作者设置:由于当前各个常用镜像站无法正常代理下载镜像,这篇实验中所用到的镜像建议先从网络下载获取再导入到私仓使用,
或私信后台回复:9521 获取~ ~
另外这份实验材料总结下来出奇的字数多,提示超出字数,所以这篇分为了3章来发布
目录描述
-
Kubernetes高可用集群部署架构要求说明
-
Kubeadm部署Kubernetes v1.25.0高可用集群(一部分)
-
Kubeadm部署Kubernetes v1.25.0高可用集群(二部分)
-
Kubeadm部署Kubernetes v1.25.0高可用集群(完结)
8. 在第一个 master 节点初始化 Kubernetes 集群
kubeadm init 命令参考说明
--kubernetes-version:#kubernetes程序组件的版本号,它必须要与安装的kubelet程序包的版本号相同
--control-plane-endpoint:#多主节点必选项,用于指定控制平面的固定访问地址,可是IP地址或DNS名称,会被用于集群管理员及集群组件的kubeconfig配置文件的API Server的访问地址,如果是单主节点的控制平面部署时不使用该选项,注意:kubeadm 不支持将没有 --control-plane-endpoint 参数的单个控制平面集群转换为高可用性集群。
--pod-network-cidr:#Pod网络的地址范围,其值为CIDR格式的网络地址,通常情况下Flannel网络插件的默认为10.244.0.0/16,Calico网络插件的默认值为192.168.0.0/16
--service-cidr:#Service的网络地址范围,其值为CIDR格式的网络地址,默认为10.96.0.0/12;常,仅Flannel一类的网络插件需要手动指定该地址
--service-dns-domain string #指定k8s集群域名,默认为cluster.local,会自动通过相应的DNS服务实现解析
--apiserver-advertise-address:#API 服务器所公布的其正在监听的 IP 地址。如果未设置,则使用默认网络接口。apiserver通告给其他组件的IP地址,一般应该为Master节点的用于集群内部通信的IP地址,0.0.0.0表示此节点上所有可用地址,非必选项
--image-repository string #设置镜像仓库地址,默认为 k8s.gcr.io,此地址国内可能无法访问,可以指向国内的镜像地址
--token-ttl #共享令牌(token)的过期时长,默认为24小时,0表示永不过期;为防止不安全存储等原因导致的令牌泄露危及集群安全,建议为其设定过期时长。未设定该选项时,在token过期后,若期望再向集群中加入其它节点,可以使用如下命令重新创建token,并生成节点加入命令。kubeadm token create --print-join-command
--ignore-preflight-errors=Swap” #若各节点未禁用Swap设备,还需附加选项“从而让kubeadm忽略该错误
--upload-certs #将控制平面证书上传到 kubeadm-certs Secret
--cri-socket #v1.24版之后指定连接cri的socket文件路径,注意;不同的CRI连接文件不同
#如果是cRI是containerd,则使用--cri-socket unix:///run/containerd/containerd.sock
#如果是cRI是docker,则使用--cri-socket unix:///var/run/cri-dockerd.sock
#如果是CRI是CRI-o,则使用--cri-socket unix:///var/run/crio/crio.sock
#注意:CRI-o与containerd的容器管理机制不一样,所以镜像文件不能通用。
在第一个 master 节点初始化集群
root@master1ha1:~# kubeadm init --control-plane-endpoint="vip" --kubernetes-version=v1.25.0 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12 --token-ttl=0 --cri-socket unix:///run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers --upload-certs
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join vip:6443 --token j4egyy.1a21ssudorgo8d3k \
--discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 \
--control-plane --certificate-key 5c2740a120bd93bd1fbcc61a1ca9878ec1ef3436b3277bf91edc5d11fccb3f7c
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join vip:6443 --token j4egyy.1a21ssudorgo8d3k \
--discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17
如果想重新初始化,可以执行下面
#如果有工作节点,先在工作节点执行,再在control节点执行下面操作
kubeadm reset -f --cri-socket unix:///run/cri-dockerd.sock
rm -rf /etc/cni/net.d/ $HOME/.kube/config
reboot
9. 在第一个master节点生成kubectl命令的授权文件
kubectl是kube-apiserver的命令行客户端程序,实现了除系统部署之外的几乎全部的管理操作,是kubernetes管理员使用最多的命令之一。kubectl需经由API server认证及授权后方能执行相应的管理操作,kubeadm部署的集群为其生成了一个具有管理员权限的认证配置文件/etc/kubernetes/admin.conf,它可由kubectl通过默认的“$HOME/.kube/config”的路径进行加载。当然,用户也可在kubectl命令上使用--kubeconfig选项指定一个别的位置。
下面复制认证为Kubernetes系统管理员的配置文件至目标用户(例如当前用户root)的家目录下:
#可复制8步骤初始化完成的结果执行下面命令
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
10. 实现 kubectl 命令补全
kubectl 命令功能丰富,默认不支持命令补会,可以用下面方式实现
kubectl completion bash > /etc/profile.d/kubectl_completion.sh
. /etc/profile.d/kubectl_completion.sh
11. 在第一个 master 节点配置网络组件
Kubernetes系统上Pod网络的实现依赖于第三方插件进行,这类插件有近数十种之多,较为著名的有flannel、calico、canal和kube-router等,简单易用的实现是为CoreOS提供的flannel项目。下面的命令用于在线部署flannel至Kubernetes系统之上
首先,下载适配系统及硬件平台环境的flanneld至每个节点,并放置于/opt/bin/目录下。(这句话没理解?!)
