20210911第五天：初识Kubernetes和使用Kubeasz部署一个集群

一、Kubernetes是什么及其架构

1.1、kubernetes是什么？

　　Kubernetes是Google开源的一个容器编排引擎，它支持自动化部署、大规模可伸缩、应用容器化管理。在生产环境中部署一个应用程序时，通常要部署该应用的多个实例以便对应用请求进行负载均衡。在Kubernetes中，我们可以创建多个容器，每个容器里面运行一个应用实例，然后通过内置的负载均衡策略，实现对这一组应用实例的管理、发现、访问，而这些细节都不需要运维人员去进行复杂的手工配置和处理。kubernetes，简称k8s，是用8代替8个字符“ubernete”而成的缩写。不说了，具体详细情况：各位自己搜索吧！

• 官网：https://kubernetes.io/docs/home/
• github：https://github.com/kubernetes/kubernetes

1.2、kubernetes的架构及各个组件介绍

　　话不多说，直接先上一张图看一下（下图来自官网），官网的地址是：https://kubernetes.io/zh/docs/concepts/overview/components/

上图展示了包含所有相互关联组件的 Kubernetes 集群组件，下面分别进行介绍：

控制平面组件

控制平面的组件对集群做出全局决策(比如调度)，以及检测和响应集群事件（例如，当不满足部署的 replicas 字段时，启动新的 pod）。控制平面组件可以在集群中的任何节点上运行。 然而，为了简单起见，设置脚本通常会在同一个计算机上启动所有控制平面组件， 并且不会在此计算机上运行用户容器。 控制平台主要包含如下组件：

• kube-apiserver
• kube-scheduler

• kube-controller-manager
• etcd

kube-apiserver

API 服务器是 Kubernetes 控制面的组件， 该组件公开了 Kubernetes API。 API 服务器是 Kubernetes 控制面的前端。Kubernetes API 服务器的主要实现是 kube-apiserver。 kube-apiserver 设计上考虑了水平伸缩，也就是说，它可通过部署多个实例进行伸缩。 你可以运行 kube-apiserver 的多个实例，并在这些实例之间平衡流量。默认端口是：6443

kube-scheduler

控制平面组件，负责监视新创建的、未指定运行节点（node）的 Pods，选择节点让 Pod 在上面运行。调度决策考虑的因素包括单个 Pod 和 Pod 集合的资源需求、硬件/软件/策略约束、亲和性和反亲和性规范、数据位置、工作负载间的干扰和最后时限。默认端口是：10251

调度步骤如下：

• 通过调度算法为待调度的pod列表中的每个pod从可用node上选择一个最适合的Node
• Node节点上的kubelet会通过Apiserver监听到scheduler产生的pod绑定信息，然后获取pod清单，下载image并启动荣区

Node选择策略：

• LeastRequestedPriority： 优先选择资源消耗最小的节点
• CaculateNodeLabelPriority： 优先选择含有指定label的节点

• BalancedResourceAllocation：优先从备选节点中选择资源使用率最均衡的节点

kube-controller-manager

包括一些子控制器（副本控制器，节点控制器，命名空间控制器和服务账号控制器等），作为集群内部的管理控制中心，负责集群内部的Node，Pod副本，服务端点，namespace，服务账号，资源定额的管理，当某个Node意外宕机时，controller manager会及时发现并执行自动修复流程确保集群中的pod副本数始终处于预期的状态

特点：

• 每隔5s检查一次节点状态
• 如果没有收到自节点的心跳。该节点会被标记为不可达

• 标记为不可达之前会等待40s
• nide节点标记不可达5s之后还没有恢复，controllerManager会删除当前node节点的所有pod并在其他可用节点重建这些pod

etcd

etcd 是兼具一致性和高可用性的键值数据库，作为保存 Kubernetes 所有集群数据的后台数据库；Kubernetes 集群的 etcd 数据库通常需要高可用架构和有个备份计划。生产环境可以单独部署载独立的服务器上，节点数量一般是：3、5、7这样的奇数个数。

