e8-000c29c3dca5
Type: kubernetes.io/service-account-token
Data
====
namespace: 11 bytes
token: *************copy this token******************
Paste the token into the dashboard login page. It is a long-lived ServiceAccount token with cluster-admin rights, so it should be handled like a root password.
5.4.2 kubeconfig
DASH_TOKEN=$(kubectl get secret -n kubernetes-dashboard dashboard-admin-token-swhrz -o jsonpath='{.data.token}' | base64 -d)
kubectl config set-cluster kubernetes --server=https://192.168.1.3:6443 --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true --kubeconfig=/root/dashboard-admin.conf
kubectl config set-credentials dashboard-admin --token=$DASH_TOKEN --kubeconfig=/root/dashboard-admin.conf
kubectl config set-context dashboard-admin@kubernetes --cluster=kubernetes --user=dashboard-admin --kubeconfig=/root/dashboard-admin.conf
kubectl config use-context dashboard-admin@kubernetes --kubeconfig=/root/dashboard-admin.conf
#1. Replace the secret name with your own. 2. Upload the resulting dashboard-admin.conf on the dashboard login page. The https:// scheme and the embedded CA make the file valid for kubectl as well (the dashboard only reads the token from it); since it contains a long-lived cluster-admin token, it deserves the same care as admin.conf.
5.4.3 Enable skip-login
$ kubectl edit deploy -n kubernetes-dashboard kubernetes-dashboard
...
spec:
containers:
- args:
- --auto-generate-certificates
- --enable-skip-login #add this line under args in containers
- --namespace=kubernetes-dashboard
image: kubernetesui/dashboard:v2.0.0-rc7
...
#Reload the page and a Skip button appears. Skipping logs you in as the dashboard's own ServiceAccount (kubernetes-dashboard), which the recommended manifest limits to a few objects in its own namespace, so the button shows very little. Do not widen that account's permissions to make skip-login useful: with the NodePort exposed, that would hand the access to anyone who can reach the port.
6. Common commands
$ kubeadm config images list --kubernetes-version=1.18.3
$ kubeadm token list
$ kubeadm token create --print-join-command
$ kubectl get cs #component status; deprecated in later releases
$ kubectl get nodes -o wide #nodes are not namespaced, so --all-namespaces does nothing here
$ kubectl get svc -n kube-system
$ kubectl get pods --all-namespaces
$ kubectl get secret --all-namespaces