一、K8S下载
1. 安装docker看这个
在Ubuntu系统上安装Docker_docker ubuntu-CSDN博客
2. 基于Ubuntu安装Kubernetes集群指南
(安装 K8S 看这个。若其中阿里云的链接失效,用下面的命令安装,而后继续第 2 步)
K8S阿里云连接失效查看以下连接
kubernetes镜像_kubernetes下载地址_kubernetes安装教程-阿里巴巴开源镜像站
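# Add the Kubernetes v1.28 apt repository from the Aliyun mirror and install the
# node binaries. Run as root (or prefix every command with sudo).
apt-get update && apt-get install -y apt-transport-https ca-certificates curl gpg
# The keyring directory does not exist on older Ubuntu releases, and gpg below
# will not create it.
mkdir -p -m 755 /etc/apt/keyrings
# Import the repository signing key. The [signed-by=...] option in the source
# line pins this key to this repository only, so apt rejects packages that are
# not signed with it. (gpg refuses to overwrite an existing keyring file; delete
# it first when re-running these steps.)
curl -fsSL https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/deb/Release.key |
  gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://mirrors.aliyun.com/kubernetes-new/core/stable/v1.28/deb/ /" |
  tee /etc/apt/sources.list.d/kubernetes.list
apt-get update
apt-get install -y kubelet kubeadm kubectl
# Hold the packages so a routine apt upgrade cannot move the node to a different
# Kubernetes version behind kubeadm's back. (The stray "EOF" that ended this
# snippet was a leftover here-doc terminator and has been removed.)
apt-mark hold kubelet kubeadm kubectl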
二、更换网络后的操作
(一)主节点初始化与配置
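# Reset the control-plane node (undoes a previous kubeadm init/join). Needs root.
sudo kubeadm reset
# Re-initialize the control plane. Run ONLY ONE of the two init lines, with
# --apiserver-advertise-address set to this node's own IP. --pod-network-cidr
# must match the Flannel manifest (10.244.0.0/16 is Flannel's default).
# --image-repository pulls the control-plane images from an Aliyun mirror
# instead of registry.k8s.io; use it only when the upstream registry is
# unreachable, since the mirror is outside the Kubernetes project's control.
sudo kubeadm init --apiserver-advertise-address 192.168.6.220 --pod-network-cidr 10.244.0.0/16 --image-repository registry.aliyuncs.com/google_containers
# Alternative for the other network:
# sudo kubeadm init --apiserver-advertise-address 192.168.51.84 --pod-network-cidr 10.244.0.0/16 --image-repository registry.aliyuncs.com/google_containers
# Worker join command as printed by kubeadm init. The bootstrap token is a
# credential (valid 24h by default) and should not be kept in shared notes;
# the real value was replaced by the placeholder below. Generate a fresh
# command on the control plane with: kubeadm token create --print-join-command
sudo kubeadm join 192.168.6.220:6443 --token <BOOTSTRAP_TOKEN> \
  --discovery-token-ca-cert-hash sha256:71eac771921d9a72263688b7c1134ac83a85400168f3cf20924ede6c9fddcc14
# The following runs on the control-plane node.
# Enable kubectl for the current (non-root) user. admin.conf contains a
# cluster-admin client certificate, so the copy must be readable only by you.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
chmod 600 $HOME/.kube/config
# Bash command completion for kubectl.
echo 'source <(kubectl completion bash)' >> ~/.bashrc
source ~/.bashrc
# Install the Flannel CNI. "latest" is not reproducible; pin a release tag when
# the cluster must be rebuilt identically. If GitHub is unreachable, save the
# manifest below as kube-flannel.yml and apply that file instead.
kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml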
#若 GitHub 无法访问,将以下内容保存为 kube-flannel.yml 后使用
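---
# Namespace for the Flannel CNI (indentation restored; the flattened copy did
# not parse as the intended structure).
kind: Namespace
apiVersion: v1
metadata:
  name: kube-flannel
  labels:
    k8s-app: flannel
    # The Flannel DaemonSet (not reproduced on this page) needs host-level
    # network access that only the "privileged" Pod Security level permits.
    # Keep this namespace for Flannel alone; do not run other workloads here.
    pod-security.kubernetes.io/enforce: privileged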
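---
# ClusterRole for Flannel (indentation restored). It is deliberately narrow:
# read pods and nodes, patch node status, list ClusterCIDRs - keep it that way.
# NOTE(review): the upstream kube-flannel.yml continues after this document
# (ClusterRoleBinding, ServiceAccount, ConfigMap and the DaemonSet); only the
# first two documents are reproduced here, so a file containing just these
# will not start Flannel.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: flannel
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
  - apiGroups:
      - networking.k8s.io
    resources:
      - clustercidrs
    verbs:
      - list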
# Apply the saved manifest to create the Flannel pods. The file must be the
# complete upstream kube-flannel.yml; the Namespace/ClusterRole excerpt above
# alone does not contain the DaemonSet that actually runs Flannel.
kubectl apply -f kube-flannel.yml
至此主节点配置完成。在工作节点上执行刚才记录的 join 命令即可加入集群(要求工作节点能 ping 通主节点,且已装好 K8S)
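# Worker join command (run on each worker as root). The bootstrap token is a
# 24h credential and was replaced by a placeholder here; generate a fresh
# command on the control plane with: kubeadm token create --print-join-command
# The CA cert hash is not secret - it lets the worker verify the API server.
sudo kubeadm join 192.168.6.220:6443 --token <BOOTSTRAP_TOKEN> \
  --discovery-token-ca-cert-hash sha256:71eac771921d9a72263688b7c1134ac83a85400168f3cf20924ede6c9fddcc14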
(二)搭建Dashboard
1. 拉取Dashboard 配置文件
# Dashboard v2.7.0 manifest from upstream. Note that the copy of
# recommended.yaml embedded at the end of these notes pins the older
# v2.0.0-beta8 image from a third-party mirror, not v2.7.0.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
2. 配置端口访问
# Change spec.type from ClusterIP to NodePort. This exposes the Dashboard on
# every node's IP; restrict who can reach that port (firewall / security
# group), because the Dashboard's login token grants cluster-admin here.
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
找到 type: ClusterIP,将 ClusterIP 改为 NodePort
recommended.yaml文件如果拉不下来,文件附在文末
查看运行在哪个端口
# Show the allocated NodePort (the number after the colon in the PORT(S) column).
kubectl get svc -A | grep kubernetes-dashboard
3. 创建用户
将以下内容存储为 admin-user.yaml
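# ServiceAccount used to log in to the Dashboard (indentation restored).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard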
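---
# Binds admin-user to cluster-admin (indentation restored).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin is unrestricted access to the whole cluster, and anyone who
  # obtains this ServiceAccount's token has the same power. Acceptable for a
  # lab; bind a narrower role on any shared or network-reachable cluster.
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard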
执行以下命令获取token
# Mint a short-lived bearer token for admin-user (Kubernetes >= 1.24). Treat it
# like a password: it grants cluster-admin until it expires.
kubectl -n kubernetes-dashboard create token admin-user
获取报错的话用下面这个命令获取token
# Fallback for older clusters that auto-create ServiceAccount token Secrets.
# NOTE(review): this greps kube-system for a Secret whose name contains
# "namespace", which appears to be the namespace-controller's own token rather
# than admin-user's - it logs you in as a system component. Prefer the
# create-token command above. (The second -n kube-system is redundant.)
kubectl -n kube-system describe $(kubectl -n kube-system get secret -n kube-system -o name | grep namespace) | grep token
4. 访问Dashboard: ip: 端口号
服务器Ip:端口号
或者
localhost:端口号
5. 可能出现的问题
Dashboard搭建(报错参考)
1) 链接不安全看这个链接:
Kubernetes详解(五十九)——Kubernetes Dashboard无法用浏览器访问解决_kubernetes-dashboard访问不了-CSDN博客
解决上述问题,需要为 Kubernetes Dashboard 配置证书。
为此,我们要先生成私钥,执行命令:
# Generate a 2048-bit RSA private key for the Dashboard's serving certificate.
# Keep dashboard.key readable only by root; it is the Dashboard's TLS identity.
openssl genrsa -out dashboard.key 2048
之后,我们根据刚刚生成的密钥,创建证书申请文件,执行命令:这里ip改为自己的
# Create the CSR; replace 192.168.6.220 with the address you will browse to.
# NOTE(review): current browsers ignore the CN and require a subjectAltName,
# so a CN-only certificate is likely still reported as invalid - confirm.
openssl req -new -out dashboard.csr -key dashboard.key -subj '/CN=192.168.6.220'
之后,我们使用Kubernetes的密钥签发该证书,执行命令:
# Self-sign the CSR with the same key. No -days is given, so openssl's default
# validity of 30 days applies; add -days if a longer-lived certificate is wanted.
openssl x509 -req -in dashboard.csr -signkey dashboard.key -out dashboard.crt
成功界面
之后,我们先删除原有的 secret,并根据新生成的证书创建新的 secret,执行命令:
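# Replace the Dashboard's serving-certificate Secret with the self-signed pair.
# Two fixes against the copied commands: the Secret kubernetes-dashboard-certs
# lives in the kubernetes-dashboard namespace (see recommended.yaml at the end
# of these notes), not kube-system, and without -n the new Secret would land
# in the current context's namespace where the Dashboard never reads it; and
# the certificate file produced above is dashboard.crt, not dashboard.cr.
kubectl delete secret kubernetes-dashboard-certs -n kubernetes-dashboard
kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.key --from-file=dashboard.crt -n kubernetes-dashboard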
最后,我们重新启动Kubernetes的Pod
2) 访问如果出现
给用户鉴权
# WARNING: this binds cluster-admin to the unauthenticated identity
# system:anonymous, so anyone who can reach the API server or the Dashboard
# gets full control of the cluster without logging in. Only ever use it on a
# throwaway, non-network-reachable lab cluster; the supported fix for a login
# problem is the admin-user token above. Undo it as soon as possible with:
# kubectl delete clusterrolebinding test:anonymous
kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous
(三)可能用到的命令
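# Commonly used commands.
# kubelet logs (recent entries, with explanations)
journalctl -xeu kubelet
# Which process is listening on a port (ss -anp is the modern equivalent)
netstat -anp|grep 1025
# docker service logs
journalctl -u docker.service
# Describe a resource
kubectl describe service/kubernetes
# Delete a pod/deployment/etc.: kubectl delete <type> <name> -n <namespace>
kubectl delete
# List namespaces
kubectl get namespace
# or
kubectl get ns
# All resources in a given namespace
kubectl get all -n 命名空间
# Nodes
kubectl get nodes
kubectl get nodes -o wide
# Pods
kubectl get pods -A
kubectl get pods -n kube-system
kubectl get pod -n kube-system -o wide
# Pod status and logs (the pod name is an example from this cluster)
kubectl describe pod coredns-57d4cbf879-xgk2f -n kube-system
kubectl logs -f coredns-57d4cbf879-xgk2f -n kube-system
# kubelet service status. --now was dropped from the second form: it only has
# a meaning for enable/disable/mask, not for status.
systemctl status kubelet
systemctl status kubelet.service
# kubelet logs (follow / full)
journalctl -f -u kubelet
journalctl -u kubelet
# Start kubelet at boot
systemctl enable kubelet
# Restart
systemctl restart kubelet
# Status
systemctl status kubelet
# List namespaces
kubectl get ns
# Create a namespace
kubectl create namespace dev
# Reset the node
kubeadm reset
# After a reset, remove the stale kubeconfig (it still holds the old cluster's
# admin credentials)
rm -rf $HOME/.kube
# Pod and service CIDRs: kubeadm stores its configuration in the
# kubeadm-config ConfigMap
kubectl -n kube-system describe cm kubeadm-config |grep -i pod
kubectl -n kube-system describe cm kubeadm-config |grep -i net
# Existing bootstrap tokens. Each one lets a machine join the cluster; revoke
# tokens you no longer need with kubeadm token delete <token>
kubeadm token list
# All pods with the node each is scheduled on
kubectl get pods -A -o wide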
(四)recommended.yaml文件
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
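# Indentation restored throughout this manifest; the flattened copy does not
# parse as the intended structure.
apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard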
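---
# Identity the Dashboard and metrics-scraper pods run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard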
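---
# Front-end Service. No spec.type is set, so it defaults to ClusterIP
# (reachable only inside the cluster); the notes switch it to NodePort with
# kubectl edit, which exposes the Dashboard on every node's IP.
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard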
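---
# Empty placeholder for the serving certificate: the Dashboard fills it via
# --auto-generate-certificates, or you replace it with your own
# dashboard.crt/dashboard.key (see the certificate section of these notes).
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque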
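---
# CSRF key storage; the Dashboard writes the value itself (Role below grants
# update on this Secret).
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""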
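---
# Encryption-key storage for the Dashboard; populated by the Dashboard itself.
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque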
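---
# Dashboard UI settings (empty until the Dashboard writes to it).
kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard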
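---
# Namespace-scoped permissions for the Dashboard's own ServiceAccount. Note
# that every rule is restricted by resourceNames to the Dashboard's own
# objects; widening them would let the Dashboard read arbitrary Secrets.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]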
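---
# Cluster-wide read access to metrics only; the Dashboard acts on the logged-in
# user's token for everything else.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]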
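---
# Grants the namespace Role above to the Dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard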
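---
# Grants the metrics-only ClusterRole above to the Dashboard ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard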
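---
# Dashboard web UI Deployment.
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # The upstream image (commented out) was swapped for a third-party
          # Aliyun mirror because Docker Hub may be unreachable. That mirror is
          # not run by the Kubernetes project: compare the image digest with the
          # upstream tag before trusting it. Also note the tag is v2.0.0-beta8,
          # not the v2.7.0 the notes install from GitHub.
          #image: kubernetesui/dashboard:v2.0.0-beta8
          image: registry.cn-hangzhou.aliyuncs.com/kube-iamges/dashboard:v2.0.0-beta8
          # IfNotPresent keeps using a locally cached image with this tag even
          # if the registry's copy changes; Always re-checks on every start.
          #imagePullPolicy: Always
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Generates a self-signed serving cert into the certs volume unless
            # dashboard.crt/dashboard.key are already present there.
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # Non-root, no privilege escalation, read-only root filesystem: keep
          # these when customising the manifest.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      # NOTE(review): kubeadm 1.25+ taints the control plane with
      # node-role.kubernetes.io/control-plane, so on a v1.28 single-node
      # cluster this toleration alone may not let the pod schedule - confirm.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule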
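---
# In-cluster Service for the metrics scraper (ClusterIP by default; plain HTTP
# on 8000, reached only through the Dashboard's services/proxy permission).
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper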
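---
# Metrics scraper Deployment (collects pod/node metrics for the Dashboard).
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        # NOTE(review): "seccompProfile" is not a recognised pod annotation
        # key, so this line most likely applies no seccomp profile. The upstream
        # manifest used the seccomp.security.alpha.kubernetes.io/pod annotation
        # here, and newer releases set spec.securityContext.seccompProfile
        # (type: RuntimeDefault) instead - confirm and fix.
        seccompProfile: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          # Third-party mirror of the upstream image; verify its digest against
          # the upstream tag before trusting it.
          #image: kubernetesui/metrics-scraper:v1.0.1
          image: registry.cn-hangzhou.aliyuncs.com/kube-iamges/metrics-scraper:v1.0.1
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      # NOTE(review): kubeadm 1.25+ uses the node-role.kubernetes.io/control-plane
      # taint, so this toleration alone may not schedule on a single-node cluster.
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}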