工作平面组件（Node）：

kubelet

一个在集群中每个节点（node）上运行的代理。 它保证容器（containers）都运行在 Pod 中。

具体功能如下：

• 向master（api-server）汇报node节点的状态信息
• 接受指令并在pod中创建docker容器

• 准备pod所需要的数据卷
• 返回pod状态

• 在node节点执行容日健康检查

kube-proxy

kube-proxy 是集群中每个节点上运行的网络代理， 实现 Kubernetes 服务（Service）概念的一部分。kube-proxy 维护节点上的网络规则。这些网络规则允许从集群内部或外部的网络会话与 Pod 进行网络通信。如果操作系统提供了数据包过滤层并可用的话，kube-proxy 会通过它来实现网络规则。否则， kube-proxy 仅转发流量本身。

不同版本支持三种工作模式：

• userspace： k8s1.1版本之前使用，1.2之后淘汰
• iptables： k8s1.1版本开始支持，1.2开始为默认

• ipvs： k8s1.9引入，1.11成为正式版本，需要安装ipvsadm，ipset工具包加载ip_vs内核模块

其它插件（Addons）

插件使用 Kubernetes 资源（DaemonSet、 Deployment等）实现集群功能。 因为这些插件提供集群级别的功能，插件中命名空间域的资源属于 kube-system 命名空间。

下面描述众多插件中的几种。有关可用插件的完整列表，请参见 插件（Addons）。

DNS

尽管其他插件都并非严格意义上的必需组件，但几乎所有 Kubernetes 集群都应该 有集群 DNS， 因为很多示例都需要 DNS 服务。集群 DNS 是一个 DNS 服务器，和环境中的其他 DNS 服务器一起工作，它为 Kubernetes 服务提供 DNS 记录。Kubernetes 启动的容器自动将此 DNS 服务器包含在其 DNS 搜索列表中。

Web 界面（仪表盘）

Dashboard 是 Kubernetes 集群的通用的、基于 Web 的用户界面。 它使用户可以管理集群中运行的应用程序以及集群本身并进行故障排除。

容器资源监控

容器资源监控 将关于容器的一些常见的时间序列度量值保存到一个集中的数据库中，并提供用于浏览这些数据的界面。

集群层面日志

集群层面日志 机制负责将容器的日志数据 保存到一个集中的日志存储中，该存储能够提供搜索和浏览接口。

最后，再来看一张K8S的架构图：

1.3、在kubernetes中创建pod的调度流程

　　Pod是Kubernetes中最基本的部署调度单元，可以包含container，逻辑上表示某种应用的一个实例。例如一个web站点应用由前端、后端及数据库构建而成，这三个组件将运行在各自的容器中，那么我们可以创建包含三个container的pod。本文将对Kubernetes的基本处理流程做一个简单的分析，首先先看下面的流程图：

• 1、kubelet client（或restful api等客户端等方式） 端执行kubelet create pod命令提交post kubelet apiserver请求
• 2、apiserver 监听接受到请求：

• 2.1、对请求进行、解析、认证、授权、超时处理、审计通过
• 2.2、pod请求事件进入MUX和route流程，apiserver会根据请求匹配对应pod类型的定义，apiserver会进行一个convert工作，将请求内容转换成super version对象

• 2.3、apiserver会先进行admission() 准入控制，比如添加标签，添加sidecar容器等和校验个字段合法性
• 2.4、apiserver将验证通过的api对象转换成用户最初提交的版本，进行序列化操作，并调用etcd api保存apiserver处理pod事件信息，apiserver把pod对象add到调度队列中

• 3、schedule相关情况：

• 3.1、schedule调度器会通过监听apiserver add到pod对象队列，
• 3.2、调度器开始尝试调度，筛选出适合调度的节点，并打分选出一个最高分的节点

