Creating a Kubernetes 1.10 cluster on CentOS 7 with kubeadm

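This document describes in detail how to use kubeadm to build a Kubernetes 1.10 cluster on CentOS 7. It covers the prerequisites, the setup steps, and the final check that the cluster is usable. The tutorial is suitable for personal study and research, and is not suitable for direct use in production, because the resulting cluster lacks advanced security and availability.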

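Kubernetes, abbreviated k8s (k, 8 characters, s; get it?) or "kube", is an open-source platform for automating the operation of Linux containers. It eliminates many of the manual steps involved in deploying and scaling containerized applications. In other words, you can combine multiple hosts into a cluster to run Linux containers, and Kubernetes helps you manage those clusters simply and efficiently. The hosts that make up these clusters can span public, private and hybrid clouds. It is now the standard for container orchestration, backed mainly by Google and Red Hat.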

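kubeadm is the tool Kubernetes officially provides for quickly setting up a k8s cluster. It is much simpler and faster than the other methods currently found online, and you run into fewer problems. If you hit any problem while following this article, please leave a comment and I will try to reply promptly. This article is mainly based on the official Kubernetes document Using kubeadm to Create a Cluster. A cluster built by following this article is not secure enough and is not highly available; it is recommended only for personal study and research, not for deployment to production.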

Prerequisites

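  1. Two or more servers with CentOS 7 x64 installed; they can be physical machines, virtual machines or VPSes. One of them acts as the master node and the others as node nodes.
  2. At least 2 GB of memory on every machine, and at least 2 cores on the server used as master.
  3. All servers can reach each other over the network, no two hostnames are the same, and no hostname contains an underscore.
  4. The servers are outside the Great Firewall, because some of the files downloaded during setup may be very slow or impossible to download from inside it. This means that setting up on a domestic VPS such as Alibaba Cloud or Tencent Cloud will be troublesome. If you do not yet have a server outside the firewall, take a look at vultr, which is what I use; it is good value and very stable. I recommend the Tokyo or US West nodes, which connect faster. Sometimes an IP cannot be pinged, probably because it is blocked; create another one in a different region and try again.
  5. You can connect to a server over ssh, run simple commands, and edit and save files. Some of the commands below may need root privileges; if you are told you lack permission, put sudo in front of the command and run it again.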

Setup steps

Steps 1-6 are required on every server.

  1. Update the system; on the command line run
yum update -y
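  2. Turn off the firewall and swap. k8s runs several services that communicate across different servers and needs a number of ports open; for simplicity we just turn the firewall off, which is not recommended in production. Swap has to be turned off for the k8s component kubelet to work properly.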

systemctl disable firewalld
systemctl stop firewalld
swapoff -a    

  3. Install docker

yum install -y docker
systemctl enable docker && systemctl start docker
  4. Install kubeadm, kubelet and kubectl

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet
  5. Disable SELinux, because kubelet's SELinux support still has some problems

setenforce 0
Open the file /etc/sysconfig/selinux
vi /etc/sysconfig/selinux
Find the SELINUX line and change it to
SELINUX=disabled
Save the file

  6. Set net.bridge.bridge-nf-call-iptables to 1

cat <<EOF >  /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
  7. Initialize the master; run this on the master node
kubeadm init --pod-network-cidr=192.168.0.0/16
If you see output similar to the following, the master was initialized successfully
[init] Using Kubernetes version: v1.8.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [kubeadm-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.138.0.4]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[init] This often takes around a minute; or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 39.511972 seconds
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[markmaster] Will mark node master as master by adding a label and a taint
[markmaster] Master master tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: <token>
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run (as a regular user):

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  http://kubernetes.io/docs/admin/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
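Copy and save the last line of the output above, the kubeadm join command; it is needed later when the node nodes join the cluster
Run the following commands to set up the kubectl configuration file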
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

  8. Install a network plugin so that pods can talk to each other. Here we install Calico. Run this on the master node

kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml

Run the following command to check that the kube-dns pod is running; this usually takes a few tens of seconds

kubectl get pods --all-namespaces
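If the output contains a pod whose name starts with kube-dns and whose status is Running, the network plugin is working and the node nodes can then be joined to the cluster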
[root@kube-master ~]# kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY     STATUS    RESTARTS   AGE
kube-system   calico-etcd-dfpnn                         1/1       Running   0          13h
kube-system   calico-kube-controllers-5449fdfcd-z8n45   1/1       Running   0          13h
kube-system   calico-node-8jmzt                         2/2       Running   0          13h
kube-system   calico-node-b4x99                         2/2       Running   0          13h
kube-system   etcd-kube-master                          1/1       Running   0          13h
kube-system   kube-apiserver-kube-master                1/1       Running   0          13h
kube-system   kube-controller-manager-kube-master       1/1       Running   0          13h
kube-system   kube-dns-86f4d74b45-v6qr5                 3/3       Running   0          14h
kube-system   kube-proxy-8nl2w                          1/1       Running   0          13h
kube-system   kube-proxy-klnjb                          1/1       Running   0          14h
kube-system   kube-scheduler-kube-master                1/1       Running   0          13h
  9. Allow pods to run on the master by running the following command on the master. Otherwise k8s will not schedule non-system pods onto the master node

kubectl taint nodes --all node-role.kubernetes.io/master-
  10. Once kube-dns is running, join the node nodes: on each node, run the kubeadm join command saved in step 7, which looks like the following.
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
If it succeeds, the output is similar to the following
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "10.138.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.138.0.4:6443"
[discovery] Requesting info from "https://10.138.0.4:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "10.138.0.4:6443"
[discovery] Successfully established connection with API Server "10.138.0.4:6443"
[bootstrap] Detected server version: v1.8.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...

Node join complete:
* Certificate signing request sent to master and response
  received.
* Kubelet informed of new secure connection details.

Run 'kubectl get nodes' on the master to see this machine join.
  11. Verify that the node joined the cluster; on the master command line run

kubectl get node
If the cluster is running normally, the output is similar to
NAME          STATUS    ROLES     AGE       VERSION
kube-master   Ready     master    1h        v1.10.0
kube-node     Ready     <none>    2m        v1.10.0
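
The join line saved in step 7 pins the cluster CA through --discovery-token-ca-cert-hash, and the step 10 output shows the node validating TLS against that pinned public key. The script below is an added example, not part of the original article: run on the master, it recomputes the hash from the CA certificate and compares it with the one in the saved line. The function names are illustrative, and the ca.crt file name under /etc/kubernetes/pki is an assumption based on kubeadm's default layout.

```shell
#!/bin/sh
# Added example: check the CA pin in a saved `kubeadm join` line against the
# master's CA certificate before running the line on a node.

# Print sha256:<hex> of the DER-encoded public key (SubjectPublicKeyInfo) in
# CA_CERT, the value kubeadm expects after --discovery-token-ca-cert-hash.
ca_pubkey_hash() {
  # Refuse unreadable or non-certificate input; otherwise the pipeline below
  # would silently hash empty data.
  openssl x509 -in "$1" -noout 2>/dev/null || return 1
  printf 'sha256:%s\n' "$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -hex | sed 's/^.* //')"
}

# Extract the pinned hash from a join command line; prints nothing if absent.
pinned_hash() {
  printf '%s\n' "$1" | sed -n \
    's/.*--discovery-token-ca-cert-hash[ =]\{1,\}\(sha256:[0-9a-f]\{64\}\).*/\1/p'
}

# verify_join_pin JOIN_CMD CA_CERT
# 0 = pin matches the CA, 1 = mismatch, 2 = no pin present, 3 = CA unreadable.
verify_join_pin() {
  pin=$(pinned_hash "$1")
  [ -n "$pin" ] || { echo "no CA pin in join command"; return 2; }
  actual=$(ca_pubkey_hash "$2") || { echo "cannot read CA certificate $2"; return 3; }
  if [ "$pin" = "$actual" ]; then
    echo "pin matches $2"
  else
    echo "pin mismatch: join has $pin, CA is $actual"
    return 1
  fi
}

# On the master: sh this-file '<saved kubeadm join line>' [ca.crt]
if [ -n "${1:-}" ]; then
  verify_join_pin "$1" "${2:-/etc/kubernetes/pki/ca.crt}"
fi
```

A mismatch means the saved line belongs to a different cluster CA (for example after re-running kubeadm init) and should not be used on the node.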

Congratulations, you now have a working k8s cluster!
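
Steps 2, 5 and 6 mix runtime changes with persistent ones: swapoff -a only lasts until the next boot if /etc/fstab still lists a swap entry, while the SELinux and sysctl files are what apply after a reboot. The audit below is an added example, not part of the original article; the function names are illustrative, and the file paths are passed as arguments so it can be tried on copies.

```shell
#!/bin/sh
# Added example (not from the original article): audit whether the per-node
# settings from prerequisite 3 and steps 2, 5 and 6 will survive a reboot.

# Prerequisite 3: a hostname must be non-empty and contain no underscore.
hostname_ok() {
  case "$1" in ''|*_*) return 1 ;; *) return 0 ;; esac
}

# Step 2: count uncommented swap entries in an fstab file; any such entry
# turns swap back on at boot, undoing `swapoff -a`.
fstab_swap_entries() {
  awk '!/^[ \t]*#/ && $3 == "swap" { n++ } END { print n + 0 }' "$1"
}

# Step 5: print the persistent SELinux mode set in the config file.
selinux_config_mode() {
  awk -F= '/^[ \t]*SELINUX=/ { gsub(/[ \t]/, "", $2); m = $2 } END { print m }' "$1"
}

# Step 6: succeed only if both bridge sysctls are set to 1 in the file.
bridge_sysctls_ok() {
  awk -F= '{ gsub(/[ \t]/, "") }
    $1 == "net.bridge.bridge-nf-call-iptables"  && $2 == "1" { v4 = 1 }
    $1 == "net.bridge.bridge-nf-call-ip6tables" && $2 == "1" { v6 = 1 }
    END { exit !(v4 && v6) }' "$1"
}

# audit_node HOSTNAME FSTAB SELINUX_CONF SYSCTL_CONF; returns 0 if all pass.
audit_node() {
  audit_rc=0
  hostname_ok "$1" || { echo "FAIL hostname '$1' is empty or contains an underscore"; audit_rc=1; }
  [ "$(fstab_swap_entries "$2")" -eq 0 ] || { echo "FAIL active swap entry in $2"; audit_rc=1; }
  [ "$(selinux_config_mode "$3")" = disabled ] || { echo "FAIL SELINUX is not disabled in $3"; audit_rc=1; }
  bridge_sysctls_ok "$4" || { echo "FAIL bridge-nf-call sysctls not set in $4"; audit_rc=1; }
  if [ "$audit_rc" -eq 0 ]; then echo "OK settings persist across reboot"; fi
  return "$audit_rc"
}

# Audit the live files only when asked: sh this-file --live
if [ "${1:-}" = "--live" ]; then
  audit_node "$(hostname)" /etc/fstab /etc/sysconfig/selinux /etc/sysctl.d/k8s.conf
fi
```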
