非内网(公网)搭建k8s集群(一主二从)

最新推荐文章于 2023-04-20 15:41:58 发布
最新推荐文章于 2023-04-20 15:41:58 发布
阅读量1.4k 收藏 12
点赞数 2
分类专栏: k8s 文章标签: kubernetes 容器 云原生
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_45675001/article/details/126953899
版权

情况说明

  • 前段时间呢,为了学习使用k8s买了3台服务器,当然为了省钱。。,于是就买了腾讯云的学生优惠服务器,由于是3个账号分别购买,于是就。。。只能公网部署,中间遇到了好多好多坑,但是最终还是一个坑一个坑爬出来了,特此记录一下,哪些不小心买了非内网部署的小伙伴们可以参考下。

服务器配置

  1. 三台4核8g的
  2. 学习环境的话,如果仅仅只是搭建k8s集群,上面在运行几个springboot项目应该是够用的
  3. 如果要用kubesphere的话,会有点儿卡
  4. 纯学习的话,其实可以买按时间计费的服务器

一些链接

  1. k8s官网链接:https://kubernetes.io/
  2. kubesphere官网:https://kubesphere.com.cn/
  3. 内网部署的话,可以参考尚硅谷的:尚硅谷内网部署

部署步骤

1、 每台机器设置hostname

# 三台机器一次运行下面的命令, 设置不同的hostname
# 语法格式:hostnamectl set-hostname xxx
hostnamectl set-hostname master
hostnamectl set-hostname slave1
hostnamectl set-hostname slave2

2、 基础环境

# 将 SELinux 设置为 permissive 模式(相当于将其禁用)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

#关闭swap
swapoff -a  
sed -ri 's/.*swap.*/#&/' /etc/fstab

#允许 iptables 检查桥接流量
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF

cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system

3、创建虚拟网卡(这里是公网部署的关键)

# 所有主机都要创建虚拟网卡,并绑定对应的公网 ip
# 临时生效,重启会失效
ifconfig eth0:1 <你的公网IP>
 
# 永久生效
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=<你的公网IP>
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
# 设置后重启网卡
sudo systemctl restart network

4、所有机器添加域名映射

#所有机器添加master域名映射 写自己ip  这里的域名要和设置的hostname对应
echo "110.40.155.237 master" >> /etc/hosts
echo "43.142.47.211  slave1" >> /etc/hosts
echo "43.138.55.127  slave2" >> /etc/hosts

5、所有机器安装kubelet、kubeadm、kubectl

# 设置安装源
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
   http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF

#进行安装
sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes

#将kubelet 命令添加到systemctl中 
sudo systemctl enable --now kubelet

6、所有机器安装kubeadm引导集群

sudo tee ./images.sh <<-'EOF'
#!/bin/bash
images=(
kube-apiserver:v1.20.9
kube-proxy:v1.20.9
kube-controller-manager:v1.20.9
kube-scheduler:v1.20.9
coredns:1.7.0
etcd:3.4.13-0
pause:3.2
)
for imageName in ${images[@]} ; do
docker pull registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/$imageName
done
EOF

# 添加执行权限 并执行images.sh中的命令 去下载镜像
chmod +x ./images.sh && ./images.sh

7、修改kubelet启动参数文件(每台机器都需要执行) (很重要)

# 此文件安装kubeadm后就存在了
vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
 
# 注意,这步很重要,如果不做,节点仍然会使用内网IP注册进集群,通过修改这里 可以让每个几点以公网ip注册到集群中
# 在末尾添加参数 --node-ip=公网IP
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --node-ip=<公网IP>

8、初始化master节点(只在主节点进行)