• 3.3、调度器会将pod对象与node绑定，调度器将信息同步apiserver保存到etcd中完成调度

• 4、工作节点上的相关情况：

• 4.1、节点kubelet通过watch监听机制，监听与自己相关的pod对象，kubelet会把相关pod信息podcache缓存到节点内存
• 4.2、kubelet通过检查该pod对象在kubelet内存状态，kubelet就能够判断出是一个新调度pod对象

• 4.3、kubelet会启动 pod update worker、单独goroutine处理pod对象生成对应的pod status，检查pod所生命的volume、网络是否准备好
• 4.4、kubelet调用docker api 容器运行时CRI，发起插件pod所定义容器Container Runtime Interface, CRI请求

• 4.5、docker 容器运行时比如docker响应请求，然后开始创建对应容器

上述太多了点，来个简版的：

1. 用户提交创建Pod的请求，可以通过API Server的REST API ，也可用Kubectl命令行工具，支持Json和Yaml两种格式；
2. API Server 处理用户请求，存储Pod数据到Etcd；
3. Schedule通过和 API Server的watch机制，查看到新的pod，尝试为Pod绑定Node；
4. 过滤主机：调度器用一组规则过滤掉不符合要求的主机，比如Pod指定了所需要的资源，那么就要过滤掉资源不够的主机；
5. 主机打分：对第一步筛选出的符合要求的主机进行打分，在主机打分阶段，调度器会考虑一些整体优化策略，比如把一个Replication Controller的副本分布到不同的主机上，使用最低负载的主机等；
6. 选择主机：选择打分最高的主机，进行binding操作，结果存储到Etcd中；
7. kubelet根据调度结果执行Pod创建操作： 绑定成功后，会启动container, docker run, scheduler会调用API Server的API在etcd中创建一个bound pod对象，描述在一个工作节点上绑定运行的所有pod信息。运行在每个工作节点上的kubelet也会定期与etcd同步bound pod信息，一旦发现应该在该工作节点上运行的bound pod对象没有更新，则调用Docker API创建并启动pod内的容器。

二、使用Kubeasz部署一个集群

2.1 本次实验的相关主机环境情况：

主机IP地址	角色	操作系统	备注
192.168.11.111	部署和客户端	Ubuntu20.04
192.168.11.120	master节点	Ubuntu20.04
192.168.11.130	node节点	Ubuntu20.04
192.168.11.140	Harbor节点	Ubuntu20.04	开启了SSL

 2.2、所有节点Ubuntu20.04上安装docker-ce指定版本：19.03.15，具体详细安装文档参考官网：https://docs.docker.com/engine/install/ubuntu/

apt update
sudo apt-get install     apt-transport-https     ca-certificates     curl     gnupg     lsb-release -y
echo   "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-cache madison docker-ce
apt-get install docker-ce=5:19.03.15~3-0~ubuntu-focal docker-ce-cli=5:19.03.15~3-0~ubuntu-focal containerd.io -y
docker info/version

2.3、所有节点Ubuntu20.04上设置时间同步和时区一致

root@ubuntu:~# apt install chrony -y

root@ubuntu:~# tzselect 
Please identify a location so that time zone rules can be set correctly.
Please select a continent, ocean, "coord", or "TZ".
1) Africa                                 5) Atlantic Ocean                             9) Pacific Ocean
2) Americas                                 6) Australia                            10) coord - I want to use geographical coordinates.
3) Antarctica                                 7) Europe                                11) TZ - I want to specify the timezone using the Posix TZ format.
4) Asia                                     8) Indian Ocean
#? 4
Please select a country whose clocks agree with yours.
1) Afghanistan           8) Cambodia            15) Indonesia          22) Korea (North)        29) Malaysia          36) Philippines        43) Taiwan              50) Yemen
2) Armenia           9) China            16) Iran              23) Korea (South)        30) Mongolia          37) Qatar            44) Tajikistan
3) Azerbaijan          10) Cyprus            17) Iraq              24) Kuwait        31) Myanmar (Burma)      38) Russia            45) Thailand
4) Bahrain          11) East Timor        18) Israel              25) Kyrgyzstan        32) Nepal          39) Saudi Arabia        46) Turkmenistan
5) Bangladesh          12) Georgia            19) Japan              26) Laos            33) Oman          40) Singapore            47) United Arab Emirates
6) Bhutan          13) Hong Kong            20) Jordan              27) Lebanon        34) Pakistan          41) Sri Lanka            48) Uzbekistan
7) Brunei          14) India            21) Kazakhstan          28) Macau            35) Palestine          42) Syria            49) Vietnam
#? 9
Please select one of the following timezones.
1) Beijing Time
2) Xinjiang Time
#? 1

