Kubernetes(K8s)最新版搭建

Kubernetes简单介绍

Kubernetes意为舵手,简称K8s。
前身是Google的Borg。所以一开源就吸引了一大批注意力。
因为谷歌,所以墙。在国内搭建K8s非常头疼。
下面我就来介绍一下,怎么绕过墙来部署k8s。

环境准备

节点 | 操作系统 | IP
master | CentOS7 | 192.168.191.138
worker1 | CentOS7 | 192.168.191.139
worker2 | CentOS7 | 192.168.191.140

小贴士:
根据实际环境灵活变动ip和节点数量

初始化环境

# Disable firewalld and SELinux (run on every node).
# NOTE(review): this removes two host-level controls. If firewalld is kept, the
# ports the control plane and kubelets use must be opened instead, and SELinux
# "permissive" (what setenforce 0 gives at runtime) is the less drastic option
# than "disabled" in /etc/selinux/config.
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
# setenforce only affects the running system; this persists the choice.
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# Permanently disable swap (kubeadm's preflight check fails while swap is on).
swapoff -a
sysctl -w vm.swappiness=0
vim /etc/fstab	#comment out the swap mount, otherwise swap is back after a reboot
# Set the hostname — one of these three lines per node.
hostnamectl --static set-hostname master
hostnamectl --static set-hostname worker1
hostnamectl --static set-hostname worker2
# Log out and back in for the new hostname to take effect.
# Hostname-to-IP mapping (same content on every node).
vim /etc/hosts		#add the lines below, then ping each name to verify
	192.168.191.138	master
	192.168.191.139	worker1
	192.168.191.140	worker2

安装Docker

所有节点都要安装

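# step 1: base tooling required by the docker-ce repository.
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repo definition. Fetched over HTTPS (the original used plain
# http): this .repo file names the GPG key used for every later package
# download, so it must not be replaceable in transit.
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh metadata and install Docker CE.
sudo yum makecache fast
sudo yum -y install docker-ce
# Step 4: start Docker now and at boot.
sudo systemctl start docker
sudo systemctl enable docker
# Step 5: daemon configuration, written as one complete file.
# "registry-mirrors" is the pull-through mirror (replace <加速器地址> with your own).
# "exec-opts" selects the systemd cgroup driver that kubelet expects; setting it
# here means the later "cgroup driver" step does not have to overwrite this file
# and lose the mirror entry.
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["<加速器地址>"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker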

小贴士:
加速器地址可以在阿里云上容器镜像服务中的镜像加速器获得。

安装kubelet、kubeadm、kubectl

所有节点都要安装

x86使用这个软件源:

#设置kubernetes软件源
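# Kubernetes yum repository (x86_64).
# Written with ">" instead of ">>" so that re-running this step does not append
# a second [kubernetes] section to the same file.
# gpgcheck=1: yum verifies every package signature against the two upstream
# keys mirrored here, so a tampered mirror or intercepted download is rejected
# (the original had gpgcheck=0, i.e. installed whatever the mirror served).
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF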

arm使用这个软件源:

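# Kubernetes yum repository (aarch64).
# ">" rather than ">>" keeps the step idempotent (no duplicate section on re-run).
# gpgcheck=1 verifies each package signature with the two upstream keys, which
# are now fetched over HTTPS (the original listed them over plain http with
# gpgcheck=0, so no signature was ever checked).
# repo_gpgcheck stays 0 as in the original: repository metadata is not
# signature-checked; set it to 1 if the mirror's repomd signature verifies in
# your environment.
cat > /etc/yum.repos.d/kubernetes.repo <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-aarch64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF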

安装:

# Drop the old cache so the new repo definition is read, then install the
# three components. No version is pinned, so this installs whatever the repo
# currently calls latest; every node must end up on the same version.
yum clean all && yum makecache
yum install -y kubelet kubeadm kubectl
kubectl version		#note the installed version (important: all nodes must match)

所有节点修改cgroup driver

不改的话,在 kubeadm init / kubeadm join 时会出现报错:It seems like the kubelet isn’t running or healthy.

参考文档:

  • https://stackoverflow.com/questions/52119985/kubeadm-init-shows-kubelet-isnt-running-or-healthy
  • https://www.cnblogs.com/architectforest/p/12988488.html
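# Switch Docker's cgroup driver to systemd on every node; without it
# kubeadm init/join fails with "kubelet isn't running or healthy" (see above).
# The file is written whole rather than edited by hand, so the
# "registry-mirrors" entry created during the Docker install is kept
# (replace <加速器地址> as before).
tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["<加速器地址>"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload
systemctl restart docker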

K8s初始化

在Master上执行。

# 192.168.191.138 is the master's IP; the API server advertises and listens on it.
# --image-repository=registry.aliyuncs.com/google_containers pulls the control-plane
# images through an Aliyun proxy; the default registry is blocked in China and the pull fails.
# --pod-network-cidr must agree with the CIDR configured in the pod-network manifest applied later.
kubeadm init --apiserver-advertise-address 192.168.191.138 --pod-network-cidr=10.10.0.0/16 --image-repository=registry.aliyuncs.com/google_containers
# Save the "kubeadm join ..." line from the output; it carries a bootstrap token
# and the CA hash, so treat it as a credential, not as documentation.

设置环境变量:(具体以上面 kubeadm init 命令的输出为准)

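# Give the current user a kubeconfig, as the kubeadm init output instructs.
# All expansions are quoted (the original left $HOME and $(id -u) bare).
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
# The original additionally appended KUBECONFIG=/etc/kubernetes/admin.conf to
# /etc/profile. That points every login shell on the host at the root-only
# cluster-admin file and overrides the per-user copy just made, so it is
# dropped: kubectl reads ~/.kube/config by default.
kubectl cluster-info		#verify kubectl can reach the API server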

设置系统参数

不设置此参数就会出现这个问题:https://blog.csdn.net/alex_yangchuansheng/article/details/120031108

# 所有节点都运行
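# Run on every node.
# The original set the key only for the running kernel (sysctl -w plus a write
# to /proc), so it was lost at reboot. A sysctl.d drop-in persists it; the
# br_netfilter module must be loaded first or the net.bridge.* keys do not
# exist, so it is loaded now and registered for boot as well.
modprobe br_netfilter
cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF
# ip_forward is required for pod traffic to be routed between nodes;
# the ip6tables key mirrors the IPv4 one.
cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system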

设置K8s自启

# 所有节点运行
# Run on every node: start kubelet automatically at boot.
systemctl enable kubelet

Master安装Pod网络

Pod网络用于Pod之间进行通信。这里我们选用flannel网络方案。

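# Install the flannel pod network (run on the master).
# The manifest is saved to a file first so it can be read before it is applied
# with cluster-wide privileges, and so its pod CIDR can be corrected: the
# upstream file hard-codes "Network": "10.244.0.0/16", while this cluster was
# initialised with --pod-network-cidr=10.10.0.0/16. The two must agree or the
# flannel pods fail to set up their subnets.
# NOTE(review): the "master" branch of a repository moves; pin the URL to a
# release tag once one has been chosen and reviewed.
curl -fsSLo kube-flannel.yml https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
grep -n '"Network"' kube-flannel.yml		#confirm the CIDR the downloaded file carries
sed -i 's#10.244.0.0/16#10.10.0.0/16#g' kube-flannel.yml
kubectl apply -f kube-flannel.yml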

节点加入集群

具体请以 K8s 初始化(kubeadm init)时的输出信息为准。

# Run on each worker. Both values come from the master's kubeadm init output:
# the token is a bootstrap credential (kubeadm tokens expire, 24h by default)
# and the hash pins the cluster CA so the worker only joins the intended
# control plane — never drop the --discovery-token-ca-cert-hash part.
# If the token has expired, "kubeadm token create --print-join-command" on the
# master prints a fresh join line.
kubeadm join 192.168.191.138:6443 --token x0vkbm.4hlahqu9kg8bjcw6 \
    --discovery-token-ca-cert-hash sha256:186f52874bd90801d8a3bda948c196d708953b8d8761aaa061082c51a525fbf3

检查各节点状态:

# Run on the master. A node that has just joined shows NotReady until its
# pod-network pod is up, then flips to Ready.
kubectl get nodes		#newly joined nodes move from NotReady to Ready after a while

到这里,k8s就安装好了。

常见问题

  • 问:宿主机重启后k8s无法启动。
    答:可以重新 kubeadm init(这会重建整个集群;先检查重启后交换分区是否重新启用、sysctl 参数是否丢失)

下载Dashboard

小贴士:
可以在https://github.com/kubernetes/dashboard/releases上查看最新版本

#所有节点下载
# Pull the dashboard image on every node (the Deployment may be scheduled onto any of them).
# NOTE(review): mirrorgooglecontainers is a third-party mirror of the upstream image
# and a tag is mutable; record the digest from the pull and reference it as
# "@sha256:<digest>" in the manifest if the same bytes must be guaranteed on every node.
docker pull docker.io/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

安装Dashboard

#这里master上运行
建议使用notepad++保存后上传。

vim kubernetes-dashboard.yaml
# Paste the manifest below. One thing to adjust: the kubernetes-dashboard image
# tag (use exactly the tag that was pulled on the nodes).

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #
# Empty Opaque Secret reserved for the dashboard's TLS material.
# NOTE(review): the Deployment in this file mounts a hostPath (/var/share/certs)
# at /certs rather than this Secret, so the object is created but not used here.

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #
# Identity the dashboard pod runs as (serviceAccountName in the Deployment).
# It is bound only to the namespaced Role below; the cluster-admin binding in
# dashboard-user-role.yaml belongs to the separate "admin" account used to log in.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #
# Least-privilege Role for the dashboard's own operation: it can create two
# named objects and then only read/update those, all inside kube-system.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
# Grants the minimal Role above to the dashboard's own ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
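# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
# apps/v1beta2 was removed from the API server in Kubernetes 1.16, so creating
# this file on a current cluster fails with "no matches for kind Deployment".
# apps/v1 accepts every field used here (it requires spec.selector, which is set).
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        # Must be the tag pulled on the nodes. Referencing the image by
        # "@sha256:<digest>" instead of a tag is the only way to guarantee every
        # node runs the same bytes.
        image: docker.io/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          - --token-ttl=5400
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        # hostPath volume: the key/certificate generated later must exist in this
        # directory on every node the pod can land on (the tolerations below
        # allow the master as well).
        hostPath:
          path: /var/share/certs
          type: Directory
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule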

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
      # NodePort: the dashboard is reachable on port 31234 of every node's IP,
      # not only the master's. If the nodes sit on a network that untrusted
      # hosts can reach, restrict this port at the host firewall / security group.
      nodePort: 31234
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort
# Run on the master. "create" fails if any of the objects already exists;
# "kubectl apply -f" is the idempotent alternative when re-running.
kubectl create -f kubernetes-dashboard.yaml

生成私钥和证书签名

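# Create the directory the Deployment's hostPath volume expects — on every node.
mkdir -p /var/share/certs
# Generate the private key and a self-signed certificate on the master.
# The original produced a passphrase-protected key with the trivial passphrase
# "x" and immediately stripped the passphrase again; generating the key
# unencrypted in one step yields the same file without the intermediate copy.
openssl genrsa -out dashboard.key 2048
chmod 600 dashboard.key
# -subj makes the CSR non-interactive (the original accepted every prompt's default).
openssl req -new -key dashboard.key -subj "/CN=kubernetes-dashboard" -out dashboard.csr
openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt
# The pod mounts /var/share/certs from whichever node runs it, so the files must
# be present on every node. The original's "scp" to a local path only populated
# the master's directory; the workers stayed empty.
cp dashboard.key dashboard.crt /var/share/certs/
chmod 600 /var/share/certs/dashboard.key
for node in worker1 worker2; do
  scp dashboard.key dashboard.crt "${node}:/var/share/certs/"
  ssh "$node" chmod 600 /var/share/certs/dashboard.key
done
# NOTE(review): if the dashboard container runs as a non-root uid, the 0600
# key must be readable by that uid — confirm against the image before tightening further.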

配置dashboard-user-role.yaml

# Run on the master.
vim dashboard-user-role.yaml
# Paste the content below. It creates the "admin" ServiceAccount whose token is
# used to log in and binds it to cluster-admin — see the note in the manifest.
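kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has been
# served since 1.8 and the object's fields are identical.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
# Binds the built-in cluster-admin ClusterRole to the "admin" ServiceAccount
# whose token is pasted into the dashboard login. Whoever holds that token has
# full control of the cluster; for anything beyond a lab, bind a narrower role
# (for example a namespaced Role, as the dashboard's own account uses).
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system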
---
# Login account for the dashboard: the token of this ServiceAccount's secret is
# what the web UI asks for (see the "kubectl describe secret" step below).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
# Run on the master; "kubectl apply -f" is the idempotent alternative if re-running.
kubectl create -f dashboard-user-role.yaml

查看集群情况


Web访问

  • 使用火狐浏览器,其他浏览器不能保证能访问成功。
  • https://192.168.191.138:31234
  • 使用Token登陆
鸣谢

感谢这个老哥给的提示https://www.cnblogs.com/51wansheng/p/10298349.html