8.1 添加kubeadm-config.yaml配置文件
cat > kubeadm-config.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.20.9
apiServer:
  certSANs: 
  - master        #请替换为hostname
  - 110.41.115.236   #请替换为公网IP
  - 10.0.4.7   #请替换为私网IP
  - 10.96.0.1
controlPlaneEndpoint: 110.41.115.236:6443 #替换为公网IP
imageRepository: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images
networking:
  #pod网络层 这里需要根据你使用的网络插件来更换,例如calico就用192.168.0.0/16,falnnel需要换成10.244.0.0/16
  podSubnet: 10.244.0.0/16
  #service网络层
  serviceSubnet: 10.96.0.0/12
--- 
apiVersion: kubeproxy-config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs
EOF
8.2 执行初始化命令
#如果失败了,就在init命令最后添加-v=10来查看什么错误。
#并通过删除原有安装
kubeadm init --config=kubeadm-config.yaml
#kubeadm init -v=10 --config=kubeadm-config.yaml
# 如果安装失败需要重新安转 删除原有安装
kubeadm reset
rm -rf /root/.kube/
sudo rm -rf /etc/kubernetes/
sudo rm -rf /var/lib/kubelet/
sudo rm -rf /var/lib/dockershim
sudo rm -rf /var/run/kubernetes
sudo rm -rf /var/lib/cni
sudo rm -rf /var/lib/etcd
sudo rm -rf /etc/cni/net.d
8.3 成功之后
8.3.1 显示的内容

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

  kubeadm join 110.40.225.236:6443 --token 0tb7mi.q6q1cwt7mv11pxa0 \
    --discovery-token-ca-cert-hash sha256:b69907b021012f8a2968afb73872b782e1b753385d4ccedc71e94a79fbed3e80 \
    --control-plane

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 133.40.222.236:6443 --token 0tb7mi.q6q1cwt7mv11pxa0 \
    --discovery-token-ca-cert-hash sha256:b69907b021012f8a2968afb73872b782e1b753385d4ccedc71e94a79fbed3e80
8.3.2 第一步
#需要执行这里 只在master
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
8.3.3 第二步
#如果是root用户就执行这里 只在master
export KUBECONFIG=/etc/kubernetes/admin.conf
8.4 修改kube-apiserver参数 (只在master)
# 修改两个信息,添加--bind-address和修改--advertise-address
vim /etc/kubernetes/manifests/kube-apiserver.yaml
 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.0.20.8:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=123.40.456.236 # 修改为公网IP
    - --bind-address=0.0.0.0  # 新增参数
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images/kube-apiserver:v1.20.9
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.0.20.8
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.0.20.8
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.0.20.8
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/pki
      name: etc-pki
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/pki
      type: DirectoryOrCreate
    name: etc-pki
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
status: {}
8.5 安装网络组件 使用 flanel (calico没成功。。。)
8.5.1 下载flannel配置文件
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
8.5.2 修改 kube-flannel.yml 内容,如下 (有新增注释的地方)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",  # 这里是kubeadm-config.yaml配置的podsnetwork
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.14.0
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --public-ip=$(PUBLIC_IP)  # 新增
        - --iface=eth0   # 新增 这里必须写虚拟网卡
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: PUBLIC_IP #新增
          valueFrom:   #新增
            fieldRef: #新增
              fieldPath: status.podIP #新增
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
8.5.3 创建网络插件
kubectl apply -f kube-flannel.yml
8.6 从节点加入
8.6.1 加入命令
# 这个命令是有时效性的 24小时 
# 第二次加入先强制重置  kubeadm reset -f
kubeadm join 123.45.165.236:6443 --token 8z98g4.p7eafjdkcaqd279a \
    --discovery-token-ca-cert-hash sha256:0f6891168a726c265528355ca932ae74769bfef1e0f7d0f89b089a428eda9829
8.6.2 使用命令检查(在主节点)
# 查看pod
kubectl get pods -A
# 查看节点及其ip
kubectl get nodes -o wide
# 查看节点状态
journalctl -f -u kubelet
8.6.3 重新生成加入命令 (在主节点)
kubeadm token create --print-join-command

9、部署控制台

9.1 拉取配置
#kubernetes官方提供的可视化界面
#https://github.com/kubernetes/dashboard

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml
9.2 配置内容(如果拉不下来,可以直接用这个,也可以到github上下载)
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.3.1
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
9.4 设置访问端口
#type: ClusterIP 改为 type: NodePort

# 获取控制台运行所在端口  31639 访问的话  就ip  + 端口
kubectl get svc -A |grep kubernetes-dashboard
9.5 创建访问账号
#创建访问账号,准备一个yaml文件; vi dash.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
9.6 加载配置文件 生成访问令牌
kubectl apply -f dash.yaml
#获取访问令牌
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"