The following information has been given:

    China
    Beijing Time

Therefore TZ='Asia/Shanghai' will be used.
Selected time is now:    Mon Sep 20 16:46:29 CST 2021.
Universal Time is now:    Mon Sep 20 08:46:29 UTC 2021.
Is the above information OK?
1) Yes
2) No
#? 1

You can make this change permanent for yourself by appending the line
    TZ='Asia/Shanghai'; export TZ
to the file '.profile' in your home directory; then log out and log in again.

Here is that TZ value again, this time on standard output so that you
can use the /usr/bin/tzselect command in shell scripts:
Asia/Shanghai
root@ubuntu:~# 
root@ubuntu:~# ln -svf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime 
'/etc/localtime' -> '/usr/share/zoneinfo/Asia/Shanghai'
root@ubuntu:~# date
Mon 20 Sep 2021 04:47:27 PM CST
root@ubuntu:~# 
root@ubuntu:~# 
root@ubuntu:~# timedatectl
               Local time: Mon 2021-09-20 16:48:10 CST
           Universal time: Mon 2021-09-20 08:48:10 UTC
                 RTC time: Mon 2021-09-20 08:48:10    
                Time zone: Asia/Shanghai (CST, +0800) 
System clock synchronized: yes                        
              NTP service: active                     
          RTC in local TZ: no                         
root@ubuntu:~# date
Mon 20 Sep 2021 04:48:23 PM CST
root@ubuntu:~# 

 2.4、Harbor节点（192.168.11.140）上安装docker-compose，创建harbor.magedu.net域名的证书并安装Harbor

创建证书：

openssl genrsa -out harbor-ca.key
openssl req -x509 -new -nodes -key harbor-ca.key  -subj "/CN=harbor.magedu.net" -days 7120 -out harbor-ca.crt 

安装Harbor：

cd /usr/local/bin/
mv docker-compose-Linux-x86_64_1.24.1 docker-compose
chmod +x docker-compose 
docker-compose version
tar -zxvf harbor-offline-installer-v2.3.2.tgz 
mv harbor /usr/local/
cd /usr/local/harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml              相关配置文件修改如下图：
./install.sh 

 登陆并验证安装后harbor并创建一个baseimages项目(如果重启了harbor服务器，请使用如下命令启动# docker-compose start )

 2.5、deploy客户端配置docker加载证书并上传一个busybox测试镜像——并载所有几点进行下面的配置（所有节点docker都加载证书）

mkdir  -p /etc/docker/certs.d/harbor.magedu.net
cd /etc/docker/certs.d/harbor.magedu.net
scp 192.168.11.140:/usr/local/harbor/cert/harbor-ca.crt /etc/docker/certs.d/harbor.magedu.net          #  重启docker
注意点：添加域名和IP地址解析：echo '192.168.11.140 harbor.magedu.net' >> /etc/hosts
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker login harbor.magedu.net　　　　　　　　　　　　　　# 登陆上传镜像测试验证
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
24fb2886d6f6: Pull complete 
Digest: sha256:52f73a0a43a16cf37cd0720c90887ce972fe60ee06a687ee71fb93a7ca601df7
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest
root@deploy:/etc/docker/certs.d/harbor.magedu.net# 
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
busybox             latest              16ea53ea7c65        6 days ago          1.24MB
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker tag busybox:latest harbor.magedu.net/baseimages/busybox:latest
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
busybox                                latest              16ea53ea7c65        6 days ago          1.24MB
harbor.magedu.net/baseimages/busybox   latest              16ea53ea7c65        6 days ago          1.24MB
root@deploy:/etc/docker/certs.d/harbor.magedu.net# docker push harbor.magedu.net/baseimages/busybox:latest
The push refers to repository [harbor.magedu.net/baseimages/busybox]
cfd97936a580: Pushed 
latest: digest: sha256:febcf61cd6e1ac9628f6ac14fa40836d16f3c6ddef3b303ff0321606e55ddd0b size: 527
root@deploy:/etc/docker/certs.d/harbor.magedu.net# 

