前戏:
Kubernetes中文文档
Kubernetes集群部署
部署web UI(Dashboard)
- 拉取到本地,创建容器
[root@Fone7 dashboard]# kubectl create -f dashboard-configmap.yaml
configmap/kubernetes-dashboard-settings created
[root@Fone7 dashboard]# kubectl create -f dashboard-rbac.yaml
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created
[root@Fone7 dashboard]# kubectl create -f dashboard-secret.yaml
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-key-holder created
- 修改镜像地址
# vim dashboard-controller.yaml
image: registry.cn-beijing.aliyuncs.com/kubernetes2s/kubernetes-dashboard-amd64
# kubectl create -f dashboard-controller.yaml
serviceaccount/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
[root@Fone7 dashboard]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
kubernetes-dashboard-77fd5947f-gqgft 1/1 Running 0 5m3s
- 修改yml文件,允许其他节点访问
# vim dashboard-service.yaml
spec:
# 加入下面这一行
type: NodePort
...
# kubectl create -f dashboard-service.yaml
service/kubernetes-dashboard created
- 生成token
# vim k8s-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: dashboard-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
# kubectl create -f k8s-admin.yaml
serviceaccount/dashboard-admin created
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@Fone7 k8s]# kubectl get secret -n kube-system
NAME TYPE DATA AGE
dashboard-admin-token-vzmfz kubernetes.io/service-account-token 3 49s
default-token-9slj4 kubernetes.io/service-account-token 3 23h
kubernetes-dashboard-certs Opaque 0 43m
kubernetes-dashboard-key-holder Opaque 2 43m
kubernetes-dashboard-token-jmk6l kubernetes.io/service-account-token 3 20m
[root@Fone7 k8s]# kubectl describe secret dashboard-admin-token-vzmfz -n kube-system
Name: dashboard-admin-token-vzmfz
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 103c7142-9973-11ea-b60d-080027b6e76f
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1359 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tdnptZnoiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMTAzYzcxNDItOTk3My0xMWVhLWI2MGQtMDgwMDI3YjZlNzZmIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.twUnFS7avAu4B8IuozgYDbic8GxkrIyc7P205-pG0h5giiQeU-sIJNWc-fKR0DLDzb98QZqAILH6CNCUNwSJwynUxIBoKIkJqaA-ljfGeHh4xSCCoNb7vG66UPjP1mC5woxyIRMg5TTeAWpkMKUm21sp6HVsZHLxyMUk99EtpXa13vWsv2HSN_LWG5zN2zndKFQQ-57K_p5DoJxqHGDLoSJOQ1_DSuFs1wydH15ot0PORaU0nLGNHlPrtWYlCyARhC4tiUmwMsx0c6LqTh3ZbFmXiswFwGAhSVNMgfAS0YIBGwTAndEi_lPsmA_1cV0k2Gn7GoHIxNvKZtYtWe735g
- 浏览器登陆
[root@Fone7 dashboard]# kubectl get svc -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.0.0.19 <none> 443:49208/TCP 80s
在火狐浏览器访问https://192.168.33.8:49208。(谷歌浏览器无法访问,使用火狐)
将上面 kubectl describe secret 输出的 token 粘贴到“令牌”输入框,登录。注意:该 token 通过 ClusterRoleBinding 绑定到 cluster-admin,拥有整个集群的完全控制权,等同于集群管理员凭据,不要写入文档或随意分享。
- 总结
- 部署:
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kubeflannel.yml - 将Service改为NodePort
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
- 认证:
认证时的账号必须为ServiceAccount:被dashboard pod拿来由kubernetes进行认证;
- token:
(1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
(2)获取到此ServiceAccount的secret,查看secret的详细信息,其中就有token;
- kubeconfig: 把ServiceAccount的token封装为kubeconfig文件
(1)创建ServiceAccount,根据其管理目标,使用rolebinding或clusterrolebinding绑定至合理role或clusterrole;
(2)kubectl get secret | awk '/^ServiceAccount/{print $1}'
KUBE_TOKEN=$(kubectl get secret SERVICEACCOUNT_SECRET_NAME -o jsonpath='{.data.token}' | base64 -d)
(3)生成kubeconfig文件
kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-credentials NAME --token=$KUBE_TOKEN --kubeconfig=/PATH/TO/SOMEFILE
kubectl config set-context
kubectl config use-context
完整示例:
kubectl config set-cluster mycluster --kubeconfig=/root/def-ns-admin.conf --server="https://192.168.33.6:6443" --certificate-authority=/etc/kubernetes/pki/ca.crt --embed-certs=true
kubectl config set-credentials def-ns-admin --token="$DEF_NS_ADMIN_TOKEN" --kubeconfig=/root/def-ns-admin.conf
kubectl config set-context def-ns-admin@kubernetes --cluster=kubernetes --user=def-ns-admin --kubeconfig=/root/def-ns-admin.conf
kubectl config view --kubeconfig=/root/def-ns-admin.conf
kubectl config use-context def-ns-admin@kubernetes --kubeconfig=/root/def-ns-admin.conf
(注意:set-context 中 --cluster 的值需要与 set-cluster 时指定的集群名一致,否则该上下文找不到对应的集群配置。)
注意:
- dashboard镜像版本使用1.8.3时dashboard登录会有跳过按钮,1.10.1版本去除了跳过按钮(保证安全性)
- 上面 k8s-admin.yaml 把 dashboard-admin 直接绑定到 cluster-admin,方便实验但权限过大;生产环境应按管理范围绑定最小权限的 Role/ClusterRole。另外 rbac.authorization.k8s.io/v1beta1 在 Kubernetes 1.22 起已移除,新版本应使用 rbac.authorization.k8s.io/v1。
部署多master集群
- 将master节点文件复制到master2上
# scp -r /opt/kubernetes/ master2:/opt/
# scp /usr/lib/systemd/system/{kube-apiserver,kube-scheduler,kube-controller-manager}.service master2:/usr/lib/systemd/system
- 在master2节点上修改配置文件IP并启动
# cd /opt/kubernetes/cfg/
# vim kube-apiserver
# systemctl start kube-apiserver
# systemctl start kube-scheduler
# systemctl start kube-controller-manager
# ps -fe | grep kube
# /opt/kubernetes/bin/kubectl get cs
# /opt/kubernetes/bin/kubectl get nodes
nginx + keepalived(LB)
待验证
nginx主备节点安装nginx参考
- 修改配置文件
# vim /etc/nginx/nginx.conf
# 修改,加大后台进程
worker_processes 4;
# http上面加入
stream {
log_format main "$remote_addr $upstream_addr - $time_local $status";
access_log /var/log/nginx/k8s-access.log main;
upstream k8s-apiserver {
server 192.168.33.7:6443;
}
server {
listen 0.0.0.0:88;
proxy_pass k8s-apiserver;
}
}
# systemctl restart nginx
# systemctl status nginx
# ps -ef | grep nginx
# yum install -y keepalived
# vim /etc/keepalived/keepalived.conf
global_defs {
# 接收邮件地址
notification_email {
acassen@firewall.loc
failover@firewall.loc
sysadmin@firewall.loc
}
# 邮件发送地址
notification_email_from Alexandre.Cassen@firewall.loc
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id NGINX_MASTER
}
vrrp_script check_nginx {
script "/usr/local/nginx/sbin/check_nginx.sh"
}
vrrp_instance VI_1 {
state MASTER # 备节点则改为BACKUP
interface enp0s3 # 这里修改为配置VIP的网卡
virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的
priority 100 # 优先级,备服务器设置 90
advert_int 1 # 指定VRRP 心跳包通告间隔时间,默认1秒
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
192.168.33.10/24
}
track_script {
check_nginx
}
}
# vim /usr/local/nginx/sbin/check_nginx.sh
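#!/usr/bin/env bash
# keepalived track_script (referenced as check_nginx in keepalived.conf):
# when no nginx process is left on this node, stop keepalived so the VIP
# can fail over to the other node.
# pgrep -x matches the process name exactly, so editors or grep commands whose
# arguments merely contain the word "nginx" are not counted; the former
# ps|grep pipeline had to filter those out by hand and could over-match.
count=$(pgrep -c -x nginx)
if [ "$count" -eq 0 ]; then
  systemctl stop keepalived
fi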
# chmod +x /usr/local/nginx/sbin/check_nginx.sh
# systemctl start keepalived
# ip a # 查看VIP是否生效
- 在两个node节点修改配置(server改为192.168.33.10:88)
# cd /opt/kubernetes/cfg/
# grep 7 *
# vim bootstrap.kubeconfig
# vim kubelet.kubeconfig
# vim kube-proxy.kubeconfig
# systemctl restart kubelet
# systemctl restart kube-proxy
# ps -ef | grep kube
回到master检查集群状态:kubectl get node
kubectl命令行管理工具
- 命令概要:
- kubectl管理应用程序生命周期
- 创建
kubectl run nginx --replicas=3 --image=nginx:1.14 --port=80
kubectl get deploy,pods
说明:
--replicas: 副本数,一般在两个以上,相当于跑了多少个服务
- 发布
kubectl expose deployment nginx --port=80 --type=NodePort --target-port=80 --name=nginx-service
检查:
kubectl get service
kubectl get pods
kubectl logs [pod_name]
kubectl describe pod [pod_name]
- 更新
kubectl set image deployment/nginx nginx=nginx:1.15
触发滚动更新,保证业务不中断进行发布更新
kubectl get pods 查看滚动更新过程
- 回滚
查看:
kubectl rollout history deployment/nginx
回滚到上一个版本:(同样是滚动更新)
kubectl rollout undo deployment/nginx
- 删除
kubectl delete deploy/nginx
kubectl delete svc/nginx-service
- kubectl远程连接K8s集群
- 设置连接的API地址
kubectl config set-cluster kubernetes \
  --server=https://192.168.33.7:6443 \
  --embed-certs=true \
  --certificate-authority=ca.pem \
  --kubeconfig=config
- 设置使用的证书
kubectl config set-credentials cluster-admin \
  --certificate-authority=ca.pem \
  --embed-certs=true \
  --client-key=admin-key.pem \
  --client-certificate=admin.pem \
  --kubeconfig=config
- 设置上下文
kubectl config set-context default --cluster=kubernetes --user=cluster-admin --kubeconfig=config
kubectl config use-context default --kubeconfig=config
- 执行完成以后会生成一个config文件,将其复制到远程连接机器中的~/.kube/目录下,即可使用kubectl命令管理k8s集群。由于 --embed-certs=true 把管理员客户端私钥(admin-key.pem)直接嵌入了该文件,复制后应限制为仅当前用户可读(如 chmod 600),并按管理员凭据妥善保管。
如果config不是放在~/.kube/目录,需要使用参数指定文件位置--kubeconfig config
YAML 配置文件管理资源
- 语法格式:
- 缩进表示层级关系
- 不支持制表符tab缩进,只支持使用空格缩进
- 通常开头缩进2个空格
- 字符后缩进1个空格,如冒号、逗号等
- “---”表示YAML格式,表示一个文件的开始或者分割
- “#”注释
- 配置文件说明:
- 定义配置时,指定最新稳定版API(当前为v1);
- 配置文件应该存储在集群之外的版本控制仓库中。如果需要,可以快速回滚配置、重新创建和恢复;
- 应该使用YAML格式编写配置文件,而不是JSON。尽管这些格式都可以使用,但YAML对用户更加友好;
- 可以将相关对象组合成单个文件,通常会更容易管理;
- 不要没必要的指定默认值,简单和最小配置减少错误;
- 在注释中说明一个对象描述更好维护。
- 饭粒:创建并启动一个nginx实例
# vim nginx-deployment.yaml
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: nginx-deployment
spec:
selector:
matchLabels:
app: nginx
replicas: 2 # tells deployment to run 2 pods matching the template
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.14.2
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: nginx-service
labels:
app: nginx
spec:
type: NodePort
ports:
- port: 80
targetPort: 80
selector:
app: nginx
# kubectl create -f nginx-deployment.yaml
实时查看pod创建情况
# kubectl get pod -w
# kubectl get svc
获取所有版本
# kubectl api-versions
在浏览器访问 node IP:端口
配置文件说明:
- 系统生成YAML配置文件
- 饭粒1:使用run命令导出
kubectl run nginx --image=nginx --replicas=3 --dry-run -o yaml > my-deployment.yaml
说明:
- 加上 --dry-run 参数不会真正执行,只是做检查。
- -o 指定输出格式,可以指定yaml、json格式。
- > 重定向到输出文件。
- 系统会将提交创建资源对象的所有字段都输出,可以进入文件将不需要的删除。
获取资源清单:kubectl api-resources
- 饭粒2:使用get命令导出
kubectl get deploy/nginx --export -o yaml > me-deploy.yaml
说明见饭粒1。注意:--export 参数自 kubectl 1.14 起已弃用,并在 1.18 中移除;新版本中直接去掉该参数导出,再手工删除 status 等运行时字段即可。
忘记关键字查找
kubectl explain --help
例如,查看容器资源可用字段:kubectl explain pods.spec.containers
这个命令会输出顶层的属性,我们只需要明白<string>
表示字符串,<Object>
表示对象, [] 表示数组即可,对象在 YAML 文件中就需要缩进,数组就需要通过添加一个破折号来表示一个 Item,对于对象和对象数组我们不知道里面有什么属性的,我们还可以继续在后面查看。可以传入一个--recursive
参数来获取所有层级属性。
kubectl api-resources
可以打印所有已经注册的API资源。
-
深入理解Pod
- Pod
- 最小部署单元
- 一组容器的集合
- 一个Pod中的容器共享网络命名空间
- Pod是短暂的
- 容器分类
- Infrastructure Container:基础容器
- 维护整个Pod网络空间
- InitContainers:初始化容器 官文
- 先于业务容器执行
- Containers:业务容器
- 并行启动
- Infrastructure Container:基础容器
- 镜像拉取策略(imagePullPolicy)
- IfNotPresent:默认值,镜像在宿主机上不存在时才拉取
- Always:每次创建Pod都会重新拉取一次镜像
- Never:Pod永远不会主动拉取这个镜像
- 拉取需要认证的仓库镜像(私有镜像)
- 登陆
docker login -p [password] -u [username]
注意:-p 会把密码留在 shell 历史记录和 ps 输出中,更安全的做法是 docker login -u [username] --password-stdin,让密码从标准输入读取。
- 获取认证信息
cat .docker/config.json
cat .docker/config.json | base64 -w 0
# vim registry-pull-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: registry-pull-secret
namespace: blog
data:
.dockerconfigjson: [上面生成的base64编码]
type: kubernetes.io/dockerconfigjson
# kubectl create -f registry-pull-secret.yaml
# kubectl get secret
输出的Data大于0才算配置成功。注意:.dockerconfigjson 中的内容只是 base64 编码而非加密,凡是有权读取该 namespace 下 Secret 的用户都能还原出镜像仓库的登录凭据,应通过 RBAC 限制对 Secret 的读取权限。
<