介绍
kubeadm和二进制安装备受关注,在生产环境中可以用kubeadm创建吗?如果仅仅只是使用,不打算做一些扩展或开发,没有问题。所以想用于生产环境也是可以的,别觉得是不是没有二进制好啊。
本次实验环境如下:
主机名 | IP | 系统 | CPU | 内存 |
---|---|---|---|---|
k8s-master | 10.0.0.101 | centos7.5 | 2cpu | 2G |
node1 | 10.0.0.102 | centos7.5 | 2cpu | 2G |
node2 | 10.0.0.103 | centos7.5 | 2cpu | 2G |
安装要求
内存不要低于2G,保证三台机器网络互通,可以访问外网拉取镜像
禁止swap
环境准备
关闭防火墙
关闭selinux
关闭swap
设置主机名
在master端添加所有节点hosts解析记录
所有机器时间同步
所有节点执行
将桥接的IPv4流量传递到iptables的链:
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system # 生效
安装docker
所有节点中安装docker
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum -y install docker-ce
systemctl enable docker && systemctl start docker
修改国内镜像源
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://n6ei3rs2.mirror.aliyuncs.com"]
}
EOF
systemctl restart docker # 一定要重启
docker info
安装kubeadm、kubelet和kubectl
添加YUM源
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
安装时指定版本号,官方更新比较快
yum install -y kubelet-1.19.0 kubeadm-1.19.0 kubectl-1.19.0
systemctl enable kubelet
部署kubernetes Master节点
官方文档参考
https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#initializing-your-control-plane-node
在Master上执行:
kubeadm init \
--apiserver-advertise-address=10.0.0.101 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.19.0 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=all
- –apiserver-advertise-address 集群通告地址
- –image-repository 由于默认拉取镜像地址k8s.gcr.io国内无法访问,这里指定阿里云镜像仓库地址
- –kubernetes-version K8s版本,与上面安装的一致
- –service-cidr 集群内部虚拟网络,Pod统一访问入口
- –pod-network-cidr Pod网络,,与下面部署的CNI网络组件yaml中保持一致
或者使用配置文件引导也是可以的
vim kubeadm.conf
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.18.0
imageRepository: registry.aliyuncs.com/google_containers
networking:
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
kubeadm init --config kubeadm.conf --ignore-preflight-errors=all
看到如下提示表示初始化成功:
...
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 10.0.0.101:6443 --token sw1sl7.edpif8zf97hq4it2 \
--discovery-token-ca-cert-hash sha256:9dc09829cf52f1daa3d6d336e959f84841d918f6f7b585ec197ddc505c430b60
拷贝kubectl使用的连接k8s认证文件到默认路径:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
[root@k8s-master ~]# ll .kube/
total 8
-rw------- 1 root root 5562 Oct 22 22:47 config
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 4m57s v1.19.0
node加入kubernetes集群
使用master提供的加入命令
kubeadm join 10.0.0.101:6443 --token sw1sl7.edpif8zf97hq4it2 \
--discovery-token-ca-cert-hash sha256:9dc09829cf52f1daa3d6d336e959f84841d918f6f7b585ec197ddc505c430b60
默认token有效期为24小时,当过期之后,该token就不可用了。这时就需要重新创建token,操作如下:
kubeadm token create
$ kubeadm token list
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
63bca849e0e01691ae14eab449570284f0c3ddeea590f8da988c07fe2729e924
$ kubeadm join 192.168.31.61:6443 --token nuja6n.o3jrhsffiqs9swnu --discovery-token-ca-cert-hash sha256:63bca849e0e01691ae14eab449570284f0c3ddeea590f8da988c07fe2729e924
或者直接命令快捷生成:
https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
kubeadm token create --print-join-command
查看node节点
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 7m17s v1.19.0
k8s-node1 NotReady <none> 39s v1.19.0
k8s-node2 NotReady <none> 24s v1.19.0
部署容器网络(CNI)
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network
注意:只需要部署下面其中一个,推荐Calico。
Calico是一个纯三层的数据中心网络方案,Calico支持广泛的平台,包括Kubernetes、OpenStack等。
Calico 在每一个计算节点利用 Linux Kernel 实现了一个高效的虚拟路由器( vRouter) 来负责数据转发,而每个 vRouter 通过 BGP 协议负责把自己上运行的 workload 的路由信息向整个 Calico 网络内传播。
此外,Calico 项目还实现了 Kubernetes 网络策略,提供ACL功能。
https://docs.projectcalico.org/getting-started/kubernetes/quickstart
# 获取yaml
下载完后还需要修改里面定义Pod网络(CALICO_IPV4POOL_CIDR),与前面kubeadm init指定的一样
修改完后应用清单:
kubectl apply -f calico.yaml
kubectl get pods -n kube-system
测试kubernetes集群
- 验证Pod工作
- 验证Pod网络通信
- 验证DNS解析
在Kubernetes集群中创建一个pod,验证是否正常运行:
[root@k8s-master ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-7d569d95-cm46t 0/1 Pending 0 111s
calico-node-4bzfm 1/1 Running 0 111s
calico-node-pkkr5 1/1 Running 0 111s
calico-node-wkcrn 1/1 Running 0 111s
coredns-6d56c8448f-t4lj4 0/1 Pending 0 22m
coredns-6d56c8448f-wgg8t 0/1 Pending 0 22m
etcd-k8s-master 1/1 Running 0 22m
kube-apiserver-k8s-master 1/1 Running 0 22m
kube-controller-manager-k8s-master 0/1 Running 1 22m
kube-proxy-8kxj5 1/1 Running 0 16m
kube-proxy-gk9ql 1/1 Running 0 22m
kube-proxy-shh6z 1/1 Running 0 15m
kube-scheduler-k8s-master 0/1 Running 2 22m
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 23m v1.19.0
k8s-node1 Ready <none> 17m v1.19.0
k8s-node2 Ready <none> 17m v1.19.0
[root@k8s-master ~]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
[root@k8s-master ~]# kubectl expose deployment nginx --port=80 --type=NodePort
service/nginx exposed
[root@k8s-master ~]# kubectl get pods,services
NAME READY STATUS RESTARTS AGE
pod/nginx-6799fc88d8-sp5gh 1/1 Running 0 41s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 25m
service/nginx NodePort 10.107.192.145 <none> 80:32616/TCP 14s
可以通过http://nodeIP:32616
访问
布署Dashboard
默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部:
vim recommended.yaml
......
应用清单并检查
[root@k8s-master ~]# kubectl apply -f recommended.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
[root@k8s-master ~]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-7b59f7d4df-bc9xf 1/1 Running 0 20s
kubernetes-dashboard-5dbf55bd9d-7j24x 1/1 Running 0 20s
测试访问:https://nodeIP:30001
此时我们需要一个token
创建service account并绑定默认cluster-admin管理员集群角色:
创建用户
kubectl create serviceaccount dashboard-admin -n kube-system
用户授权
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
获取用户Token
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
将生成的token复制到登陆界面
写的很好。
快速在docker中启动一个mysql数据库
docker run -d --name mysql -v ~/mysql/data:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=a111111 -p 3306:3306 mysql:5.7
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'a111111' WITH GRANT OPTION;
FLUSH PRIVILEGES;
一、临时生效,重启失效
1、sysctl -w net.ipv4.ip_forward=1
2、echo 1 > /proc/sys/net/ipv4/ip_forward
二、永久生效
修改 /etc/sysctl.conf,增加一条:net.ipv4.ip_forward = 1
要想是更改生效,你需要执行以下指令:
sysctl -p /etc/sysctl.conf