 2.6、部署机上（192.168.11.111）下载kubeasz脚本并下载相关安装安装文件

至于什么是kubeasz，直接去GitHub上看吧，具体连接是：https://github.com/easzlab/kubeasz ； 下面直接进入主题吧

export release=3.1.0　　　　　　　　　　　　　　　　　　　　　　　# 下载工具脚本ezdown，举例使用kubeasz版本3.1.0
curl -C- -fLO --retry 3 https://github.com/easzlab/kubeasz/releases/download/${release}/ezdown
chmod +x ezdown

修改ezdown配置文件的16行：指定使用相关版本的docker：

 下载项目源码、二进制及离线镜像：./ezdown -D，具体的下载过程如下：

root@deploy:~# ./ezdown --help
./ezdown: illegal option -- -
Usage: ezdown [options] [args]
  option: -{DdekSz}
    -C         stop&clean all local containers
    -D         download all into "/etc/kubeasz"
    -P         download system packages for offline installing
    -R         download Registry(harbor) offline installer
    -S         start kubeasz in a container
    -d <ver>   set docker-ce version, default "19.03.15"
    -e <ver>   set kubeasz-ext-bin version, default "0.9.4"
    -k <ver>   set kubeasz-k8s-bin version, default "v1.21.0"
    -m <str>   set docker registry mirrors, default "CN"(used in Mainland,China)
    -p <ver>   set kubeasz-sys-pkg version, default "0.4.1"
    -z <ver>   set kubeasz version, default "3.1.0"
root@deploy:~# ./ezdown -D
2021-09-20 17:52:59 INFO Action begin: download_all
2021-09-20 17:52:59 INFO downloading docker binaries, version 19.03.15
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 59.5M  100 59.5M    0     0  5408k      0  0:00:11  0:00:11 --:--:-- 5969k
2021-09-20 17:53:12 WARN docker is already running.
2021-09-20 17:53:12 INFO downloading kubeasz: 3.1.0
2021-09-20 17:53:12 DEBUG  run a temporary container
Unable to find image 'easzlab/kubeasz:3.1.0' locally
3.1.0: Pulling from easzlab/kubeasz
540db60ca938: Pull complete 
d037ddac5dde: Pull complete 
05d0edf52df4: Pull complete 
54d94e388fb8: Pull complete 
b25964b87dc1: Pull complete 
aedfadb13329: Pull complete 
7f3f0ac4a403: Pull complete 
Digest: sha256:b31e3ed9624fc15a6da18445a17ece1e01e6316b7fdaa096559fcd2f7ab0ae13
Status: Downloaded newer image for easzlab/kubeasz:3.1.0
440c7c757c7c8a8ab3473d196621bb8d28796c470fc1153a1098ebae83f7b09e
2021-09-20 17:53:48 DEBUG cp kubeasz code from the temporary container
2021-09-20 17:53:48 DEBUG stop&remove temporary container
temp_easz
2021-09-20 17:53:48 INFO downloading kubernetes: v1.21.0 binaries
v1.21.0: Pulling from easzlab/kubeasz-k8s-bin
532819f3e44c: Pull complete 
02d2aa9e7900: Pull complete 
Digest: sha256:eaa667fa41a407eb547bd639dd70aceb85d39f1cfb55d20aabcd845dea7c4e80
Status: Downloaded newer image for easzlab/kubeasz-k8s-bin:v1.21.0
docker.io/easzlab/kubeasz-k8s-bin:v1.21.0
2021-09-20 17:54:58 DEBUG run a temporary container