#令牌
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikk3cXItU0I0ZTV0bG9YcXFITWY5aklOOEtPcGZTNnJuaWlZcEtLLVpNb2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXBjc2I3Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L_NRCIGzjH1qCqfgSt2jgwVmDQg
s晴天
关注
  • 2
    点赞
  • 12
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
内网服务器加入k8s集群部署文件
02-18
内网服务器加入k8s集群部署文件
内网环境k8s离线安装部署
10-31
在无法连接互联网的内网环境部署k8s详细教程。
centos7 关闭selinux_centos7上搭建kubernates集群
weixin_39866867的博客
11-28 159
1)版本统一- Docker 18.09.0 - kubeadm-1.14.0-0 - kubelet-1.14.0-0 - kubectl-1.14.0-0 - k8s.gcr.io/kube-apiserver:v1.14.0 - k8s.gcr.io/kube-controller-manager:v1.14.0 - k8s.gcr.io/kube-scheduler:v1....
一主二k8s集群搭建
muzilee的博客
04-20 77
查看集群结点状态(此时有master和node且status为notready)#查看集群结点状态(此时有master和node且status为ready)#初始化看见successfully后在下面命令中找(每个集群会有不同)#用到的阿里源加速器可自行在aliyun开源镜像站里找。#初始化看见successfully后在下面命令中找。#查看集群结点状态(此时只有master)#给脚本添加权限执行脚本并查看是否加载成。#添加需要加载的模块并写入脚本。#查看网桥过滤模块是否加载成。
二、搭建k8s集群
吴大侠的博客
09-04 168
1、平台规划和搭建方式介绍 2、使用kubeadm方式搭建kuberneters集群 1. 对操作系统进行初始化操作 # 关闭防火墙 systemctl stop firewalld systemctl disable firewalld # 关闭selinux sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久 sente...
平台搭建记录-外网测试环境搭建高可用k8s集群
jyf650426的博客
02-07 1677
前言 此为之前文章的参考,主要记录方便以后直接快速搭建 准备 服务器 ip 系统 角色 master1 192.168.31.100 centos7.6 k8s-master节点1,ceph-node,ceph-osd,ceph-mds,ceph-mgr node1 192.168.31.101 centos7.6 k8s-node节点1,ceph-node,ceph-osd,...
k8s二进制搭建,及ldap搭建.txt
11-02
这个主要是内网用,外网的话搭建方式很多。我也是参考了其他教程,但是有一些坑,卡了我好久,最后终于搞成了。这是我做的笔记,给初学者看看吧。
redis一主两从三哨兵.docx
11-07
1. 一主多从(Master-Slave):其中一个节点作为主节点,其他节点作为从节点,从节点复制主节点的数据。 2. 多主多从(Multi-Master):每个节点都是独立的主节点,可以提供高可用性和水平扩展性。 在本例中,我们...
k8s集群部署文档说明
最新发布
10-16
本文档提供了k8s集群部署的详细步骤,涵盖了环境搭建、Docker安装、加速配置、kubeadm安装、kubelet、kubeadm、kubectl安装等多个方面的知识点。 1. 环境搭建 在开始k8s集群部署之前,需要首先搭建环境,包括安装...
Kubernetes一主两从
qq_42066250的博客
07-17 619
说明 这次是使用的是1个master、2个node 为的是模拟搭建环境,真实环境是多master(n>1) 且为奇数 安装k8s的节点必须是大于1核心的CPU 使用的系统centos7,6的话好多命名空间有很多不支持 内核3.1以上才是较好的运行环境,最好是4.4内核以上 网络采用Flannel(官方推荐)方式 ps: 第2点是因为为了防止单节点故障,高可用一般都为3,5,7 ###资料地址 链接: https://pan.baidu.com/s/1ULw76sCpq5EMR00i9h7H7w 密码:
无网环境kubeadm+nginx部署k8s集群
filtercomp的博客
10-13 1200
使用kubeadm+nginx负载方式部署k8s集群
k8s 最简单的一主二从本地集群部署 并部署镜像(1、基础环境搭建
