Section 2: Kubernetes installation and deployment
I. Common ways to install and deploy K8S:
(1) Minikube: a single-node miniature K8S, for learning and previews only
    Documentation -- Try Kubernetes -- Hello Minikube -- Launch Terminal
    $ kubectl get pods -n kube-system
(2) Binary installation (the first choice for production; recommended for beginners, because every component is installed and configured by hand, so you learn what each one does)
(3) Deployment with kubeadm, the K8S deployment tool, which itself runs inside K8S (relatively simple; recommended for experienced users)
PS: https://blog.stanley.wang
Quick reference for the same preparation on a 10.27.61.0/24 lab (five CentOS 7.6 hosts); the full walkthrough with explanations follows in section II.

Base packages on all hosts:
    # yum install epel-release
    # curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
    # yum install wget net-tools telnet tree nmap sysstat lrzsz bind-utils dos2unix -y

Install DNS on hdss7-11 and configure bind9:
    # yum install bind -y
    # vi /etc/named.conf
        listen-on port 53 { 10.27.61.11; };   # listen on this host's address only
        allow-query { any; };
        forwarders { 10.27.61.254; };          # upstream resolver
        recursion yes;                         # recursive queries (as opposed to iterative)
        dnssec-enable no;
        dnssec-validation no;
    # named-checkconf                          # check the configuration

Zone definitions:
    # vim /etc/named.rfc1912.zones
        zone "host.com" IN {
            type master;
            file "host.com.zone";
            allow-update { 10.27.61.11; };
        };
        zone "od.com" IN {
            type master;
            file "od.com.zone";
            allow-update { 10.27.61.11; };
        };

Zone data file /var/named/host.com.zone (the host domain):
    $ORIGIN host.com.
    $TTL 600        ; 10 minutes
    @   IN SOA dns.host.com. dnsadmin.host.com. (
                2021110201 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.host.com.
    $TTL 60         ; 1 minute
            AAAA ::1                     ; owner inherited from the line above, i.e. host.com. itself
    dns         A    10.27.61.11
    HDSS7-11    A    10.27.61.11
    HDSS7-12    A    10.27.61.12
    HDSS7-21    A    10.27.61.13
    HDSS7-22    A    10.27.61.15
    HDSS7-200   A    10.27.61.16

Business zone data file /var/named/od.com.zone:
    $ORIGIN od.com.
    $TTL 600        ; 10 minutes
    @   IN SOA dns.od.com. dnsadmin.od.com. (
                2021110201 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.od.com.
    $TTL 60         ; 1 minute
    dns         A    10.27.61.11

Check the configuration, start named and confirm what it listens on:
    # named-checkconf
    [root@hdss7-11 ~]# systemctl start named
    [root@hdss7-11 ~]# netstat -ntplu | grep 53
    tcp   0  0 10.27.61.11:53   0.0.0.0:*  LISTEN  23383/named
    tcp   0  0 127.0.0.1:953    0.0.0.0:*  LISTEN  23383/named
    tcp6  0  0 ::1:953          :::*       LISTEN  23383/named
    udp   0  0 10.27.61.11:53   0.0.0.0:*          23383/named
Port 53 is the DNS service on the lab address; port 953 is the rndc control channel and stays on loopback only. Because allow-query is any and recursion is on, this server is an open resolver for everything that can reach port 53; that is acceptable on an isolated lab segment, otherwise restrict allow-query and allow-recursion to the lab subnet. Verify resolution with the dig checks shown in section II.
Appendix: Kubernetes cluster architecture diagram
II. Pre-deployment work
1. Install bind
One of the host-naming rules: the hostname has nothing to do with the business; it is region + the last two octets of the IP (hdss7-11 is 192.168.153.11, hdss7-200 is 192.168.153.200). All hosts in this lab sit on 192.168.153.0/24; the bind listener, the A records and every client's DNS1 must use the same address, otherwise the dig and resolv.conf checks below fail.

1. Adjust the operating system, on all hosts:

Adjust the yum source: install epel-release
    # yum install -y epel-release

Install the necessary tools
    # yum install -y wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils

Check the kernel version; Docker needs 3.10 or newer, and CentOS 7 ships 3.10
    # uname -a

2. Install bind on hdss7-11
    [root@hdss7-11 ~]# yum install -y bind
    [root@hdss7-11 ~]# rpm -qa bind

Configure bind (the working attributes of the BIND process and the zone definitions)
    [root@hdss7-11 ~]# vi /etc/named.conf
        listen-on port 53 { 192.168.153.11; };   # listen on this host's IP only
        listen-on-v6 port 53 { ::1; };           # delete this line: do not listen on IPv6
        allow-query { any; };                     # any host may query
        forwarders { 192.168.153.2; };            # the upstream DNS of the office network
        recursion yes;                            # answer queries recursively
        dnssec-enable no;                         # off to save resources (production may want it on)
        dnssec-validation no;                     # off: no validation against the internet trust chain
allow-query any together with recursion yes makes this an open resolver for whoever can reach port 53; fine on an isolated lab segment, otherwise restrict allow-query and allow-recursion to the lab subnet. Newer BIND releases have dropped the dnssec-enable option; CentOS 7's BIND 9.11 still accepts it.

Check that the configuration file is valid (exit status 0)
    [root@hdss7-11 ~]# named-checkconf
    [root@hdss7-11 ~]# echo $?
    0

Configure the zone definitions: append to the end of the file
    [root@hdss7-11 ~]# vi /etc/named.rfc1912.zones
        zone "host.com" IN {
            type master;
            file "host.com.zone";
            allow-update { 192.168.153.11; };
        };
        zone "od.com" IN {
            type master;
            file "od.com.zone";
            allow-update { 192.168.153.11; };
        };
allow-update lets the listed address push dynamic updates (nsupdate) into the zone. The zones here are edited by hand, so allow-update { none; } is the safer setting unless you actually use nsupdate.

Configure the zone data files. host.com is the host domain (one A record per machine); od.com is the business domain, where service names such as harbor are added later.
    [root@hdss7-11 ~]# vi /var/named/host.com.zone
    $ORIGIN host.com.
    $TTL 600        ; 10 minutes
    @   IN SOA dns.host.com. dnsadmin.host.com. (   ; start of authority (SOA) record; dnsadmin.host.com. is the admin mailbox with @ written as .
                2019120901 ; serial: the date the zone was written plus a two-digit sequence number
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.host.com.                      ; NS record
    $TTL 60         ; 1 minute
    dns         A    192.168.153.11                 ; A records
    HDSS7-11    A    192.168.153.11
    HDSS7-12    A    192.168.153.12
    HDSS7-21    A    192.168.153.21
    HDSS7-22    A    192.168.153.22
    HDSS7-200   A    192.168.153.200

    [root@hdss7-11 ~]# vi /var/named/od.com.zone
    $ORIGIN od.com.
    $TTL 600        ; 10 minutes
    @   IN SOA dns.od.com. dnsadmin.od.com. (
                2019120901 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.od.com.
    $TTL 60         ; 1 minute
    dns         A    192.168.153.11

Check the configuration again, then test the zone data files
    [root@hdss7-11 ~]# named-checkconf
    [root@hdss7-11 ~]# echo $?
    0
    [root@hdss7-11 named]# named-checkzone "host.com" /var/named/host.com.zone
    zone host.com/IN: loaded serial 2019120901
    OK
    [root@hdss7-11 named]# named-checkzone "od.com" /var/named/od.com.zone
    zone od.com/IN: loaded serial 2019120901
    OK

Fix the group and permissions of the zone files (named must be able to read them; nobody else needs to)
    [root@hdss7-11 named]# chown root:named /var/named/host.com.zone
    [root@hdss7-11 named]# chown root:named /var/named/od.com.zone
    [root@hdss7-11 named]# chmod 640 /var/named/host.com.zone
    [root@hdss7-11 named]# chmod 640 /var/named/od.com.zone

Start named
    [root@hdss7-11 named]# systemctl restart named
    [root@hdss7-11 named]# systemctl enable named

Check the listening ports
    [root@hdss7-11 named]# netstat -luntp | grep 53

Verify resolution
    [root@hdss7-11 named]# dig -t A hdss7-21.host.com @192.168.153.11 +short
    192.168.153.21
    [root@hdss7-11 named]# dig -t A hdss7-200.host.com @192.168.153.11 +short
    192.168.153.200

Point the client at the new DNS
    [root@hdss7-11 named]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
    DNS1="192.168.153.11"
    [root@hdss7-11 named]# systemctl restart network
    [root@hdss7-11 named]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search host.com
    nameserver 192.168.153.11
    [root@hdss7-11 named]# ping hdss7-21.host.com

Add the host domain as a search domain (search host.com) so that short names work too: it is what lets "ping hdss7-21" resolve to hdss7-21.host.com. If NetworkManager does not generate the line, set DOMAIN="host.com" in the same ifcfg file.
    [root@hdss7-11 named]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search host.com
    nameserver 192.168.153.11
    [root@hdss7-11 named]# ping hdss7-21

Change the DNS on all hosts the same way and restart networking
    # vi /etc/sysconfig/network-scripts/ifcfg-ens33
    DNS1="192.168.153.11"
    # systemctl restart network

Also set the DNS of the VM host's virtual NIC to 192.168.153.11: IPv4 -- Advanced -- change the interface metric to 20.
Set the DNS of your own workstation's NIC to 192.168.153.11 in the same way: IPv4 -- Advanced -- change the interface metric to 20.
2. Prepare the certificate-signing environment

On the ops host HDSS7-200.host.com: install CFSSL, the certificate signing tool (release R1.2). Downloads: cfssl, cfssl-json, cfssl-certinfo.
    [root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
    [root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
    [root@hdss7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
    [root@hdss7-200 ~]# chmod +x /usr/bin/cfssl*
    [root@hdss7-200 ~]# which cfssl-certinfo
Newer cfssl releases are published on GitHub (cloudflare/cfssl) with checksums. Whichever source you use, these binaries become the cluster's signing tool, so verify the download against a published checksum rather than executing whatever wget fetched.

Issue the root certificate: create the JSON configuration for the CA certificate signing request (CSR)
    [root@hdss7-200 ~]# cd /opt/
    [root@hdss7-200 opt]# mkdir certs
    [root@hdss7-200 opt]# cd certs/
    [root@hdss7-200 certs]# vi /opt/certs/ca-csr.json
    {
        "CN": "OldboyEdu",
        "hosts": [
        ],
        "key": {
            "algo": "rsa",
            "size": 2048
        },
        "names": [
            {
                "C": "CN",
                "ST": "beijing",
                "L": "beijing",
                "O": "od",
                "OU": "ops"
            }
        ],
        "ca": {
            "expiry": "175200h"
        }
    }

Field meanings (JSON allows no comments, so keep these out of the file itself or cfssl will refuse to parse it):
    CN      common name; the browser checks this field to decide whether a site is legitimate. For server certificates it is normally the domain name, so it matters a great deal.
    key     algo is the algorithm, size the key length.
    C       country
    ST      state or province
    L       locality, the city
    O       organization, the company name
    OU      organizational unit, the department
    expiry  validity period; every certificate expires. 175200h is 20 years.

Generate the self-signed CA certificate and its key
    [root@hdss7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
    [root@hdss7-200 certs]# ll
    total 16
    -rw-r--r-- 1 root root  993 Dec 10 11:54 ca.csr
    -rw-r--r-- 1 root root  328 Dec 10 11:53 ca-csr.json
    -rw------- 1 root root 1679 Dec 10 11:54 ca-key.pem    # private key of the root certificate
    -rw-r--r-- 1 root root 1346 Dec 10 11:54 ca.pem        # root certificate

ca-key.pem signs every certificate the cluster will trust. It never leaves hdss7-200, keeps mode 0600 owned by root, and deserves an offline backup; ca.pem is public and is what gets copied to the other hosts. A 20-year CA is effectively never rotated, so the component certificates issued from it later should get much shorter expiry values.
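A guard to run on hdss7-200 before the CA material is used for signing, added here as an example and not one of the course's own steps. It assumes the /opt/certs layout above (ca.pem and ca-key.pem) and, for offline use, writes constructed placeholder PEM files rather than real keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): sanity-check the CA material that
# "cfssl gencert -initca" produced. ca-key.pem is the root of trust for the
# whole cluster and must stay private to root on the ops host; ca.pem is public.
set -eu

# file_mode FILE -> octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# pem_has FILE LABEL: does the file carry a "-----BEGIN <LABEL>-----" block?
pem_has() {
    grep -q -- "-----BEGIN $2-----" "$1"
}

# check_ca_dir DIR: exit 0 if ca.pem and ca-key.pem look right, 1 otherwise,
# with every reason on stderr. Accepts both PKCS#1 ("RSA PRIVATE KEY", which
# cfssl writes for RSA keys) and PKCS#8 ("PRIVATE KEY") key headers.
check_ca_dir() {
    dir=$1
    rc=0
    if [ ! -f "$dir/ca.pem" ] || ! pem_has "$dir/ca.pem" CERTIFICATE; then
        echo "ca.pem missing or not a PEM certificate" >&2
        rc=1
    elif command -v openssl >/dev/null 2>&1; then
        # Informational only: show when the CA expires (the notes use 20 years).
        openssl x509 -in "$dir/ca.pem" -noout -enddate 2>/dev/null || true
    fi
    if [ ! -f "$dir/ca-key.pem" ]; then
        echo "ca-key.pem missing" >&2
        rc=1
    else
        if ! pem_has "$dir/ca-key.pem" "RSA PRIVATE KEY" && ! pem_has "$dir/ca-key.pem" "PRIVATE KEY"; then
            echo "ca-key.pem is not a PEM private key" >&2
            rc=1
        fi
        mode=$(file_mode "$dir/ca-key.pem")
        case $mode in
            600|400) ;;
            *) echo "ca-key.pem mode is $mode, expected 600: key is group or world readable" >&2
               rc=1 ;;
        esac
    fi
    return $rc
}

# write_fake_ca DIR: constructed placeholder PEM files (not real keys) so the
# check can be exercised on a machine without cfssl. Modes match the ll output
# in the notes: 644 for the certificate, 600 for the key.
write_fake_ca() {
    mkdir -p "$1"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n' > "$1/ca.pem"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n' > "$1/ca-key.pem"
    chmod 644 "$1/ca.pem"
    chmod 600 "$1/ca-key.pem"
}
```

Run it as `check_ca_dir /opt/certs` after gencert and again before copying anything to the other hosts; a non-zero exit means stop and look at the reasons on stderr. The openssl line is informational only, so the check still works on a host without openssl.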
3. Docker environment on the node hosts

Deploy docker on the node hosts and the ops host: 21, 22 and 200.
    [root@hdss7-200 ~]# curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
    [root@hdss7-200 ~]# mkdir -p /etc/docker
    [root@hdss7-200 ~]# mkdir -p /data/docker
    [root@hdss7-200 ~]# vi /etc/docker/daemon.json
    {
      "graph": "/data/docker",
      "storage-driver": "overlay2",
      "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
      "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
      "bip": "172.7.200.1/24",
      "exec-opts": ["native.cgroupdriver=systemd"],
      "live-restore": true
    }
    [root@hdss7-200 ~]# systemctl start docker
    [root@hdss7-200 ~]# systemctl enable docker

The same file goes on hdss7-21 and hdss7-22 (then start and enable docker there too). The only line that changes is "bip", the docker0 bridge address, which defines the pod IP range on that k8s host. Its third octet is the host's last octet, so the ranges stay distinct across nodes:
    hdss7-200  "bip": "172.7.200.1/24"
    hdss7-21   "bip": "172.7.21.1/24"
    hdss7-22   "bip": "172.7.22.1/24"
JSON allows no comments, so this explanation cannot go inside daemon.json itself.

Notes on the settings:
    "graph" is the old name for the storage root; on current Docker releases use "data-root" instead.
    "insecure-registries" only needs harbor.od.com, because that registry is served over plain HTTP below. registry.access.redhat.com and quay.io serve TLS, and listing them tells dockerd to fall back to plaintext or accept an invalid certificate for those hosts, which weakens image-pull integrity for no benefit.
    "exec-opts" native.cgroupdriver=systemd must match the cgroup driver kubelet is configured with later.
    "live-restore" keeps containers running while dockerd itself restarts.
    The install line pipes a script from the internet into bash as root; download it, read it, then run it, or install the docker-ce package from a repository you control.
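Rendering daemon.json per node instead of hand-editing three copies, as an added example that is not part of the original notes. It follows the convention above (bip = 172.7.<last octet of the node IP>.1/24, data root /data/docker, the same mirror URL) and applies the two corrections from the notes on the settings: "data-root" in place of the deprecated "graph", and only the plain-HTTP harbor under "insecure-registries". The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): render /etc/docker/daemon.json
# for one node from its IP so the per-node copies cannot drift. Only "bip"
# differs per host; its third octet is the node IP's last octet, which keeps
# each node's pod range distinct. Compared with the notes' file this writes
# "data-root" (the current name for "graph") and lists only the plain-HTTP
# harbor as insecure; registry.access.redhat.com and quay.io serve TLS.
set -eu

# pod_bridge_cidr NODE_IP -> 172.7.<last octet>.1/24, refusing malformed input
pod_bridge_cidr() {
    last=${1##*.}
    case $last in
        ''|*[!0-9]*) echo "bad IPv4 address: $1" >&2; return 1 ;;
    esac
    [ "$last" -le 255 ] || { echo "bad IPv4 address: $1" >&2; return 1; }
    printf '172.7.%s.1/24\n' "$last"
}

# render_daemon_json NODE_IP HARBOR_HOST [MIRROR_URL]
#   Prints the daemon.json for that node. Assumed defaults: the data root
#   /data/docker and the mirror URL from the notes.
render_daemon_json() {
    ip=$1
    harbor=$2
    mirror=${3:-https://q2gr04ke.mirror.aliyuncs.com}
    bip=$(pod_bridge_cidr "$ip")
    cat <<EOF
{
  "data-root": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["$harbor"],
  "registry-mirrors": ["$mirror"],
  "bip": "$bip",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}
EOF
}

# daemon_json_field FILE KEY: read one string value back out, for verification
# (dockerd refuses to start on a malformed file, so check before restarting).
daemon_json_field() {
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# install_daemon_json NODE_IP HARBOR_HOST DEST: write the rendered file with
# mode 0644 (it contains no secrets, and only root can write /etc/docker).
install_daemon_json() {
    render_daemon_json "$1" "$2" > "$3"
    chmod 644 "$3"
}
```

On each node: `install_daemon_json 192.168.153.21 harbor.od.com /etc/docker/daemon.json`, then `systemctl restart docker` and confirm `docker info` reports the expected data root and bip.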
4. Preparing the harbor build

Install a version above 1.7.6. (1.9.1 cannot be used: after adding dashboard.od.com, pushes fail.)
    [root@hdss7-200 ~]# mkdir /opt/src
    [root@hdss7-200 ~]# cd /opt/src/
    [root@hdss7-200 src]# ls
    harbor-offline-installer-v1.8.0.tgz
    [root@hdss7-200 src]# tar zxvf harbor-offline-installer-v1.8.0.tgz -C /opt/

Mark the unpacked directory with its version and point a symlink at it, so a later upgrade is just a symlink change
    [root@hdss7-200 src]# cd ..
    [root@hdss7-200 opt]# mv harbor/ harbor-v1.8.0
    [root@hdss7-200 opt]# ln -s /opt/harbor-v1.8.0/ /opt/harbor
    [root@hdss7-200 opt]# ll
    total 0
    drwx--x--x 4 root root  28 Dec 10 14:30 containerd
    lrwxrwxrwx 1 root root  19 Dec 10 15:00 harbor -> /opt/harbor-v1.8.0/
    drwxr-xr-x 2 root root 100 Dec 10 14:58 harbor-v1.8.0
    drwxr-xr-x 2 root root  49 Dec 10 14:56 src

Edit the harbor configuration
    [root@hdss7-200 opt]# cd harbor
    [root@hdss7-200 harbor]# vi harbor.yml
    hostname: harbor.od.com
    port: 180
    harbor_admin_password: Harbor12345
    data_volume: /data/harbor
    location: /data/harbor/logs        # change the log storage path
    [root@hdss7-200 harbor]# mkdir -p /data/harbor/logs
Harbor12345 is the shipped default and the first credential anyone probes on a registry. Replace it before running install.sh (the value is only read on first start) and keep the admin account out of daily use.

Single-host orchestration tool
    [root@hdss7-200 harbor]# yum install -y docker-compose
    [root@hdss7-200 harbor]# rpm -qa docker-compose
    docker-compose-1.18.0-4.el7.noarch

Install
    [root@hdss7-200 harbor]# ./install.sh
    [root@hdss7-200 harbor]# docker-compose ps

After every restart of docker, bring harbor back up with
    [root@hdss7-200 harbor]# docker-compose up -d

Install nginx as a reverse proxy
    [root@hdss7-200 harbor]# yum install -y nginx
    [root@hdss7-200 harbor]# vi /etc/nginx/conf.d/harbor.od.com.conf
    server {
        listen       80;
        server_name  harbor.od.com;
        client_max_body_size 1000m;     # image layers are large; nginx's default 1m would reject pushes
        location / {
            proxy_pass http://127.0.0.1:180;
        }
    }

Check the configuration file and start nginx
    [root@hdss7-200 harbor]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@hdss7-200 harbor]# systemctl start nginx
    [root@hdss7-200 harbor]# systemctl enable nginx

On the DNS server, add an A record for harbor to the business zone and roll the serial. Every change to a zone must increase the serial (here from 01 to 02), otherwise secondaries and caches never notice the new version.
    [root@hdss7-11 named]# vi /var/named/od.com.zone
    $ORIGIN od.com.
    $TTL 600        ; 10 minutes
    @   IN SOA dns.od.com. dnsadmin.od.com. (
                2019120902 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.od.com.
    $TTL 60         ; 1 minute
    dns         A    192.168.153.11
    harbor      A    192.168.153.200
    [root@hdss7-11 named]# systemctl restart named

Verify
    [root@hdss7-11 named]# dig -t A harbor.od.com +short
    192.168.153.200

Open http://harbor.od.com/ and create a project named public with public access. Then push a test image from the ops host:
    [root@hdss7-200 harbor]# docker pull nginx:1.7.9
    [root@hdss7-200 harbor]# docker tag nginx:1.7.9 harbor.od.com/public/nginx:v1.7.9
    [root@hdss7-200 harbor]# docker login harbor.od.com
    [root@hdss7-200 harbor]# docker push harbor.od.com/public/nginx:v1.7.9

Everything here runs over plain HTTP: docker login sends the admin credentials in the clear and pushed layers are not protected in transit, which is why harbor.od.com had to go into insecure-registries. For anything beyond an isolated lab, terminate TLS in this nginx with a certificate issued by the CA from step 2 and remove the insecure-registries entry.
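Both the zone files in step 1 and the harbor record just added require the SOA serial to grow on every edit. The shell functions below, an added example rather than anything from the course, bump a YYYYMMDDNN serial in place and sanity-check a zone file; named-checkzone is only invoked when it is installed, the sample od.com.zone is constructed inline for offline use, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the course notes): roll a zone's SOA serial in the
# YYYYMMDDNN form used above and sanity-check the zone file. Secondaries and
# caches only pick up a changed zone when the serial has increased, so every
# edit (such as adding the harbor A record) must bump it.
set -eu

# current_serial ZONEFILE: print the number on the line tagged "; serial".
current_serial() {
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# bump_serial ZONEFILE [YYYYMMDD]
#   Same day as the current serial: increment the two-digit sequence (01 -> 02).
#   Later day: restart the sequence at 01. Never moves the serial backwards.
#   Prints the new serial. The optional date makes the result reproducible.
bump_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(current_serial "$zone")
    case $old in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "no YYYYMMDDNN serial in $zone" >&2; return 1 ;;
    esac
    old_date=$(printf '%s' "$old" | cut -c1-8)
    old_seq=$(printf '%s' "$old" | cut -c9-10)
    if [ "$old_date" = "$today" ]; then
        seq=$(( ${old_seq#0} + 1 ))   # drop a leading zero so 08/09 are not read as octal
        [ "$seq" -le 99 ] || { echo "sequence exhausted for $today" >&2; return 1; }
        new=$(printf '%s%02d' "$today" "$seq")
    elif [ "$old_date" -lt "$today" ]; then
        new="${today}01"
    else
        echo "serial $old is newer than $today; refusing to go backwards" >&2
        return 1
    fi
    # Rewrite only the serial token on the "; serial" line, keeping indentation.
    sed -i "s/^\([[:space:]]*\)${old}\([[:space:]]*;[[:space:]]*serial\)/\1${new}\2/" "$zone"
    echo "$new"
}

# check_zone NAME ZONEFILE: named-checkzone when available, plus the two things
# the notes rely on: an NS record exists and the serial has the expected shape.
check_zone() {
    name=$1
    zone=$2
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$name" "$zone" >/dev/null
    fi
    grep -Eq '^[[:space:]]*(@[[:space:]]+)?(IN[[:space:]]+)?NS[[:space:]]' "$zone" || return 1
    case $(current_serial "$zone") in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample_zone FILE: the od.com zone from the notes, constructed inline.
write_sample_zone() {
    cat > "$1" <<'EOF'
$ORIGIN od.com.
$TTL 600        ; 10 minutes
@   IN SOA dns.od.com. dnsadmin.od.com. (
            2019120901 ; serial
            10800      ; refresh (3 hours)
            900        ; retry (15 minutes)
            604800     ; expire (1 week)
            86400      ; minimum (1 day)
            )
        NS   dns.od.com.
$TTL 60         ; 1 minute
dns     A    192.168.153.11
EOF
}
```

Typical use on hdss7-11 after editing a zone: `bump_serial /var/named/od.com.zone && check_zone od.com /var/named/od.com.zone && systemctl restart named`. If check_zone fails, named is not restarted, so a typo in the zone never takes the lab's DNS down.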
Useful notes by others on the same topic:
(1)https://www.cnblogs.com/linuxk/category/1248289.html?page=2
(2)https://www.cnblogs.com/gshelldon/p/14735378.html