Deploying Kubernetes has always been hard, because it traditionally needs dedicated operations tooling such as SaltStack or Ansible. This article walks through deploying a Kubernetes environment with kubeadm instead.
Episode 193 of the GeekTime (极客时间) podcast 卖桃者说 also covered deploying Kubernetes with kubeadm, and made the point that "to really unlock the power of container technology, you cannot limit yourself to studying and using Linux containers themselves".
So the advice is to deploy an environment by hand first, and then dig into the details at your own pace.
If you have no servers of your own, you can rent a few pay-as-you-go servers on Alibaba Cloud; ideally they are in the same zone and on the same private subnet.
| Hostname | IP | Role |
|---|---|---|
| k8s-master | 192.168.1.1 | master node |
| k8s-node01 | 192.168.1.2 | cluster worker node |
kubeadm is a tool that helps you set up a small Kubernetes cluster that follows best practices.
https://github.com/kubernetes/kubeadm
Overall kubeadm is still in Beta, so it is not well suited to production deployments.
The new hostname takes effect only after logging in to the server again.
[root@centos01 ~]# hostnamectl set-hostname k8s-master
[root@centos02 ~]# hostnamectl set-hostname k8s-node01
## Stop the firewall and disable SELinux (the SELinux setting in the file applies at the next boot)
[root@centos01 ~]# systemctl disable firewalld
[root@centos01 ~]# systemctl stop firewalld
[root@centos01 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
[root@centos01 ~]# vim /etc/sysctl.d/k8s.conf
## Add the following lines
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
## Load the bridge netfilter module and apply the settings
[root@centos01 ~]# modprobe br_netfilter
[root@centos01 ~]# sysctl -p /etc/sysctl.d/k8s.conf
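An added example (not from the post) that checks the three host settings above before kubeadm is run: the sysctl file has all three keys set to 1, no swap area is active, and SELinux is disabled (or permissive, which kubeadm also accepts) in the config file. The function names are my own; each check takes the file it reads as a parameter, so it can be tried on constructed copies before being run against the real paths.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the host
# settings the post applies by hand (bridge/forwarding sysctls, swap, SELinux).
# Each check reads a file given as a parameter, so it runs against the real
# paths on a node or against constructed copies for a dry run.

# All three sysctls from /etc/sysctl.d/k8s.conf must be present and set to 1.
sysctl_file_ok() {
  for key in net.bridge.bridge-nf-call-ip6tables \
             net.bridge.bridge-nf-call-iptables \
             net.ipv4.ip_forward; do
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || {
      echo "$1: $key is missing or not 1" >&2
      return 1
    }
  done
}

# kubelet refuses to start with swap active unless --fail-swap-on=false is set.
# /proc/swaps has one header line; any further line is an active swap area.
swap_off() {
  [ "$(awk 'END { print NR }' "$1")" -le 1 ]
}

# kubeadm needs SELinux disabled or permissive; the post sets disabled.
# /etc/sysconfig/selinux (edited in the post) is a symlink to /etc/selinux/config.
selinux_config_ok() {
  grep -Eq '^SELINUX=(disabled|permissive)$' "$1"
}

# Run every check; arguments default to the real system paths.
preflight() {
  sysctl_file_ok    "${1:-/etc/sysctl.d/k8s.conf}" &&
  swap_off          "${2:-/proc/swaps}" &&
  selinux_config_ok "${3:-/etc/selinux/config}"
}
```

Run `preflight` with no arguments on each node after the steps above; a non-zero exit names the setting that is still wrong.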
Set up passwordless SSH login from the master node to the 2 worker nodes.
[root@k8s-master ~]# ssh-keygen
[root@k8s-master ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.10.0.11
[root@k8s-master ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@10.10.0.12
The yum repositories must be configured on all three machines. The master is shown here; configure the worker nodes the same way.
[root@k8s-master ~]# yum -y install wget
[root@k8s-master ~]# cd /etc/yum.repos.d
## Configure the docker-ce repository
[root@k8s-master yum.repos.d]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
## Configure the kubernetes repository
[root@k8s-master yum.repos.d]# vim /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes Repo
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
enabled=1
## Download the package signing keys
[root@k8s-master ~]# wget https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
[root@k8s-master ~]# wget https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
## Import the signing keys into rpm
[root@k8s-master ~]# rpm --import rpm-package-key.gpg
[root@k8s-master ~]# rpm --import yum-key.gpg
[root@k8s-master ~]# yum clean all && yum makecache fast
[root@k8s-master ~]# yum install kubelet-1.14.1 kubeadm-1.14.1 kubectl-1.14.1 docker-ce -y
## Worker nodes do not need the kubectl component
[root@k8s-node01 ~]# yum install kubelet-1.14.1 kubeadm-1.14.1 docker-ce -y
[root@k8s-node02 ~]# yum install kubelet-1.14.1 kubeadm-1.14.1 docker-ce -y
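Since gpgcheck=1 together with the imported keys is what lets yum reject a tampered package, here is an added example (not part of the post) that audits a .repo file before installing: every section must have gpgcheck=1 and https URLs for both baseurl and gpgkey. Run it over kubernetes.repo and docker-ce.repo in /etc/yum.repos.d; the function name is my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a yum .repo file before
# running "yum install". Every [section] must have gpgcheck=1 and must fetch
# both the packages (baseurl) and the signing key (gpgkey) over https; with
# gpgcheck=0 or plain-http URLs a host between the node and the mirror could
# substitute a different package or key without yum noticing.

repo_sections_ok() {
  awk '
    BEGIN { bad = 0 }
    function flush() {
      if (sec == "") return
      if (gpgcheck != "1")          { printf "[%s]: gpgcheck is not 1\n", sec; bad = 1 }
      if (baseurl !~ /^https:\/\//) { printf "[%s]: baseurl is not https\n", sec; bad = 1 }
      if (gpgkey  !~ /^https:\/\//) { printf "[%s]: gpgkey is not https\n", sec; bad = 1 }
    }
    # strip "key = " and trailing whitespace, return the value
    function value() { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); return $0 }
    /^[[:space:]]*#/ { next }                                # comment line
    /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2)   # new section
                 gpgcheck = ""; baseurl = ""; gpgkey = ""; next }
    /^[[:space:]]*gpgcheck[[:space:]]*=/ { gpgcheck = value() }
    /^[[:space:]]*baseurl[[:space:]]*=/  { baseurl  = value() }
    /^[[:space:]]*gpgkey[[:space:]]*=/   { gpgkey   = value() }
    END { flush(); exit bad }
  ' "$1"
}
```

Usage: `repo_sections_ok /etc/yum.repos.d/kubernetes.repo` exits 0 when every section passes and prints one line per problem otherwise.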
## Make kubelet ignore the swap error at startup
[root@k8s-master ~]# vim /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--fail-swap-on=false"
## Enable the services at boot
[root@k8s-master ~]# systemctl daemon-reload
[root@k8s-master ~]# systemctl enable docker && systemctl restart docker
[root@k8s-master ~]# systemctl enable kubelet && systemctl restart kubelet
Since Kubernetes 1.13, kubeadm lets you specify the image repository used for cluster initialization, so we point it directly at the Alibaba Cloud mirror and no longer have to worry about whether the official images can be downloaded from inside China.
[root@k8s-master ~]# swapoff -a
[root@k8s-master ~]# kubeadm init --apiserver-advertise-address=10.10.0.10 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.14.1 \
--pod-network-cidr=10.244.0.0/16
Parameter explanation:
--apiserver-advertise-address: the IP address the API server advertises to the other cluster members (here the master's private address 10.10.0.10)
--image-repository: the registry the control-plane images are pulled from, instead of the default k8s.gcr.io
--kubernetes-version: pins the control-plane version to the installed package version, v1.14.1, instead of looking up the latest stable release online
--pod-network-cidr: the address range for pod IPs; 10.244.0.0/16 is the range the flannel manifest used later in this article expects
The master initialization log looks like this:
........
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 10.10.0.10:6443 --token 5ti5kd.o32bm9lofv6zej94 \
--discovery-token-ca-cert-hash sha256:cd778ad01bdbc656eaff7d3b1273691f0070ebbadd2f1b8a3189a6dc1e88f39f
[root@k8s-master ~]# mkdir -p $HOME/.kube
[root@k8s-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# chown $(id -u):$(id -g) $HOME/.kube/config
## Check the cluster component status
[root@k8s-master ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}
## Check node readiness
### The network plugin is not installed yet and no worker has joined, so only the master node is listed
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 7m33s v1.14.1
A cluster depends on networking, but k8s itself does not implement a pod network; a network plugin has to be deployed separately before the cluster's components can talk to each other. Here we use flannel as the cluster network plugin.
Project: https://github.com/coreos/flannel
## Deploy directly from the online manifest
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
## Or download the manifest locally first and then apply it (mkdir -p, since /opt/k8s does not exist yet)
[root@k8s-master ~]# mkdir -p /opt/k8s/flannel
[root@k8s-master ~]# cd /opt/k8s/flannel
[root@k8s-master ~]# wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
[root@k8s-master ~]# kubectl apply -f kube-flannel.yml
Joining the worker nodes is the same on each node, so one is shown here. The kubeadm join command is the one printed when the master initialization succeeded, as shown above.
swapoff -a
kubeadm join 10.10.0.10:6443 --token 5ti5kd.o32bm9lofv6zej94 \
--discovery-token-ca-cert-hash sha256:cd778ad01bdbc656eaff7d3b1273691f0070ebbadd2f1b8a3189a6dc1e88f39f
kubectl get nodes
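The discovery hash in the join command above is not arbitrary: kubeadm computes it as SHA-256 over the DER-encoded public key (SubjectPublicKeyInfo) of the cluster CA, and the joining node uses it to check that the API server it reached is the right one before it trusts the bootstrap token. The following added example (not from the post) recomputes that hash from /etc/kubernetes/pki/ca.crt, validates the token and hash formats, and assembles the join command; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): recompute the value that
# "kubeadm join" expects in --discovery-token-ca-cert-hash and validate the
# bootstrap token format. kubeadm's hash is sha256 over the DER-encoded
# SubjectPublicKeyInfo of the cluster CA certificate (the documented
# "openssl x509 -pubkey | openssl rsa -pubin -outform der" recipe; this uses
# "openssl pkey", which handles RSA and EC keys alike).

# Print "sha256:<hex>" for the CA certificate at $1 (default: kubeadm's path).
ca_cert_hash() {
  cert=${1:-/etc/kubernetes/pki/ca.crt}
  hex=$(openssl x509 -pubkey -noout -in "$cert" |
        openssl pkey -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -hex | sed 's/^.* //')
  [ -n "$hex" ] || return 1
  printf 'sha256:%s\n' "$hex"
}

# A kubeadm bootstrap token is "<6 chars>.<16 chars>" over [a-z0-9].
bootstrap_token_ok() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The hash must be "sha256:" followed by 64 lowercase hex digits.
ca_hash_ok() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Assemble the join command only if both values pass validation.
join_command() {                  # $1=endpoint $2=token $3=ca hash
  bootstrap_token_ok "$2" || { echo "bad bootstrap token format" >&2; return 1; }
  ca_hash_ok "$3"          || { echo "bad ca cert hash format" >&2; return 1; }
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash %s\n' "$1" "$2" "$3"
}
```

On the master, `ca_cert_hash` must print exactly the sha256 value that `kubeadm init` printed; if a node is handed a hash that does not match, its join fails at the discovery step, which is the intended protection against joining the wrong API server.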
To undo a join on a node (for example before running kubeadm join again), reset kubeadm and remove the flannel/CNI interfaces and state it leaves behind:
kubeadm reset
ifconfig cni0 down && ip link delete cni0
ifconfig flannel.1 down && ip link delete flannel.1
rm -rf /var/lib/cni/
kubernetes-dashboard is a web UI for operating a Kubernetes cluster.
kubectl apply -f http://mirror.faasx.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
# admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
Run: kubectl create -f admin-user.yaml
# admin-user-role-binding.yaml
# binds admin-user to the built-in cluster-admin role, i.e. full control of the cluster
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
https://121.43.234.42:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
kubeadm token list
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXRwcG04Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2MTgxNGE2YS00NGVhLTExZWEtOWZmZi0wMDE2M2ViYzE5YmMiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.V1Z50nShNQCwlsP4xPWbZawRWaZxUTn96NSUB8DDq5Ux6eNf1IePFYVU0DS6MK1eitoq93VxH7dRybifaYCNYgA8AM_6P6CMRmFob96W3LXjnSyBlq9dxd_T_dgPeeo5hvL9ZGt0vDFQk4U7BAKNipGUWIBCjT4BsimzTe7d3CyV4uc8pK84hFRPY8286N524lm8wYN3_HOun51SqjG1a8C3D_TTm0cQXMuyIrz3aUSKCVv9qLJIzZOckEQ-MrKACU_b18K4Zm_8ATcsh6jQhM_GFTHnudLMM0k0vqozLF_tsXjBLsrePe_n5kg-jewbUYVkRPE7pltHZ6DQG-wrmw
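An added example (not from the post) that covers both the binding manifest above and the token below it. It has three parts: a check that flags any ClusterRoleBinding manifest whose roleRef is cluster-admin, a generator for a read-only alternative bound to the built-in view ClusterRole (emitted with the rbac v1 API rather than the post's v1beta1), and a decoder that prints the sub claim of a service-account token so you can see which identity a token such as the one above names. It does not verify the token's signature, only reads its payload. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): two checks around the dashboard
# account. (1) Does a ClusterRoleBinding manifest hand out cluster-admin?
# (2) Which service account does a bearer token belong to? The post's
# admin-user-role-binding.yaml binds admin-user to cluster-admin, so the token
# shown for it is a full-cluster credential; binding to the built-in "view"
# ClusterRole instead gives a read-only dashboard login.

# Exit 0 if the manifest's roleRef names cluster-admin (the risky case).
binds_cluster_admin() {
  awk '
    /^roleRef:/ { in_ref = 1; next }
    /^[^[:space:]]/ { in_ref = 0 }                 # next top-level key ends roleRef
    in_ref && /^[[:space:]]+name:[[:space:]]*cluster-admin[[:space:]]*$/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Print a read-only alternative: bind the service account to the built-in
# "view" ClusterRole (same shape as the post's manifest, rbac v1 API).
view_binding_yaml() {             # $1=service account name $2=namespace
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: $1
  namespace: $2
EOF
}

# Decode the payload (2nd dot-separated part) of a service-account JWT and
# print its "sub" claim, e.g. system:serviceaccount:kube-system:admin-user.
# No signature check: this only shows which identity the token names.
token_subject() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#payload} % 4 )) in                            # restore padding
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null |
    sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}
```

`binds_cluster_admin admin-user-role-binding.yaml` exits 0 for the post's manifest; `view_binding_yaml admin-user kube-system | kubectl apply -f -` is the read-only variant, and `token_subject "$TOKEN"` shows that the token pasted into the dashboard login is the admin-user service account's.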
k8s offers several ways to reach the dashboard, for example kubectl proxy, the apiserver, and a NodePort.
kubectl apply -f http://mirror.faasx.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
Start the proxy
kubectl proxy --address='0.0.0.0' --port=8888 --accept-hosts='^*$'
Logging in through this route does not work: the Dashboard only accepts token or kubeconfig login over HTTPS or from localhost, and kubectl proxy serves plain HTTP. Note also that kubectl proxy attaches the credentials of your kubeconfig to every request it forwards, so binding it to 0.0.0.0 with --accept-hosts='^*$' exposes the API server with your (admin) rights to anyone who can reach port 8888; for anything beyond a quick local test keep it on 127.0.0.1.
https://121.43.234.42:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
This is because recent versions of k8s enable RBAC by default and give unauthenticated requests a default identity, anonymous, which has no access to the dashboard service.
cp /etc/kubernetes/admin.conf $HOME/.kube/config
# Extract the client certificate (client-certificate-data); write with > rather than >> so a re-run does not append a second copy
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
# Extract the client private key (client-key-data)
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
# Bundle them into a PKCS#12 file that can be imported into the browser
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
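An added example (not the post's own code) wrapping the three commands above: it decodes the certificate and key from the kubeconfig into owner-only files, checks that the key actually belongs to the certificate and that the certificate is not about to expire, and only then builds the PKCS#12 file with a password supplied as a parameter. Function names (kubeconfig_field, cert_matches_key, export_client_p12) and the 7-day expiry margin are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the post's three commands for
# turning the kubeconfig's client certificate into a browser-importable .p12,
# wrapped with the checks a practitioner wants before handing the cluster's
# admin credential to a browser: the decoded key must belong to the decoded
# certificate, and the certificate must not be about to expire. Output files
# are created with mode 600 (umask 077) because they are the admin credential.

# Decode one base64 field of a kubeconfig (client-certificate-data or
# client-key-data) into $3, readable only by the owner.
kubeconfig_field() {            # $1=kubeconfig $2=field name $3=output path
  ( umask 077; grep "$2" "$1" | head -n 1 | awk '{print $2}' | base64 -d > "$3" )
  [ -s "$3" ]
}

# True if the certificate's public key equals the private key's public key
# (both compared as sha256 over their DER SubjectPublicKeyInfo).
cert_matches_key() {            # $1=cert.pem $2=key.pem
  openssl x509 -noout -in "$1" 2>/dev/null || return 1     # must parse as a cert
  openssl pkey -noout -in "$2" 2>/dev/null || return 1     # must parse as a key
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform der | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform der | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Export client cert + key from a kubeconfig into $2/kubecfg.p12.
export_client_p12() {           # $1=kubeconfig $2=output dir $3=p12 password
  cfg=$1; out=$2; pw=$3
  kubeconfig_field "$cfg" client-certificate-data "$out/kubecfg.crt" || return 1
  kubeconfig_field "$cfg" client-key-data         "$out/kubecfg.key" || return 1
  cert_matches_key "$out/kubecfg.crt" "$out/kubecfg.key" ||
    { echo "kubecfg.crt does not match kubecfg.key" >&2; return 1; }
  # refuse a certificate that expires within 7 days (604800 seconds)
  openssl x509 -noout -in "$out/kubecfg.crt" -checkend 604800 >/dev/null ||
    { echo "client certificate expires within 7 days" >&2; return 1; }
  ( umask 077
    openssl pkcs12 -export -clcerts -inkey "$out/kubecfg.key" -in "$out/kubecfg.crt" \
      -out "$out/kubecfg.p12" -name kubernetes-client -passout "pass:$pw" )
}
```

Usage on the master: `export_client_p12 ~/.kube/config . 'chosen-password'`, then import kubecfg.p12 into the browser; delete kubecfg.key and kubecfg.p12 from the server afterwards, since they grant the same access as admin.conf.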
Because of this certificate problem we cannot access it; a valid certificate has to be specified when deploying the Dashboard before it can be reached. In a production environment, accessing the Dashboard through a NodePort is not recommended.
https://121.43.234.42:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default
## Docker sets the iptables FORWARD chain policy to DROP, which blocks pod-to-pod traffic across nodes; set it back to ACCEPT
iptables -P FORWARD ACCEPT
Deploy a test service, using nginx as the example.
kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80 --type=NodePort
kubectl get pods
nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
Without an explicit namespace the deployment lands in the default namespace.
kubectl apply -f nginx-deployment.yaml
kubectl get deployments
kubectl describe pod demo-tomcat-6894dcb86b-jtbmt
kubectl get pod --namespace=kube-system -o wide | grep dashboard
kubectl get pods --all-namespaces -o wide
kubectl get services --all-namespaces
curl http://127.0.0.1:8080
kubectl get pods --namespace=kube-system
In production, when a service needs to scale out, use the Scale mechanism of a Deployment/RC.
Kubernetes supports both manual and automatic scaling of Pods.
kubectl scale deployment nginx-deployment --replicas=4
kubectl scale deployment nginx-deployment --replicas=2
Deploying Kubernetes with kubeadm is considerably simpler than with other tools; the whole deployment can be done in about 2 hours.
I have also put learning k8s on this year's study list, and recommend the GeekTime course "深入剖析 Kubernetes" (Kubernetes in depth).
Fixing the Dashboard being unreachable after deploying Kubernetes (k8s) on CentOS 7
https://blog.csdn.net/fei79534672/article/details/78710858
Accessing the kube-apiserver secure port from a browser
https://www.orchome.com/1204
kubernetes-dashboard (1.8.3) deployment and pitfalls
https://www.cnblogs.com/RainingNight/p/deploying-k8s-dashboard-ui.html
Deploying Kubernetes 1.14 with kubeadm
https://www.cnblogs.com/tchua/p/10897980.html
Kubernetes Handbook: Kubernetes Chinese guide / cloud-native application architecture practice handbook
https://jimmysong.io/kubernetes-handbook/
Installing the dashboard add-on
https://jimmysong.io/kubernetes-handbook/practice/dashboard-addon-installation.html
Exposing k8s containers for external access
https://blog.csdn.net/myth_g/article/details/85128716