weixin_43885494的博客
12-06 1293
k8s 最简单的一主二从本地集群部署 并部署镜像(1、基础环境搭建)环境基础创建基础物理机创建基础镜像机基础镜像环境准备基础镜像软件准备 环境基础 3台CentOS7主机: master主机: k8s主节点(2核2g) node1主机: 运行节点1(2核4g) node2主机: 运行节点2(2核4g) k8s版本: v1.19.4 docker版本: 19.03.13 ip(/etc/hosts): 192.168.101.100 k8s.master 192.168.101.101 k
超低成本的k8s集群搭建教程
burn_in_hell的博客
02-13 2217
k8s全称kubernetes,如果你已经点进来看了,说明这个名字你应该不陌生,k8s是为容器服务而生的一个可移植容器的编排管理工具,越来越多的公司正在拥抱k8s,推动微服务架构等热门技术的普及和落地,未来一定是k8s的天下。但是很多人由于公司没有使用,搭建成本过高自己也无从下手学习,现在教你一种超低成本的k8s集群搭建方式,理论上只需要一台2c4g+一台1c2g,让你跟上技术的脚步。.........
Kubernetes集群环境搭建详细教程(一主两从)
weixin_47976194的博客
12-07 1317
k8s搭建集群 一主两从
yum部署K8S笔记,kubeadm部署
255.255.255.0
12-28 235
#参考资料https://www.cnblogs.com/omgasw/p/10557554.html #启动master for service in etcd docker kube-apiserver kube-scheduler kube-controller-manager ;do service $service start ;done #错误排查 cat /var/log/messages|grep kube-apiserver|grep -i error #删除nodes kubect
内网服务器加入k8s集群上——创建虚拟局域网
qq_32166165的博客
02-16 1705
随着k8s集群上个部署的项目增多,服务器cpu、内存已经达到瓶颈,经常卡顿。正当需要给集群扩容时发现公司有5台16核32G的闲置服务器,都可以上外网但是没有公网ip,都是NAT内网环境,http也被ISP屏蔽。 现有集群部署在腾讯云上有公网环境的,于是master节点当网关和路由创建虚拟局域网(vpn)完成互联,让公司的服务器加入集群。 这是简化的拓扑结构 一、环境准备:三台主机都安装centos7,实验内核版本 3.10.0-1160.15.2.el7.x86_64 1、所有主机关闭...
三、公网环境搭建Kubernetes (k8s) 集群的详细图解
胖太乙
06-04 4530
上一节介绍了 Kubernetes (k8s) 内网集群搭建详细图解 ,也介绍了云服务器按量付费的租赁方式,但是这种方式有点不好之处就是,每次停机重启之后 , IP地址就变了,导致XShell 连接工具每次要改IP, 很是麻烦, 好在我这个人比较能薅羊毛,于是在腾讯云, 百度云, 阿里云上面都薅了一波羊毛。【想薅羊毛看这里:“羊毛”】。所以趁着休息,将手头的几台云服务器搭建k8s 集群,由于这几台云服务属于不同的云服务厂商,无法搭建局域网环境的 k8s 集群,故笔者搭建的是公网环境的 k8s 集群。我
linux搭建kubernetes集群一主二从)
cat91的博客
05-13 4211
目录 1.环境准备 1.1禁用swap(kubernetes特性) 1.2 关闭iptables(三台机器都要设置) 1.3 修改主机名(三台机器都要设置) 1.4域名解析,ssh免密登录 2.安装k8s 2.1下载yum源 2.2创建缓存(将后面需要下载的rpm包缓存下来,方便其他机器使用) 2.3 打开iptables桥接功能(三个节点都需调整) 2.4 打开路由转发(三个节点都需调整) 2.5 回到master节点 2.6 初始化集群(下载镜像) 2.7 其他节点加入集群 .
如何配置阿里云容器服务K8S Ingress Controller使用私网SLB
weixin_34195546的博客
06-25 2151
背景 我们通过阿里云容器服务申请一个K8S集群集群初始化时会自动部署一套Nginx Ingress Controller,默认其挂载在公网SLB实例上: 配置私网SLB 但对于部分用户来说,希望容器集群内的服务仅仅只对同一个VPC内其他服务调用访问,那么我们可以通过调整Nginx Ingress Controller服务的配置来完成。 1、手动申...
"内网环境k8s离线安装部署详细教程:纯傻瓜式操作指南
只有确保镜像能够正确地从私有仓库中拉取,整个k8s集群才能够正常运行。因此,在每个步骤中,都需要仔细对应相应的网络设置和仓库地址配置,确保每一步都能够顺利完成。 通过本教程的学习和操作,读者可以轻松地在...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值