![990cebe00529f5e59942b9971924161c.png](https://img-blog.csdnimg.cn/img_convert/990cebe00529f5e59942b9971924161c.png)
Outline
- I. Environment preparation (ECS)
- II. Common part: required on all 3 ECS instances
- III. Master installation
- IV. Worker installation
- V. Joining more machines later when the token has expired
- VI. Connectivity between other LAN machines and k8s pods
I. Environment preparation (ECS)
Provision 3 ECS instances using the system image ubuntu_18_04_x64_20G_alibase_20200426.vhd.
Worker machines need more than 2 vCPU / 4 GB RAM; give a single worker a high spec rather than running several small machines.
II. Common part: configure on all 3 ECS instances
1. Edit /etc/hosts
```bash
vim /etc/hosts
```
```text
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
xx.xx.xx.xx stage-k8s001 stage-k8s001
xx.xx.xx.xx stage-k8s002 stage-k8s002
xx.xx.xx.xx stage-k8s003 stage-k8s003
# raw.githubusercontent.com: work around the domain being blocked
199.232.4.133 raw.githubusercontent.com
```
2. Add the Aliyun mirror
```bash
# Change the package source
vim /etc/apt/sources.list   # append the following at the end
```
```text
# Source for kubeadm and the Kubernetes components
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
```
3. Kubernetes source: running apt-get update now fails with the error below, because the repository's signing key is missing:
```text
Err:4 http://mirrors.ustc.edu.cn/kubernetes/apt kubernetes-xenial InRelease
The following signatures couldn't be verified because the public key is not avail
```
4. Import the key, then run sudo apt-get update. The commands fetch the key from the keyserver by its short ID; since an 8-hex-digit ID does not uniquely identify a key, compare the fetched key's full fingerprint with the one published by the repository before adding it.
```bash
gpg --keyserver keyserver.ubuntu.com --recv-keys BA07F4FB
gpg --export --armor BA07F4FB | sudo apt-key add -
```
5. apt-get update
6. Disable swap: swapoff -a
7. Configure kernel parameters so that bridged IPv4 traffic is passed to the iptables chains
```bash
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system   # load the settings
```
8. Install kubeadm and the Docker environment
```bash
apt-get install -y docker.io kubelet kubernetes-cni=0.7.5-00 kubeadm
```
III. Master installation
1. List and pull the required images
```bash
kubeadm config images list
```
Pull the images listed by the command above from the Aliyun mirror and re-tag them under k8s.gcr.io, for example:
```bash
#!/bin/bash
images=(
kube-apiserver:v1.18.2
kube-controller-manager:v1.18.2
kube-scheduler:v1.18.2
kube-proxy:v1.18.2
pause:3.2
etcd:3.4.3-0
coredns:1.6.7
)
for imageName in "${images[@]}" ; do
  # pull from the mirror, then tag with the name kubeadm expects
  sudo docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName
  sudo docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName k8s.gcr.io/$imageName
done
```
Save this as a script and run it:
```bash
vim k8s_cript
sudo chmod +x k8s_cript
./k8s_cript
```
2. Initialize the master
```bash
kubeadm init --kubernetes-version=1.18.0 \
  --apiserver-advertise-address=xx.x.xx.xx \
  --image-repository registry.aliyuncs.com/google_containers \
  --pod-network-cidr=10.0.0.0/16 --service-cidr=11.0.0.0/16
```
Meaning of the flags:
- --apiserver-advertise-address=172.31.145.32: the master's private (LAN) IP
- --pod-network-cidr=10.0.0.0/16: a separate pod subnet; kube-flannel uses this value later
- --service-cidr=11.0.0.0/16: the service subnet
3. After a successful init, set up the kubectl config
```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
4. The master is not yet in the Ready state; a network plugin must be installed
```bash
# Download
curl -O https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
```
Before applying it, edit kube-flannel.yml:
1. kubectl apply -f kube-flannel.yml fails as-is because the image registry is blocked; replace quay.io with quay-mirror.qiniu.com.
2. Set Network to the subnet given to --pod-network-cidr:
```yaml
net-conf.json: |
  {
    "Network": "10.0.0.0/16",
    "Backend": {
      "Type": "vxlan"
    }
  }
```
```bash
kubectl apply -f kube-flannel.yml
```
5. The master is now installed; next, install the dashboard
```bash
wget
```
6. With the master complete, generate a token to log in to the dashboard
Create an admin service account and bind it to cluster-admin. This gives the account full control of the cluster, so the token extracted below is a highly privileged credential.
```bash
vim admin-token.yml
```
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
```
```bash
# Find the admin secret
kubectl get secret --all-namespaces | grep admin
# Print the token (the secret name suffix is generated; use the one shown by the command above)
kubectl describe secrets -n kube-system admin-token-smz57 | grep token | awk 'NR==3{print $2}'
```
7. Invalid certificate when accessing the dashboard
Reference: https://www.jianshu.com/p/8c89c9ac9d35
In Chrome, click on the blank page and type: thisisunsafe
Alternatively use Firefox and add an exception when the expired-certificate warning appears.
IV. Worker installation
1. Once the common part is done, join the node with the kubeadm join command printed by the master, for example:
```bash
kubeadm join xx.xx.xx.xx:6443 --token nep3mm.6z68l123454trealw2 \
  --discovery-token-ca-cert-hash sha256:f28f30123455667587787yeerw3235863b13dec11a9c89a74d999c685ebeb1e
```
V. Joining more machines later when the token has expired
```bash
# List tokens
kubeadm token list
# Create a new token
kubeadm token create
# If you no longer have the CA cert hash, recompute it from the cluster CA certificate
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
```
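The hash in the join command is what protects the bootstrap from a spoofed API server: the joining node only trusts a cluster CA whose DER-encoded SubjectPublicKeyInfo hashes to that value. As an added example (not from the original post), the following standard-library Python computes the same SHA-256 that the openssl pipeline above prints, for any key type, and checks a join command's hash against the CA certificate; the certificate it embeds is a constructed, unsigned dummy, not a real CA, and the function names are the example's own.

```python
import base64
import hashlib
import hmac
import re

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed DER value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, pos, vend
        pos = vend
def extract_spki(cert_der):
    """Return the DER bytes (tag+length+value) of SubjectPublicKeyInfo from an X.509 cert."""
    _, cstart, _ = _tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tstart, tend = _tlv(cert_der, cstart)          # tbsCertificate ::= SEQUENCE
    elems = list(_children(cert_der, tstart, tend))
    if elems[0][0] == 0xA0:                           # skip the optional [0] EXPLICIT version
        elems = elems[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, s, e = elems[5]
    return cert_der[s:e]

def ca_cert_hash(pem):
    """Hex SHA-256 of the CA's SubjectPublicKeyInfo: the value after 'sha256:' in kubeadm join."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return hashlib.sha256(extract_spki(base64.b64decode(body))).hexdigest()
def verify_join_hash(join_cmd, ca_pem):
    """True iff the join command pins the same CA public key as ca_pem (constant-time compare)."""
    m = re.search(r"--discovery-token-ca-cert-hash\s+sha256:([0-9a-fA-F]{64})", join_cmd)
    return bool(m) and hmac.compare_digest(m.group(1).lower(), ca_cert_hash(ca_pem))

def _der(tag, payload):
    """Tiny DER encoder (short and one-byte long-form lengths); used only to build the sample."""
    n = len(payload)
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])) + payload

# Constructed sample: a structurally valid but unsigned dummy certificate, NOT a real cluster CA.
_ALG = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption, NULL
SAMPLE_SPKI = _der(0x30, _ALG + _der(0x03, b"\x00" + b"\xab" * 20))       # dummy key bits
_TBS = _der(0x30, _der(0xA0, b"\x02\x01\x02") + _der(0x02, b"\x01") + _der(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, _TBS + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(SAMPLE_CERT_DER).decode()}\n-----END CERTIFICATE-----\n"
```

On a real master, ca_cert_hash(open("/etc/kubernetes/pki/ca.crt").read()) returns the same string as the openssl pipeline above.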
VI. Connectivity between other LAN machines and k8s pods
1. iptables + route; reference: URL
References:
1. Kubernetes-dashboard authentication
2. Quickly building a Kubernetes test cluster on Ubuntu with kubeadm
3. Image pull failures from gcr.io and quay.io
4. Fixing the expired certificate that blocks access; reference: URL (this can also be skipped by entering directly, as described under "invalid certificate" above)
5. What to do if both the token and the sha256 hash have been forgotten