K8s binary installation and deployment

> The K8s series was produced by following the Old Boy Education (老男孩教育) Bilibili videos!!!


K8s installation notes:
Binary installation (preferred for production, recommended for beginners)
kubeadm installation: simple, but not recommended for beginners; when something goes wrong it is hard to troubleshoot.

Lab environment:
Environment description:
etcd: at least 3 nodes form a highly available cluster
two proxy hosts form a highly available proxy pair and expose a VIP
two hosts each carry both the master and node roles
the ops host is not part of the K8s suite itself, but serves K8s
![Lab environment diagram](https://img-blog.csdnimg.cn/20201109173536165.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80MzcwNzA3Ng==,size_16,color_FFFFFF,t_70#pic_center)

Deployment preparation:
install bind9 and deploy a self-hosted DNS
prepare a self-signed certificate environment
install docker and a Harbor registry (Harbor is an enterprise-class registry server for storing and distributing Docker images; it extends the open-source Docker Distribution with features enterprises need, such as security, identity and management.)

Host list

| Hostname | IP address | Role |
|---|---|---|
| hdss7-11 | 10.4.7.11 | proxy1 |
| hdss7-12 | 10.4.7.12 | proxy2 |
| hdss7-21 | 10.4.7.21 | master1 |
| hdss7-22 | 10.4.7.22 | master2 |
| hdss7-200 | 10.4.7.200 | ops host |
Basic software deployment

yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix -y

IP configuration (the other hosts are similar and omitted)

[root@hdss7-200 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=10.4.7.200
NETMASK=255.255.255.0
GATEWAY=10.4.7.254  # gateway of the virtual NIC in NAT mode
DNS1=10.4.7.254

1. Deploy the DNS service (BIND9) on hdss7-11

Install the DNS service

[root@hdss7-11 ~]# yum install bind bind-utils -y

Edit the configuration file /etc/named.conf

[root@hdss7-11 ~]# vim /etc/named.conf
listen-on port 53 { 10.4.7.11; };
allow-query     { any; };
forwarders      { 10.4.7.254; }; # upstream DNS (the gateway or a public resolver)
recursion yes;
dnssec-enable no;
dnssec-validation no;

Create the zone configuration

[root@hdss7-11 ~]# cat >>/etc/named.rfc1912.zones <<'EOF'
> # custom host domain
> zone "host.com" IN {
>         type  master;
>         file  "host.com.zone";
>         allow-update { 10.4.7.11; };
> };
> # custom business domain
> zone "zq.com" IN {
>         type  master;
>         file  "zq.com.zone";
>         allow-update { 10.4.7.11; };
> };
> EOF

Create the data files for the zones

[root@hdss7-11 ~]# cat /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.host.com. dnsadmin.host.com. (
                2020110901 ; serial  # increment by one on every change; keep in step with the business zone
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.host.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11
HDSS7-11           A    10.4.7.11
HDSS7-12           A    10.4.7.12
HDSS7-21           A    10.4.7.21
HDSS7-22           A    10.4.7.22
HDSS7-200          A    10.4.7.200
[root@hdss7-11 ~]# cat /var/named/zq.com.zone
$ORIGIN zq.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.zq.com. dnsadmin.zq.com. (
                2020110901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.zq.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11

The host.com zone is used for host-to-host communication, so all hosts are added up front
The zq.com zone is used later for business-name resolution, so no hosts need to be added yet

Start the DNS service and verify

[root@hdss7-11 ~]# named-checkconf  # check the syntax
[root@hdss7-11 ~]# systemctl start named
[root@hdss7-11 ~]# ss -lntup | grep 53
udp    UNCONN     0      0      10.4.7.11:53                    *:*                   users:(("named",pid=16136,fd=512))
tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=16136,fd=22))
tcp    LISTEN     0      10     10.4.7.11:53                    *:*                   users:(("named",pid=16136,fd=21))
tcp    LISTEN     0      128       [::1]:953                [::]:*                   users:(("named",pid=16136,fd=23))
[root@hdss7-11 ~]# dig -t A hdss7-12.host.com @10.4.7.11 +short
10.4.7.12
[root@hdss7-11 ~]# dig -t A hdss7-21.host.com @10.4.7.11 +short
10.4.7.21

2. Change the network configuration on all hosts

[root@hdss7-11 ~]# sed -i 's#^DNS.*#DNS1=10.4.7.11#g' /etc/sysconfig/network-scripts/ifcfg-ens33  # point DNS at the new server; check the resolver config: on newer systems the search domain is added to resolv.conf automatically
[root@hdss7-11 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search host.com
nameserver 10.4.7.254

systemctl restart network

Also change the DNS setting of virtual network adapter 8 on the host machine and verify

Verify:

3. Prepare the self-signed certificate environment on hdss7-200

Download and install cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*

Generate the CA CSR file

[root@hdss7-200 ~]# mkdir /opt/certs
[root@hdss7-200 ~]# cat >/opt/certs/ca-csr.json <<EOF
> {
>     "CN": "zqcd",
>     "hosts": [
>     ],
>     "key": {
>         "algo": "rsa",
>         "size": 2048
>     },
>     "names": [
>         {
>             "C": "CN",
>             "ST": "chengdu",
>             "L": "chengdu",
>             "O": "zq",
>             "OU": "ops"
>         }
>     ],
>     "ca": {
>         "expiry": "175200h"
>     }
> }
> 
> EOF

CN: Common Name. Browsers use this field to check whether a site is legitimate; it is usually the domain name. Very important.
C: Country
ST: State or province
L: Locality, i.e. the city
O: Organization Name, the company name
OU: Organization Unit Name, the department

Generate the CA certificate

[root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/11/09 19:10:25 [INFO] generating a new CA key and certificate from CSR
2020/11/09 19:10:25 [INFO] generate received request
2020/11/09 19:10:25 [INFO] received CSR
2020/11/09 19:10:25 [INFO] generating key: rsa-2048
2020/11/09 19:10:25 [INFO] encoded CSR
2020/11/09 19:10:25 [INFO] signed certificate with serial number 369197204434672420629739344504434551625455263077
[root@hdss7-200 certs]# ll
总用量 16
-rw-r--r-- 1 root root  989 11月  9 19:10 ca.csr
-rw-r--r-- 1 root root  324 11月  9 18:56 ca-csr.json
-rw------- 1 root root 1675 11月  9 19:10 ca-key.pem
-rw-r--r-- 1 root root 1330 11月  9 19:10 ca.pem

4. Prepare the docker environment on hdss7-21, hdss7-22 and hdss7-200

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
mkdir /etc/docker/
cat >/etc/docker/daemon.json <<EOF
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zq.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.7.21.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
EOF

Note: bip must change with the host IP (daemon.json is strict JSON, so this cannot be written as a comment inside the file)
hdss7-21.host.com bip 172.7.21.1/24
hdss7-22.host.com bip 172.7.22.1/24
hdss7-200.host.com bip 172.7.200.1/24
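As an added example (not from the original post), a POSIX sh helper that derives each host's bip from its own IP following the post's 172.7.N.1/24 convention and renders daemon.json from it; the output path parameter and the `host_ip_from_ifcfg` helper are my assumptions, made so the functions can be exercised without touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post: derive each host's docker "bip"
# from its own IP and render daemon.json from it. Convention from the post:
# host 10.4.7.N gets bip 172.7.N.1/24. The output path parameter is an
# assumption made so the function can be exercised without touching /etc.

# Print the bridge IP for a host IP, e.g. 10.4.7.21 -> 172.7.21.1/24
docker_bip() {
    last_octet="${1##*.}"
    case "$last_octet" in
        ''|*[!0-9]*) echo "bad ip: $1" >&2; return 1 ;;
    esac
    printf '172.7.%s.1/24\n' "$last_octet"
}

# Render daemon.json for host IP $1 into $2 (default /etc/docker/daemon.json).
# daemon.json is strict JSON: a "#" comment in it stops dockerd from starting,
# so the per-host note lives here instead. "insecure-registries" lets the
# daemon pull from harbor.zq.com over plain HTTP, which is why the nginx
# front end on port 80 works without a certificate.
render_daemon_json() {
    ip="$1"
    out="${2:-/etc/docker/daemon.json}"
    bip="$(docker_bip "$ip")" || return 1
    cat >"$out" <<EOF
{
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zq.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "$bip",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
EOF
}

# Read this host's IPADDR from the ifcfg file the post configures
host_ip_from_ifcfg() {
    sed -n 's/^IPADDR=//p' "${1:-/etc/sysconfig/network-scripts/ifcfg-ens33}"
}

# On a host: render_daemon_json "$(host_ip_from_ifcfg)" && systemctl restart docker
```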

Start docker

mkdir -p /data/docker
systemctl start docker
systemctl enable docker
docker --version
Docker version 19.03.13, build 4484c46d9d

5. Deploy the Harbor private registry on hdss7-200

Harbor download URL: https://github.com/goharbor/harbor/releases/download/v1.8.5/harbor-offline-installer-v1.8.5.tgz

tar xf harbor-offline-installer-v1.8.5.tgz -C /opt/
cd /opt/
mv harbor/ harbor-v1.8.5
ln -s /opt/harbor-v1.8.5/ /opt/harbor  # rename and symlink so future upgrades are easy

Edit the configuration file

[root@hdss7-200 opt]# vi /opt/harbor/harbor.yml
# only the following items are changed, by hand, in the configuration file
hostname: harbor.zq.com
http:
  port: 180
harbor_admin_password: Harbor12345
data_volume: /data/harbor
log:
  level: info
  rotate_count: 50
  rotate_size: 200M
  location: /data/harbor/logs

[root@hdss7-200 opt]# mkdir -p /data/harbor/logs

Start Harbor with docker-compose

[root@hdss7-200 opt]# cd /opt/harbor/
yum install docker-compose -y
sh /opt/harbor/install.sh 
docker-compose ps
      Name                     Command               State             Ports          
--------------------------------------------------------------------------------------
harbor-core         /harbor/start.sh                 Up                               
harbor-db           /entrypoint.sh postgres          Up      5432/tcp                 
harbor-jobservice   /harbor/start.sh                 Up                               
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp
harbor-portal       nginx -g daemon off;             Up      80/tcp                   
nginx               nginx -g daemon off;             Up      0.0.0.0:180->80/tcp      
redis               docker-entrypoint.sh redis ...   Up      6379/tcp                 
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                 
registryctl         /harbor/start.sh                 Up 

docker ps -a
CONTAINER ID        IMAGE                                               COMMAND                  CREATED             STATUS                             PORTS                       NAMES
89454ab914da        goharbor/nginx-photon:v1.8.5                        "nginx -g 'daemon of…"   19 seconds ago      Up 18 seconds (health: starting)   0.0.0.0:180->80/tcp         nginx
cefa08ad3748        goharbor/harbor-jobservice:v1.8.5                   "/harbor/start.sh"       20 seconds ago      Up 19 seconds                                                  harbor-jobservice
cf235d2144a5        goharbor/harbor-portal:v1.8.5                       "nginx -g 'daemon of…"   20 seconds ago      Up 19 seconds (health: starting)   80/tcp                      harbor-portal
4cde8c48c37a        goharbor/harbor-core:v1.8.5                         "/harbor/start.sh"       21 seconds ago      Up 20 seconds (health: starting)                               harbor-core
829f4e0ddf14        goharbor/harbor-db:v1.8.5                           "/entrypoint.sh post…"   22 seconds ago      Up 20 seconds (health: starting)   5432/tcp                    harbor-db
7c93b2cd9f23        goharbor/redis-photon:v1.8.5                        "docker-entrypoint.s…"   22 seconds ago      Up 20 seconds                      6379/tcp                    redis
69480549309e        goharbor/registry-photon:v2.7.1-patch-2819-v1.8.5   "/entrypoint.sh /etc…"   22 seconds ago      Up 20 seconds (health: starting)   5000/tcp                    registry
3f61d0e0e38d        goharbor/harbor-registryctl:v1.8.5                  "/harbor/start.sh"       22 seconds ago      Up 21 seconds (health: starting)                               registryctl
0502687656ca        goharbor/harbor-log:v1.8.5                          "/bin/sh -c /usr/loc…"   22 seconds ago      Up 22 seconds (health: starting)   127.0.0.1:1514->10514/tcp   harbor-log

Add a DNS record for harbor on hdss7-11

[root@hdss7-11 ~]# vi /var/named/zq.com.zone
$ORIGIN zq.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.zq.com. dnsadmin.zq.com. (
                2020110902 ; serial  ## bump this serial after every DNS change; host.com.zone must be changed too
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.zq.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11
harbor             A    10.4.7.200

[root@hdss7-11 ~]# systemctl restart named
[root@hdss7-11 ~]# dig -t A harbor.zq.com +short
10.4.7.200
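The serial rule above (and the same rule stated at host.com.zone earlier) as an added example, not from the original post: POSIX sh helpers that read, bump and rewrite the SOA serial of both zone files in lockstep and only reload named once named-checkzone passes. The YYYYMMDDnn serial scheme, the `rndc reload` in place of the post's `systemctl restart named`, and the zone directory parameter are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: bump and verify the SOA serial of
# the BIND zone files the post creates. The post's rule: every edit increments
# the serial and host.com.zone / zq.com.zone stay on the same serial.
# Assumes the post's layout: the serial sits on its own line followed by "; serial".

# Print the SOA serial found in zone file $1
zone_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$1"
}

# Given the current serial $1 and a date $2 (YYYYMMDD), return the next
# YYYYMMDDnn serial: same day -> nn+1, new day -> nn=01 (assumed scheme)
next_serial() {
    cur="$1"; today="$2"
    if [ "${cur%??}" = "$today" ]; then
        printf '%d\n' "$((cur + 1))"
    else
        printf '%s01\n' "$today"
    fi
}

# Rewrite the serial line of zone file $1 to serial $2 (keeps indentation and comment)
set_zone_serial() {
    sed "s/^\([[:space:]]*\)[0-9]\{1,\}\([[:space:]]*;[[:space:]]*serial.*\)/\1$2\2/" "$1" >"$1.new" &&
        mv "$1.new" "$1"
}

# Bump both zone files to one new serial (derived from the higher of the two),
# syntax-check each with named-checkzone, and reload only if both pass.
bump_and_reload() {
    dir="${1:-/var/named}"
    a="$(zone_serial "$dir/host.com.zone")"
    b="$(zone_serial "$dir/zq.com.zone")"
    [ "$a" -gt "$b" ] && base="$a" || base="$b"
    new="$(next_serial "$base" "$(date +%Y%m%d)")"
    for z in host.com zq.com; do
        set_zone_serial "$dir/$z.zone" "$new" || return 1
        named-checkzone "$z" "$dir/$z.zone" >/dev/null || return 1
    done
    rndc reload
}
```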

Reverse-proxy Harbor with nginx on hdss7-200

[root@hdss7-200 harbor]# yum install nginx -y
[root@hdss7-200 harbor]# vi /etc/nginx/conf.d/harbor.zq.com.conf
server {
    listen       80;
    server_name  harbor.zq.com;

    client_max_body_size 1000m;

    location / {
        proxy_pass http://127.0.0.1:180;
    }
}
[root@hdss7-200 harbor]# nginx -t
[root@hdss7-200 harbor]# systemctl start nginx
[root@hdss7-200 harbor]# systemctl enable nginx

In a browser open: harbor.zq.com
Username: admin  Password: Harbor12345
Create a project: public, access level: public

Prepare the pause/nginx base images and push them to the private registry

[root@hdss7-200 opt]# docker login harbor.zq.com -uadmin -pHarbor12345  # first log in to our private registry
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
[root@hdss7-200 opt]# docker pull kubernetes/pause # pull the pause image, used to manage pods
Using default tag: latest
latest: Pulling from kubernetes/pause
4f4fb700ef54: Pull complete 
b9c8ec465f6b: Pull complete 
Digest: sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105
Status: Downloaded newer image for kubernetes/pause:latest
docker.io/kubernetes/pause:latest
[root@hdss7-200 opt]# docker pull nginx:1.17.9  # for testing
1.17.9: Pulling from library/nginx
123275d6e508: Pull complete 
9a5d769f04f8: Pull complete 
faad4f49180d: Pull complete 
Digest: sha256:88ea86df324b03b3205cbf4ca0d999143656d0a3394675630e55e49044d38b50
Status: Downloaded newer image for nginx:1.17.9
docker.io/library/nginx:1.17.9
[root@hdss7-200 opt]# docker tag kubernetes/pause:latest harbor.zq.com/public/pause:latest # tag
[root@hdss7-200 opt]# docker tag nginx:1.17.9 harbor.zq.com/public/nginx:v1.17.9
[root@hdss7-200 opt]# docker push harbor.zq.com/public/pause:latest # push to the private registry
The push refers to repository [harbor.zq.com/public/pause]
5f70bf18a086: Pushed 
e16a89738269: Pushed 
latest: digest: sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105 size: 938
[root@hdss7-200 opt]# docker push harbor.zq.com/public/nginx:v1.17.9
The push refers to repository [harbor.zq.com/public/nginx]
351816b95c49: Pushed 
0e07021aa61a: Pushed 
b60e5c3bcef2: Pushed 
v1.17.9: digest: sha256:30d9dde0c4cb5ab4989a92bc2c235b995dfa88ff86c09232f309b6ad27f1c7cd size: 948
[root@hdss7-200 opt]# 

Check the images in the private registry's web UI