我们这里选用flanneld-amd64,版本为v0.20.1,因而,我们需要在集群的每个节点上执行如下命令:
提示:下载flanneld的地址为 https://github.com/flannel-io/flannel/releases
#节点加入集群后,节点信息为NotReady,各主机节点及容器暂无法进行相互连接通信,因为默认没有网络插件还需要安装网络插件集群才能正常通信
root@master1ha1:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1ha1 NotReady control-plane 41m v1.25.0
#flannel部署方法一:
root@master1ha1:~# curl -LO https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
root@master1ha1:~# kubectl apply -f kube-flannel.yml
#flannel部署方法二:
#https://raw.githubusercontent.com/网站在国内无法访问,没有科技上网的同学看这里
#可以去https://github.com/coreos/flannel/releases官方仓库,下载flannel导入到docker中
root@master1ha1:~# docker load < flanneld-v0.20.1-amd64.docker
7df5bd7bd262: Loading layer [==================================================>] 5.904MB/5.904MB
d9d153cdaf1f: Loading layer [==================================================>] 12.39MB/12.39MB
40b9707e1723: Loading layer [==================================================>] 2.743MB/2.743MB
5f0bea3b3211: Loading layer [==================================================>] 39.36MB/39.36MB
597dd779670d: Loading layer [==================================================>] 5.632kB/5.632kB
c58e46b8b3ff: Loading layer [==================================================>] 9.728kB/9.728kB
b35dfde5fcb3: Loading layer [==================================================>] 8.704kB/8.704kB
Loaded image: quay.io/coreos/flannel:v0.20.1-amd64
#获取一个kube-flannel.yml文件
curl -LO https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
#把kube-flannel.yml里的image改成本地镜像,主要有三块,下面有贴图,详看
#最后就可以apply了,这里我把kube-flannel.yml名字改成kube-flannel-v0.20.1.yml了
root@master1ha1:~# kubectl apply -f kube-flannel-v0.20.1.yml
namespace/kube-flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
root@master1ha1:~# kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-flannel kube-flannel-ds-794hb 1/1 Running 0 73s
kube-system coredns-c676cc86f-k9hm2 1/1 Running 0 24h
kube-system coredns-c676cc86f-wgjdp 1/1 Running 0 24h
kube-system etcd-master1ha1 1/1 Running 3 (14h ago) 24h
kube-system kube-apiserver-master1ha1 1/1 Running 3 (24m ago) 24h
kube-system kube-controller-manager-master1ha1 1/1 Running 3 (14h ago) 24h
kube-system kube-proxy-pkt88 1/1 Running 3 (14h ago) 24h
kube-system kube-scheduler-master1ha1 1/1 Running 4 (14h ago) 24h
root@master1ha1:~# kubectl describe pod kube-flannel-ds-794hb -n kube-flannel
image: m.daocloud.io/docker.io/flannel/flannel-cni-plugin:v1.1.0
#上面表示运行正常了,稍等一会儿,可以看到节点状态Ready
root@master1ha1:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1ha1 Ready control-plane 24h v1.25.0
#注意:如果已经下载了部分插件,那么就得执行下删除命令,删除后,再重新下载
#卸载finnel插件命令
#第一步,在节点删除flannel
kubectl delete -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
#第二步,在node节点清理flannel网络留下的文件
ifconfig cni0 down
ip link delete cni0
ifconfig flannel.1 down
ip link delete flannel.1
rm -rf /var/lib/cni/
rm -f /etc/cni/net.d/*
#注:执行完上面的操作,重启kubelet
systemctl restart kubelet
这部分吐槽:flannel在安装这块真不如Calico方便,前面有文章发,有兴趣的可以翻一下
12. 将所有 node节点加入Kubernetes集群
在所有node节点执行下面操作,加上集群
#在 master1 上查看加入节点的命令
root@master1ha1:~# kubeadm token create --print-join-command
kubeadm join vip:6443 --token hb7wgu.278gisn7n9fx18d4 --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17
#上述命令额外添加--cri-socket选项,在所有的node节点执行
root@node1:~# kubeadm join vip:6443 --token hb7wgu.278gisn7n9fx18d4 --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock
回显如下表示加入集群成功,可以在master节点查询状态
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
#在master节点查询node节点状态
root@master1ha1:~# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1ha1 Ready control-plane 5d8h v1.25.0
node1 Ready <none> 4d2h v1.25.0
node2 Ready <none> 53s v1.25.0
13. 测试应用编排及服务访问
至此1个master附带有2个node的kubernetes集群基础设施已经部署完成,随后即可测试其核心功能。这样以demoapp演示,它是一个web应用,可将demoapp以Pod的形式编排运行于集群之上,并通过在集群外部进行访问:
#创建一个yaml配置,下面是说明
root@master1ha1:~# vim demoapp-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: demoapp
spec:
replicas: 2
selector:
matchLabels:
app: demoapp
template:
metadata:
labels:
app: demoapp
spec:
containers:
- name: demoapp
image: registry.cn-hangzhou.aliyuncs.com/guang_demo/qwer:ik8s-demoappv1.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
#生成pod
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp created
#查看2个pod已经均衡到2个noed上,并且运行
root@master1ha1:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
demoapp-75586749f8-pmbhf 1/1 Running 0 3m52s 10.244.1.31 node1 <none> <none>
demoapp-75586749f8-wlhkt 1/1 Running 0 3m52s 10.244.2.26 node2 <none> <none>
#测试访问2个pod
root@master1ha1:~# curl 10.244.1.31
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!
