一. 软件、镜像清单
1 软件清单
| 软件 | 版本 |
| --- | --- |
| kubelet | 1.29.4-150500.2.1.x86_64 |
| kubernetes-cni | 1.3.0-150500.1.1.x86_64 |
| kubectl | 1.29.4-150500.2.1.x86_64 |
| kubeadm | 1.29.4-150500.2.1.x86_64 |
| containerd.io | 1.6.31-3.1.el7.x86_64 |
2 镜像清单
| IMAGE | TAG |
| --- | --- |
| docker.io/calico/cni | v3.26.1 |
| docker.io/calico/node | v3.26.1 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/coredns | v1.11.1 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/etcd | 3.5.12-0 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver | v1.29.4 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager | v1.29.4 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy | v1.29.4 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler | v1.29.4 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/pause | 3.9 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen | v1.4.0 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server | v0.5.2 |
| registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller | v1.10.0 |
二. 主机信息
| hostname | 主机ip | 系统版本 |
| --- | --- | --- |
| baseos | 192.168.3.35 | CentOS 7.9.2009 |
| master1 | 192.168.3.34 | CentOS 7.9.2009 |
| master2 | 192.168.3.36 | CentOS 7.9.2009 |
| master3 | 192.168.3.38 | CentOS 7.9.2009 |
| Node1 | 192.168.1.114 | CentOS 7.9.2009 |
| Node2 | 192.168.1.115 | CentOS 7.9.2009 |
三.部署nginx,用做k8s apiserver负载均衡
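# Install nginx with its stream module on the baseos host (192.168.3.35) and
# run it as a layer-4 (TCP) load balancer in front of the three apiservers.
# All addresses come from the host inventory above. The original mixed
# "sudo" and plain commands and omitted -y on the first install (interactive).
sudo yum install -y epel-release
sudo yum install -y nginx nginx-all-modules.noarch
sudo systemctl enable --now nginx

# Quoted "EOF" keeps the shell from expanding the nginx $variables below.
sudo tee /etc/nginx/nginx.conf > /dev/null << "EOF"
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Loads the dynamic modules (incl. ngx_stream); must precede the stream {} block.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

# 四层负载均衡,为Master apiserver提供负载均衡
# Layer-4 pass-through: TLS is not terminated here, so client certificates and
# the apiserver's own serving cert are still validated end to end.
stream {
    log_format main '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';
    access_log /var/log/nginx/k8s-access.log main;

    upstream k8s-apiserver {
        server 192.168.3.34:6443;
        server 192.168.3.36:6443;
        server 192.168.3.38:6443;
    }

    server {
        listen 6443; # 如果nginx与master节点部署在一起,这个监听端口不能是6443,否则会冲突
        # (If nginx shares a host with a master, this port must not be 6443.)
        proxy_pass k8s-apiserver;
    }
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Stock default vhost on :80. Nothing in the cluster needs it; remove this
    # server block (or block port 80) if this host is a dedicated LB.
    server {
        listen 80 default_server;
        server_name _;
        location / {
        }
    }
}
EOF

# Validate the configuration before restarting so a typo cannot take the
# apiserver endpoint down.
sudo nginx -t && sudo systemctl restart nginx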
四. 系统基础配置(所有节点)
1.关闭selinux,关闭防火墙,关闭交换分区
# Firewall, SELinux and swap. Disabling firewalld exposes every port on the
# node; the alternative described in the kubeadm install docs is to keep it
# and allow only the cluster ports (6443, 2379-2380, 10250, 10257, 10259 on
# control-plane nodes; 10250 and 30000-32767 on workers).
systemctl disable --now firewalld

# Permissive keeps SELinux logging denials without blocking anything; this is
# the setting the upstream kubeadm instructions use, not "disabled".
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# The kubelet refuses to start with swap active: comment out every fstab
# line mentioning swap (so it stays off after reboot), then turn it off now.
sed -i 's/.swap./#&/' /etc/fstab
swapoff -a
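# The hostname is per node: run the matching command on each machine
# (master1 / master2 / master3 / node1 / node2), not "master1" everywhere.
hostnamectl set-hostname master1

# /etc/hosts entries for every cluster member, taken from the host inventory
# at the top of this document. The original listed 192.168.3.10/11/15, which
# match none of the addresses used elsewhere (nginx upstreams 3.34/3.36/3.38,
# kubeadm advertiseAddress 3.34).
cat >> /etc/hosts << EOF
192.168.3.35 baseos
192.168.3.34 master1
192.168.3.36 master2
192.168.3.38 master3
192.168.1.114 node1
192.168.1.115 node2
EOF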
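# Kernel modules needed by containerd (overlay) and by the bridge sysctls
# (br_netfilter). They are loaded FIRST: the net.bridge.* keys do not exist
# until br_netfilter is loaded, so the original order (sysctl --system before
# modprobe) silently skipped them on a fresh boot.
cat << EOF | sudo tee /etc/modules-load.d/k8s.conf
overlay
br_netfilter
EOF
sudo modprobe overlay
sudo modprobe br_netfilter

# One sysctl drop-in. The original wrote /etc/sysctl.d/k8s.conf twice; the
# second, three-line write overwrote the first and discarded the inotify,
# file-max and conntrack tuning. The duplicated bridge-nf keys are merged.
# net.netfilter.nf_conntrack_max only exists once nf_conntrack is loaded
# (done in the IPVS step below); re-run "sysctl --system" afterwards if it
# reports that key as missing.
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
net.ipv4.tcp_tw_recycle = 0
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720
EOF
sysctl --system

# Verify the modules and the three keys that kubeadm preflight checks.
lsmod | grep br_netfilter
lsmod | grep overlay
sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables net.ipv4.ip_forward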
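# Time sync: certificate validation and etcd both depend on synchronized clocks.
yum install chrony -y
systemctl enable --now chronyd && chronyc sources
ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime

# "sudo echo ... >> file" runs only echo under sudo; the redirection is done
# by the calling shell, so for a non-root user it fails with permission denied.
echo 'LANG="en_US.UTF-8"' | sudo tee -a /etc/profile > /dev/null; source /etc/profile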
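# IPVS kernel modules for kube-proxy. NOTE: nothing on this page switches
# kube-proxy to ipvs mode (kubeadm defaults to iptables and kubeadm-init.yaml
# below carries no KubeProxyConfiguration), so these modules are loaded but
# unused unless "mode: ipvs" is configured.
yum -y install ipset ipvsadm
mkdir -p /etc/sysconfig/ipvsadm

# The heredoc terminator must stand on its own line; the original had "EOF"
# fused onto the first modprobe line, which makes the shell wait for input.
cat > /etc/sysconfig/ipvsadm/ipvs.modules << EOF
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack
EOF
chmod 755 /etc/sysconfig/ipvsadm/ipvs.modules && bash /etc/sysconfig/ipvsadm/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack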
五. 容器运行时安装(所有节点)
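# Container runtime: containerd.io from the Docker CE repo, via the Aliyun mirror.
# Quote the glob so the shell cannot expand it against files in the cwd.
yum -y remove 'docker*'
rpm -qa | grep docker

sudo curl -o /etc/yum.repos.d/docker-ce.repo https://download.docker.com/linux/centos/docker-ce.repo
# This rewrites EVERY download.docker.com reference in the repo file,
# including gpgkey=, so package signatures are now checked against a key
# fetched from the mirror. Compare that key's fingerprint with the one
# published in Docker's documentation before trusting it.
sudo sed -i 's+download.docker.com+mirrors.aliyun.com/docker-ce+' /etc/yum.repos.d/docker-ce.repo
sudo yum install -y containerd.io

containerd config default | sudo tee /etc/containerd/config.toml
# The kubelet is configured for the systemd cgroup driver; containerd must match.
sudo sed -i 's/\bSystemdCgroup = false\b/SystemdCgroup = true/' /etc/containerd/config.toml
# Pause image from the mirror, same tag kubeadm 1.29 expects (3.9).
sudo sed -i 's/sandbox_image = ".\+"/sandbox_image = "registry.cn-hangzhou.aliyuncs.com\/google_containers\/pause:3.9"/' /etc/containerd/config.toml
# Confirm both edits actually matched before starting the service.
grep -nE 'SystemdCgroup|sandbox_image' /etc/containerd/config.toml

sudo systemctl enable --now containerd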
六. 安装kubeadm,kubelet,kubectl(所有节点)
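# Kubernetes v1.29 package repo (pkgs.k8s.io). gpgcheck=1 verifies package
# signatures; the exclude= line stops a routine "yum update" from upgrading
# the cluster components, which is why --disableexcludes is needed below.
cat << EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://pkgs.k8s.io/core:/stable:/v1.29/rpm/
enabled=1
gpgcheck=1
gpgkey=https://pkgs.k8s.io/core:/stable:/v1.29/rpm/repodata/repomd.xml.key
exclude=kubelet kubeadm kubectl cri-tools kubernetes-cni
EOF

# "--disableexcludes = kubernetes" (with spaces) is not a valid option form.
# Versions are pinned to those in the software list so a later 1.29.x patch
# release does not get installed silently.
sudo yum install -y kubelet-1.29.4 kubeadm-1.29.4 kubectl-1.29.4 --disableexcludes=kubernetes

# kubeadm already defaults the kubelet to cgroupDriver: systemd through its
# KubeletConfiguration; the flag is kept here to mirror the containerd setting.
sudo sed -i 's/^KUBELET_EXTRA_ARGS=.*/KUBELET_EXTRA_ARGS="--cgroup-driver=systemd"/' /etc/sysconfig/kubelet
sudo systemctl enable --now kubelet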
七. kubeadm初始化(master1节点)
1.因kubeadm默认生成的证书有效期只有一年,所以需要下载k8s源码修改证书有效期
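# Rebuild kubeadm from source with certificate validity raised to 100 years
# (kubeadm's built-in values are 1 year for leaf certs and 10 years for the CA).
# Understand the trade-off first: Kubernetes has no certificate revocation
# list, so a leaked 100-year client certificate (e.g. the cluster-admin cert
# inside admin.conf) can only be invalidated by rotating the CA. The supported
# alternative is periodic "kubeadm certs renew all" (check with
# "kubeadm certs check-expiration"), which can simply be scheduled.
rpm --import https://mirror.go-repo.io/centos/RPM-GPG-KEY-GO-REPO
curl -s https://mirror.go-repo.io/centos/go-repo.repo | tee /etc/yum.repos.d/go-repo.repo
yum install golang -y

# Fetch the exact release sources and verify the archive before building
# anything from it (record the expected checksum out of band).
wget https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.29.4.tar.gz
sha256sum v1.29.4.tar.gz   # compare with: <EXPECTED_SHA256_PLACEHOLDER>
tar -zxvf v1.29.4.tar.gz

# Absolute path: the original chained two relative "cd kubernetes-1.29.4/..."
# commands, and the second cannot resolve from inside the first directory.
SRC="$PWD/kubernetes-1.29.4"

# 1) CA validity (cert.go): change the NotAfter line to
#      NotAfter: now.Add(duration365d * 100).UTC(),
vi "$SRC/staging/src/k8s.io/client-go/util/cert/cert.go"

# 2) Leaf-certificate validity (constants.go): set
#      CertificateValidity = time.Hour * 24 * 365 * 100
vi "$SRC/cmd/kubeadm/app/constants/constants.go"

cd "$SRC"
# "WHAT = cmd/kubeadm" with spaces passes three separate words to make;
# variable assignments must be WHAT=... and GOFLAGS=...
make WHAT=cmd/kubeadm GOFLAGS=-v

# Keep the packaged binary; note a later "yum update kubeadm" will replace
# the patched one, so the exclude= in kubernetes.repo matters here too.
mv /usr/bin/kubeadm /usr/bin/kubeadm.old
cp _output/bin/kubeadm /usr/bin/

kubeadm config print init-defaults > kubeadm-init.yaml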
2. 配置 kubeadm-init.yaml
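# kubeadm-init.yaml — output of "kubeadm config print init-defaults", edited for
# this cluster. Two documents: InitConfiguration (this node) and
# ClusterConfiguration (cluster-wide).
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    # This is kubeadm's well-known placeholder token. It is public and valid
    # for 24h, so during that window anyone who can reach 192.168.3.35:6443
    # could register a node. Replace it with "kubeadm token generate" output,
    # and delete it with "kubeadm token delete" once all nodes have joined.
    token: abcdef.0123456789abcdef
    ttl: 24h0m0s
    usages:
      - signing
      - authentication
localAPIEndpoint:
  advertiseAddress: 192.168.3.34   # master1
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/containerd/containerd.sock
  imagePullPolicy: IfNotPresent
  name: master1
  # null (unset) lets kubeadm apply its default control-plane taint;
  # "taints: []" is what would disable it.
  taints: null
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  timeoutForControlPlane: 4m0s
  # Extra SANs for the apiserver serving cert: every control-plane IP, the
  # load balancer (192.168.3.35) and the hostnames. 192.168.3.38 (master3 in
  # the host inventory and in the nginx upstream) was missing. 192.168.3.37 is
  # not in the inventory — keep it only if it is a planned VIP.
  certSANs:
    - 192.168.3.34
    - 192.168.3.35
    - 192.168.3.36
    - 192.168.3.37
    - 192.168.3.38
    - master1
    - master2
    - master3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
# The nginx stream load balancer; every kubeconfig and join command points here.
controlPlaneEndpoint: "192.168.3.35:6443"
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kubernetesVersion: "1.29.4"
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  # Must equal CALICO_IPV4POOL_CIDR in calico.yaml. 30.100.0.0/16 is not
  # RFC 1918 space: while it is in use, pods cannot reach any Internet host
  # inside 30.0.0.0/8. A private range (e.g. 10.x or 172.16/12) avoids that.
  podSubnet: 30.100.0.0/16
scheduler: {}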
3. 初始化master1节点
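# "--config = kubeadm-init.yaml" (spaced) is parsed as three arguments; the
# flag must be written --config=FILE. Adding --upload-certs here would print a
# --certificate-key for the control-plane joins and make the manual scp of the
# CA private keys in section 九 unnecessary.
kubeadm init --config=kubeadm-init.yaml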
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
kubeadm join 192.168.3.35:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:bc586fecb737f0e560b7a151d6efe289209a12affe5a8d5c5f980df6182de21e \
--control-plane
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.3.35:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:bc586fecb737f0e560b7a151d6efe289209a12affe5a8d5c5f980df6182de21e
# Make the freshly generated kubeconfig usable by the current user.
# admin.conf carries a cluster-admin client certificate: keep the copy at
# mode 0600 and do not hand it out to other users.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
kubectl get node
八. 安装网络插件(master1节点)
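# Calico CNI, pinned to v3.26.1 (matches the image list at the top).
wget https://raw.githubusercontent.com/projectcalico/calico/v3.26.1/manifests/calico.yaml

# Edit the calico-node container env in calico.yaml. The YAML to set is kept
# as a comment here so this listing can be pasted into a shell as a whole:
#   - name: CALICO_IPV4POOL_CIDR
#     value: "30.100.0.0/16"        # must equal podSubnet in kubeadm-init.yaml
#   - name: IP_AUTODETECTION_METHOD
#     value: "interface=eth0"       # the NIC name must exist on EVERY node;
#                                   # confirm with "ip -br link" before applying
vim calico.yaml

kubectl apply -f calico.yaml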
九. master节点加入集群
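# Copy the cluster CA material from master1 to the other control-plane nodes
# so they can "kubeadm join --control-plane". This ships the CA PRIVATE keys
# (ca.key, sa.key, front-proxy-ca.key, etcd/ca.key) over scp as root; the
# supported alternative is "kubeadm init --upload-certs" plus
# "kubeadm join --certificate-key", which keeps them in a short-lived,
# encrypted Secret instead. admin.conf is regenerated by the join itself, so
# copying it is optional and is kept only to match the original procedure.
# The original ran "mkdir -p" on master1, but the directories must exist on
# the TARGET host or scp fails; they are created remotely here.
for m in 192.168.3.36 192.168.3.38; do
  ssh root@$m 'mkdir -p /etc/kubernetes/pki/etcd ~/.kube'
  scp /etc/kubernetes/admin.conf root@$m:/etc/kubernetes/
  scp /etc/kubernetes/pki/ca.* root@$m:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/sa.* root@$m:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/front-proxy-ca.* root@$m:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/etcd/ca.* root@$m:/etc/kubernetes/pki/etcd/
done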
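# Run on master2 and master3. The token and the CA hash are the ones printed
# by "kubeadm init" above (the hash pins the cluster CA, so the join cannot be
# redirected to another apiserver). "192.168 .3.35" in the original was a
# typo; the endpoint is the nginx load balancer.
kubeadm join 192.168.3.35:6443 --token abcdef.0123456789abcdef \
  --discovery-token-ca-cert-hash sha256:bc586fecb737f0e560b7a151d6efe289209a12affe5a8d5c5f980df6182de21e \
  --control-plane

mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
kubectl get node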
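# Widen the NodePort range. This edits a per-node static-pod manifest, so the
# same change has to be made on master2 and master3 as well — or set once for
# all of them in ClusterConfiguration (apiServer.extraArgs:
# service-node-port-range) before "kubeadm init".
# Security note: a 1-65535 range lets any NodePort Service claim a port that a
# host daemon uses (22, 6443, 10250, ...); kube-proxy's rules on the node IP
# can then shadow that daemon. A bounded range above 30000 avoids this.
vim /etc/kubernetes/manifests/kube-apiserver.yaml
#   - --service-node-port-range=1-65535
# The kubelet re-reads static-pod manifests on change, so the restart is
# normally not required; it is harmless if kept.
systemctl restart kubelet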
十. node节点加入集群
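# Run on node1 and node2. Same token/CA hash as above; "192.168 .3.35" was a typo.
kubeadm join 192.168.3.35:6443 --token abcdef.0123456789abcdef \
  --discovery-token-ca-cert-hash sha256:bc586fecb737f0e560b7a151d6efe289209a12affe5a8d5c5f980df6182de21e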
十一. 检查集群状态
[root@master1 ~]# kubectl get node
NAME      STATUS   ROLES           AGE     VERSION
master1   Ready    control-plane   18h     v1.29.4
master2   Ready    control-plane   17h     v1.29.4
master3   Ready    control-plane   6h      v1.29.4
node1     Ready    <none>          6h21m   v1.29.4
node2     Ready    <none>          6h20m   v1.29.4
十二. 安装ingress
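# ingress-nginx 1.10.0. The original downloaded deploy.yaml from the "main"
# branch, which drifts over time: its image references would stop matching
# the sed patterns below (pinned to v1.10.0@sha256:...) and whatever version
# main currently carries would be deployed instead. Fetch the release tag.
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.0/deploy/static/provider/cloud/deploy.yaml

# Point both images at the Aliyun mirror. The replacement drops the @sha256
# digest, so the mirrored images are no longer content-pinned; append the
# digest reported by the mirror to restore that guarantee.
sed -i 's+registry.k8s.io/ingress-nginx/controller:v1.10.0@sha256:42b3f0e5d0846876b1791cd3afeb5f1cbbe4259d6f35651dcc1b5c980925379c+registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.10.0+' deploy.yaml
sed -i 's+registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.0@sha256:44d1d0e9f19c63f58b380c5fddaca7cf22c7cee564adeff365225a5df5ef3334+registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0+' deploy.yaml
# Confirm both substitutions matched before applying.
grep -n 'image:' deploy.yaml

# This is the "cloud" provider manifest (Service type LoadBalancer). Without
# a load-balancer implementation the EXTERNAL-IP stays <pending>; the
# baremetal manifest (NodePort) or MetalLB is the usual choice on bare metal.
kubectl apply -f deploy.yaml

# The edited manifest as applied is reproduced below (the original opened it
# under the name ingress-nginx-deploy.yaml; the file applied was deploy.yaml).
vim ingress-nginx-deploy.yaml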
# Namespace and the two ServiceAccounts used by ingress-nginx 1.10.0.
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
# The controller talks to the API server, so its token must be mounted.
automountServiceAccountToken: true
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
---
# Namespace-scoped permissions for the controller (in its own namespace) and
# for the admission-certificate jobs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get]
  - apiGroups: [""]
    resources: [configmaps, pods, secrets, endpoints]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [networking.k8s.io]
    resources: [ingressclasses]
    verbs: [get, list, watch]
  # Leader election: update is limited to the single named lease.
  - apiGroups: [coordination.k8s.io]
    resourceNames: [ingress-nginx-leader]
    resources: [leases]
    verbs: [get, update]
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [create]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
  - apiGroups: [discovery.k8s.io]
    resources: [endpointslices]
    verbs: [list, watch, get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
rules:
  # The certgen jobs create/read the webhook TLS secret in this namespace.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, create]
---
# Cluster-wide permissions. Note the controller can list/watch Secrets in
# EVERY namespace — required so Ingress resources anywhere can reference TLS
# secrets, but it means a compromise of the controller pod exposes all
# secrets cluster-wide; restrict with --watch-namespace if that is acceptable.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
rules:
  - apiGroups: [""]
    resources: [configmaps, endpoints, nodes, pods, secrets, namespaces]
    verbs: [list, watch]
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [list, watch]
  - apiGroups: [""]
    resources: [nodes]
    verbs: [get]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
  - apiGroups: [networking.k8s.io]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [networking.k8s.io]
    resources: [ingressclasses]
    verbs: [get, list, watch]
  - apiGroups: [discovery.k8s.io]
    resources: [endpointslices]
    verbs: [list, watch, get]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
rules:
  # The patch job writes the generated CA bundle into the webhook configuration.
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations]
    verbs: [get, update]
---
# Bindings: controller SA -> Role/ClusterRole "ingress-nginx";
# admission SA -> Role/ClusterRole "ingress-nginx-admission".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Controller ConfigMap and the two Services (public entry point, webhook).
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
data:
  # Keep "false": snippet annotations let any Ingress author inject raw nginx
  # configuration into the shared controller.
  allow-snippet-annotations: "false"
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  # From the "cloud" manifest: needs a LoadBalancer implementation, otherwise
  # EXTERNAL-IP stays <pending> on this bare-metal cluster.
  type: LoadBalancer
  # Local preserves the client source IP (traffic is not SNATed across nodes).
  externalTrafficPolicy: Local
  ipFamilies: [IPv4]
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      appProtocol: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      appProtocol: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  # Only the API server calls this (validating webhook); cluster-internal.
  type: ClusterIP
  ports:
    - name: https-webhook
      appProtocol: https
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
---
# The ingress-nginx controller Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: "1.10.0"
    spec:
      serviceAccountName: ingress-nginx
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      terminationGracePeriodSeconds: 300
      containers:
        - name: controller
          # Mirror image. The upstream @sha256 digest was removed by the sed
          # rewrite, so this tag is mutable; pin a digest if the mirror has one.
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.10.0
          imagePullPolicy: IfNotPresent
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-nginx-leader
            - --controller-class=k8s.io/ingress-nginx
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
            - --enable-metrics=false
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          lifecycle:
            preStop:
              exec:
                command: [/wait-shutdown]
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
          securityContext:
            # Non-root (uid 101) with every capability dropped except the one
            # needed to bind 80/443; seccomp default profile applied.
            runAsNonRoot: true
            runAsUser: 101
            allowPrivilegeEscalation: false
            capabilities:
              add: [NET_BIND_SERVICE]
              drop: [ALL]
            # nginx writes its generated config and temp files to the root fs.
            readOnlyRootFilesystem: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# One-shot Jobs: "create" generates the webhook TLS secret, "patch" installs
# the CA bundle into the ValidatingWebhookConfiguration.
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: "1.10.0"
    spec:
      serviceAccountName: ingress-nginx-admission
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: create
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: "1.10.0"
    spec:
      serviceAccountName: ingress-nginx-admission
      restartPolicy: OnFailure
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: patch
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.4.0
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            # Fail closed: if the webhook is unreachable, Ingress writes are rejected.
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
---
# IngressClass "nginx" and the validating webhook that checks Ingress objects
# against the controller before they are stored.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: ingress-nginx-admission
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: "1.10.0"
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    admissionReviewVersions: [v1]
    clientConfig:
      service:
        name: ingress-nginx-controller-admission
        namespace: ingress-nginx
        path: /networking/v1/ingresses
    # Fail closed; the caBundle is filled in by the admission-patch Job.
    failurePolicy: Fail
    matchPolicy: Equivalent
    sideEffects: None
    rules:
      - apiGroups: [networking.k8s.io]
        apiVersions: [v1]
        operations: [CREATE, UPDATE]
        resources: [ingresses]
十三. 部署metrics
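# Edit components.yaml BEFORE applying it. The original applied first and
# opened the editor afterwards, so the edited image/flags were never deployed.
vim components.yaml
kubectl apply -f components.yaml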
# metrics-server: ServiceAccount, RBAC and Service.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:aggregated-metrics-reader
  labels:
    k8s-app: metrics-server
    # Aggregated into the built-in admin/edit/view roles.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: [metrics.k8s.io]
    resources: [pods, nodes]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
  labels:
    k8s-app: metrics-server
rules:
  # nodes/stats is the kubelet resource-usage endpoint it scrapes.
  - apiGroups: [""]
    resources: [pods, nodes, nodes/stats, namespaces, configmaps]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-server-auth-reader
  namespace: kube-system
  labels:
    k8s-app: metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
  - kind: ServiceAccount
    name: metrics-server
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
  labels:
    k8s-app: metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: metrics-server
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:metrics-server
  labels:
    k8s-app: metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
  - kind: ServiceAccount
    name: metrics-server
    namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    k8s-app: metrics-server
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
---
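# metrics-server Deployment (v0.5.2 from the mirror). The container security
# context is brought in line with the ingress-nginx manifests on this page
# (no privilege escalation, all capabilities dropped, default seccomp);
# metrics-server binds 4443 as uid 1000 and needs none of them.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      priorityClassName: system-cluster-critical
      nodeSelector:
        kubernetes.io/os: linux
      containers:
        - name: metrics-server
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server:v0.5.2
          imagePullPolicy: IfNotPresent
          args:
            - --cert-dir=/tmp
            - --secure-port=4443
            - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
            - --kubelet-use-node-status-port
            - --metric-resolution=15s
            # Skips verification of each kubelet's serving certificate. Needed
            # here because kubeadm kubelets use self-signed serving certs by
            # default. The fix that lets this flag be removed is
            # serverTLSBootstrap: true in the KubeletConfiguration plus approving
            # the resulting kubelet-serving CSRs.
            - --kubelet-insecure-tls
          ports:
            - name: https
              containerPort: 4443
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /livez
              port: https
              scheme: HTTPS
            periodSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /readyz
              port: https
              scheme: HTTPS
            initialDelaySeconds: 20
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            # Self-signed serving cert is generated into /tmp (--cert-dir).
            - name: tmp-dir
              mountPath: /tmp
      volumes:
        - name: tmp-dir
          emptyDir: {}
---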
# Registers metrics-server as the backend for the metrics.k8s.io/v1beta1 API.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
  labels:
    k8s-app: metrics-server
spec:
  group: metrics.k8s.io
  version: v1beta1
  groupPriorityMinimum: 100
  versionPriority: 100
  # The API server does not verify metrics-server's serving certificate
  # (it is self-signed, generated into /tmp at start-up). To turn this off,
  # issue metrics-server a cert from a CA you control (--tls-cert-file /
  # --tls-private-key-file) and put that CA in caBundle here.
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system