# Deploying a Cluster with K3S

## Machine preparation and server requirements

One master node and one agent (worker) node; additional agent nodes follow the same logic.

| Hostname | IP | OS | Spec |
|---|---|---|---|
| k8s1 | 192.168.0.91 | Ubuntu 20.04 | 2 CPUs, 4 GB |
| k8s2 | 192.168.0.131 | Ubuntu 20.04 | 2 CPUs, 4 GB |
| … | | | |
## Set the hostnames

Run on 192.168.0.91:

```bash
# set the master node's hostname
$ sudo hostnamectl set-hostname --static k8s1
```

Run on 192.168.0.131:

```bash
# set the agent node's hostname
$ sudo hostnamectl set-hostname --static k8s2
```

Add the hosts entries on all nodes:

```bash
$ sudo vi /etc/hosts
```

```
192.168.0.91 k8s1
192.168.0.131 k8s2
```
## Install docker.io

Install docker.io on all nodes (k8s1, k8s2). Note that K3S bundles its own containerd and only uses Docker when started with the `--docker` flag, so this step is not required for the setup below.

```bash
$ sudo apt-get update
$ sudo apt-get install -y docker.io
```
## Install K3S on the k8s1 server (see the K3S documentation)

- Install

```bash
# install K3S
$ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -
# check the installation
$ sudo kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS      RESTARTS   AGE
kube-system   local-path-provisioner-79f67d76f8-ljndn   1/1     Running     0          5m46s
kube-system   helm-install-traefik-crd-2ns4h            0/1     Completed   0          5m46s
kube-system   coredns-597584b69b-rrwjw                  1/1     Running     0          5m46s
kube-system   helm-install-traefik-6cvl5                0/1     Completed   1          5m46s
kube-system   svclb-traefik-dee7d17f-q5bq2              2/2     Running     0          5m15s
kube-system   traefik-66c46d954f-cw984                  1/1     Running     0          5m15s
kube-system   metrics-server-5f9f776df5-jpj9n           1/1     Running     0          5m46s
# check the nodes, before any agent node has joined
$ sudo kubectl get nodes
NAME   STATUS   ROLES                  AGE   VERSION
k8s1   Ready    control-plane,master   35m   v1.25.7+k3s1
```

- Get the token; it is needed later when the agent node on k8s2 joins the cluster. This token is the cluster join secret, so treat it like a password.

```bash
$ sudo cat /var/lib/rancher/k3s/server/token
K10607a51dd652d6833d8bf0d54b62ffc1f763986a5f39f94240a32646c0ea1a271::server:299b2750ef830e50a5155adbe6a94e84
```
## Install K3S on the k8s2 server (see the Agent section of the K3S documentation)

Install:

```bash
$ curl -sfL https://rancher-mirror.rancher.cn/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn K3S_URL=https://k8s1:6443 K3S_TOKEN=K10607a51dd652d6833d8bf0d54b62ffc1f763986a5f39f94240a32646c0ea1a271::server:299b2750ef830e50a5155adbe6a94e84 sh -
```

Parameters:

- K3S_URL: address of the cluster's master node (k8s1)
- K3S_TOKEN: the master node (k8s1) token obtained above

Run the following on k8s1; the agent node has now joined:

```bash
$ sudo kubectl get nodes
NAME   STATUS   ROLES                  AGE     VERSION
k8s2   Ready    <none>                 8m34s   v1.25.7+k3s1
k8s1   Ready    control-plane,master   62m     v1.25.7+k3s1
```
## Install Kubernetes Dashboard (see the Dashboard documentation)

- Configure

```bash
$ GITHUB_URL=https://github.com/kubernetes/dashboard/releases
$ VERSION_KUBE_DASHBOARD=$(curl -w '%{url_effective}' -I -L -s -S ${GITHUB_URL}/latest -o /dev/null | sed -e 's|.*/||')
# if this step does not install cleanly, consider option 2 below
$ sudo k3s kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml
```

Option 2:

```bash
$ echo https://raw.githubusercontent.com/kubernetes/dashboard/${VERSION_KUBE_DASHBOARD}/aio/deploy/recommended.yaml
# prints the following
https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml
# download manually
$ cd ~
$ sudo vi dashboard.yaml
# contents in Appendix 1; see the lines marked "# added"
$ sudo k3s kubectl create -f ~/dashboard.yaml
# prints the following
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
```

The part that needs adjusting, marked with `# added`:

```yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # added: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31001  # added: externally exposed port, used later to reach the web UI
  selector:
    k8s-app: kubernetes-dashboard
```

- Install

```bash
$ sudo k3s kubectl create -f ./dashboard.yaml
```
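The same NodePort change can be applied as a Kustomize overlay on top of an unmodified `recommended.yaml`, so the upstream file is never hand-edited and the change stays reviewable. This is an added example, not from the original post or the Dashboard project; it assumes the unmodified `recommended.yaml` has been downloaded into the same directory as this `kustomization.yaml`, and that kubectl's built-in Kustomize is used (`sudo k3s kubectl apply -k .`).

```yaml
# kustomization.yaml (added example; assumes the unmodified upstream
# recommended.yaml sits in the same directory)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - recommended.yaml
patches:
  # Strategic-merge patch: only the Service gains type/nodePort; every
  # other object in recommended.yaml passes through unchanged. The ports
  # entry merges on its `port` key, so 443 keeps targetPort 8443 and
  # gains nodePort 31001.
  - target:
      kind: Service
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
    patch: |-
      apiVersion: v1
      kind: Service
      metadata:
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard
      spec:
        type: NodePort
        ports:
          - port: 443
            nodePort: 31001
```

Run `sudo k3s kubectl kustomize .` first to inspect the rendered manifest and confirm that only the Service differs from upstream.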
- Dashboard RBAC configuration (copied from the official docs)

Important: the `admin-user` created in this guide will have administrative privileges in the Dashboard. Create the following resource manifest files:

`dashboard.admin-user.yml`

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
```

`dashboard.admin-user-role.yml`

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard
```

Deploy the `admin-user` configuration:

```bash
$ sudo k3s kubectl create -f dashboard.admin-user.yml -f dashboard.admin-user-role.yml
```

Get the bearer token:

```bash
$ sudo k3s kubectl -n kubernetes-dashboard create token admin-user
# token
eyJhbGciOiJSUzI1NiIsImtpZCI6Ii01UEFJbUoyaG1SZTRvU2l2VGtwSjBqQmdQb2QyaFY0cVdiLUdMUkYyNzAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNjc5NTY1MjA1LCJpYXQiOjE2Nzk1NjE2MDUsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiMzE4YmI2NTctNzIxZS00YWE1LWIzZjMtN2Q4NGI4MzA3Yjg3In19LCJuYmYiOjE2Nzk1NjE2MDUsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlcm5ldGVzLWRhc2hib2FyZDphZG1pbi11c2VyIn0.1ZwyDHovvpXGGvvTYmVjDYVDrBACtEl7WUGe5jTACfmeJE2IOdfrsrmnU5UYCv8eHHFQVVhjGWSSeYWi8-58HJCKEMGM1m7jkwQFpcVXM6eI32w4__oayJ4ieeWD7sfriZt5KzxQJ6bVamrU7yuzACtUTII-XqmABT0CZZkbn3sn-Ik3Yf7hr6Y-FsCOt47gWcmVoM7qLOMwOZ75n8EebsZ4Qqfn7XYcsn77gUb1KXkMaB_hwZT5DMtcBqnETSLViUFfRxVC19kvy4SweQ_slsFNwqw0IKbYCaSykagg-g8OJbl0I_fIK9QG12zVXwdbe8fMk1X9HdfBzHx0hAwANQ
```
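The `admin-user` above is bound to `cluster-admin`, which is convenient on a test cluster but means anyone holding its token has full control of the API. As an added example (not from the original post or the Dashboard docs), the manifest below creates a read-only dashboard account bound to Kubernetes' built-in `view` ClusterRole instead; the account name `dashboard-viewer` is my choice.

```yaml
# dashboard-viewer.yml (added example; the account name is assumed)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # built-in aggregated role: read access to most namespaced objects,
  # no write verbs, and Secrets are deliberately excluded
  name: view
subjects:
  - kind: ServiceAccount
    name: dashboard-viewer
    namespace: kubernetes-dashboard
```

Apply it with `sudo k3s kubectl create -f dashboard-viewer.yml` and issue a one-hour token with `sudo k3s kubectl -n kubernetes-dashboard create token dashboard-viewer --duration=1h`; because the binding is cluster-wide, namespaced resources are readable in every namespace, while Secrets and cluster-scoped objects such as Nodes are outside `view` and the Dashboard reports them as forbidden.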
- Start the Kubernetes Dashboard

```bash
# note --disable-filter: for testing only; it is added here to avoid generating certificates
$ sudo k3s kubectl proxy --address=k8s1 --disable-filter=true
[sudo] password for k8s1:
W0323 09:23:52.802295   97776 proxy.go:175] Request filter disabled, your proxy is vulnerable to XSRF attacks, please be cautious
Starting to serve on 192.168.0.91:8001
```

Open https://192.168.0.91:31001 and the dashboard appears; enter the token obtained in "Get the bearer token" above to log in.
## Simple example

Configuration files:

`nginx-deployment.yml`

```yaml
apiVersion: apps/v1  # depends on the k8s cluster version; `kubectl api-versions` lists the versions the cluster supports
kind: Deployment  # type of this object; here a Deployment
metadata:  # metadata, i.e. the basic attributes and information of the Deployment
  name: nginx-deployment  # name of the Deployment
  labels:  # labels locate one or more resources; key and value are user-defined and several pairs may be set
    app: nginx  # label this Deployment with key app and value nginx
spec:  # description of the Deployment, i.e. how you expect it to run in k8s
  replicas: 3  # number of application instances (Pods) this Deployment keeps running
  selector:  # label selector, works together with the labels above
    matchLabels:  # select resources carrying the label app: nginx
      app: nginx
  template:  # template for the Pods that are selected or created
    metadata:  # Pod metadata
      labels:  # Pod labels; the selector above selects Pods carrying app: nginx
        app: nginx
    spec:  # what the Pod should provide (i.e. what is deployed inside the Pod)
      containers:  # containers to create, the same kind of container as in docker
        - name: nginx  # container name
          image: nginx:alpine  # create the container from the nginx:alpine image
          ports:
            - containerPort: 80  # port exposed by the service inside the container
```

`nginx-service.yml`

```yaml
apiVersion: v1
kind: Service  # type of this object; here a Service
metadata:
  name: nginx-service  # name of the Service
spec:
  selector:  # selects the deployed application instances
    app: nginx  # matches Pods carrying the label app: nginx
  ports:  # exposed ports
    - protocol: TCP  # TCP protocol
      port: 80  # Service port
      targetPort: 80  # port of the service inside the Pod
      nodePort: 30080  # port exposed on every node
  type: NodePort
```

Run:

```bash
$ sudo kubectl create -f nginx-deployment.yml -f nginx-service.yml
# prints the following
deployment.apps/nginx-deployment created
service/nginx-service created
```

Check that the service is running:

```bash
$ sudo kubectl get service
NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes      ClusterIP   10.43.0.1       <none>        443/TCP        3d3h
nginx-service   NodePort    10.43.206.202   <none>        80:30080/TCP   52s
```

Open http://192.168.0.131:30080 and you will see the familiar nginx default page.
## Appendix 1

```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort  # added
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 31001  # added
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.7.0
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.8
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
```
## Closing note

The community project K3D can deploy K3S even faster, and supports Alibaba Cloud, Tencent Cloud, native, and other providers.