root@master1ha1:~# curl 10.244.1.26
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!
#使用如下命令了解Service对象demoapp使用的NodePort,格式:<集群端口>:<POd端口>,以便于在集群外部进行访问
root@master1ha1:~# kubectl create service nodeport demoapp --tcp=80:80
root@master1ha1:~# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
demoapp NodePort 10.105.4.244 <none> 80:32590/TCP 13s
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 21d
root@master1ha1:~# curl 10.105.4.244
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: ddemoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!
root@master1ha1:~# curl 10.105.4.244
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!
#用户可以于集群外部通过“http://NodeIP:32590”这个URL访问demoapp上的应用,例如于集群外通过浏览器访问“http://<kubernetes-node>:32590”。
root@master1ha1:~# curl 192.168.157.100:32590
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: ddemoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!
root@master1ha1:~# curl 192.168.157.100:32590
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!
#1、pod的扩容(这里只记录命令,比较简单)
root@master1ha1:~# vim demoapp-deployment.yaml
spec:
replicas: 4 把replicas参数值,由 2 往上加到 4 ,就代表由 2 pod 扩容到 4 个pod
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp created
root@master1ha1:~# kubectl get pod -o wide #可以看到有新的pod开始准备中
#2、pod的缩容(这里只记录命令,比较简单)
root@master1ha1:~# vim demoapp-deployment.yaml
spec:
replicas: 1 把replicas参数值,由 4 往下减到 1 ,就代表由 4 pod 缩容到 1 个pod
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp created
root@master1ha1:~# kubectl get pod -o wide #可以看到销毁pod的过程
root@master1ha1:~# kubectl get pod -o wide #再次查看,最终缩容成功,剩余1个pod
14. 将剩余2个master节点加入Kubernetes集群
将 剩余2个master节点加入Kubernetes集群,来扩展Kubernetes集群为多主模式
#在 master1 上查看加入节点的命令
root@master1ha1:~# kubeadm token create --print-join-command
kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17
#上述命令额外添加--cri-socket选项,在待加入的2个节点执行
root@master2ha2:~# kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock
root@master3harbor1:~# kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock
回显如下表示加入集群成功,可以在master首节点查询状态
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
#在master2和master3节点上执行
cd /root && mkdir -p /etc/kubernetes/pki/etcd &&mkdir –p ~/.kube/
#把 master1 节点的证书拷贝到 master2和master3上:
for i in {102..103};do scp /etc/kubernetes/pki/ca.crt 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/ca.key 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/sa.key 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/sa.pub 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/front-proxy-ca.crt 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/front-proxy-ca.key 192.168.157.$i:/etc/kubernetes/pki/ ; scp /etc/kubernetes/pki/etcd/ca.crt 192.168.157.$i:/etc/kubernetes/pki/etcd/ ; scp /etc/kubernetes/pki/etcd/ca.key 192.168.157.$i:/etc/kubernetes/pki/etcd/ ; done
#在master节点查询node,可以看到已加入
root@master1ha1:~# kubectl get nodes
master1ha1 Ready control-plane 21d v1.25.0
master2ha2 Ready <none> 2m20s v1.25.0
master3harbor1 Ready <none> 2m19s v1.25.0
node1 Ready <none> 20d v1.25.0
node2 NotReady <none> 15d v1.25.0 #内存不够了,把node2先关机了
最后:
挺无语的,这次1.25版本的搭建,没有想象中那么顺利!!
最后~欢迎关注我! @Linux学习的那些事儿
我的个人资源整理,满满都是干货: → 可按需访问领取
如果本文对你有帮助,欢迎点赞、收藏、转发给朋友,让我有持续创作的动力!
362
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