59481d2763c58a49e48f8e8e2a9e986001aabe9abfe5de7e5429e2609691cf54
2021-09-20 17:54:59 DEBUG cp k8s binaries
2021-09-20 17:55:01 DEBUG stop&remove temporary container
temp_k8s_bin
2021-09-20 17:55:01 INFO downloading extral binaries kubeasz-ext-bin:0.9.4
0.9.4: Pulling from easzlab/kubeasz-ext-bin
532819f3e44c: Already exists 
f8df0a3f2b36: Pull complete 
d69f8f462012: Pull complete 
1085086eb00a: Pull complete 
af48509c9825: Pull complete 
Digest: sha256:627a060a42260065d857b64df858f6a0f3b773563bce63bc87f74531ccd701d3
Status: Downloaded newer image for easzlab/kubeasz-ext-bin:0.9.4
docker.io/easzlab/kubeasz-ext-bin:0.9.4
2021-09-20 17:56:27 DEBUG run a temporary container
26a48514ab1b2fe7360da7f13245fcc3e1e8ac02e6edd0513d38d2352543ec94
2021-09-20 17:56:28 DEBUG cp extral binaries
2021-09-20 17:56:29 DEBUG stop&remove temporary container
temp_ext_bin
2021-09-20 17:56:30 INFO downloading offline images
v3.15.3: Pulling from calico/cni
1ff8efc68ede: Pull complete 
dbf74493f8ac: Pull complete 
6a02335af7ae: Pull complete 
a9d90ecd95cb: Pull complete 
269efe44f16b: Pull complete 
d94997f3700d: Pull complete 
8c7602656f2e: Pull complete 
34fcbf8be9e7: Pull complete 
Digest: sha256:519e5c74c3c801ee337ca49b95b47153e01fd02b7d2797c601aeda48dc6367ff
Status: Downloaded newer image for calico/cni:v3.15.3
docker.io/calico/cni:v3.15.3
v3.15.3: Pulling from calico/pod2daemon-flexvol
3fb48f9dffa9: Pull complete 
a820112abeeb: Pull complete 
10d8d066ec17: Pull complete 
217b4fd6d612: Pull complete 
06c30d5e085d: Pull complete 
ca0fd3d60e05: Pull complete 
a1c12287b32b: Pull complete 
Digest: sha256:cec7a31b08ab5f9b1ed14053b91fd08be83f58ddba0577e9dabd8b150a51233f
Status: Downloaded newer image for calico/pod2daemon-flexvol:v3.15.3
docker.io/calico/pod2daemon-flexvol:v3.15.3
v3.15.3: Pulling from calico/kube-controllers
22d9887128f5: Pull complete 
8824e2076f71: Pull complete 
8b26373ef5b7: Pull complete 
Digest: sha256:b88f0923b02090efcd13a2750da781622b6936df72d6c19885fcb2939647247b
Status: Downloaded newer image for calico/kube-controllers:v3.15.3
docker.io/calico/kube-controllers:v3.15.3
v3.15.3: Pulling from calico/node
0a63a759fe25: Pull complete 
9d6c79b335fa: Pull complete 
0c7b599aaa59: Pull complete 
641ec2b3d585: Pull complete 
682bbf5a5743: Pull complete 
b7275bfed8bc: Pull complete 
f9c5a243b960: Pull complete 
eafb01686242: Pull complete 
3a8a3042bbc5: Pull complete 
e4fa8d582cf2: Pull complete 
6ff16d4df057: Pull complete 
8b0afdee71db: Pull complete 
aa370255d6dd: Pull complete 
Digest: sha256:1d674438fd05bd63162d9c7b732d51ed201ee7f6331458074e3639f4437e34b1
Status: Downloaded newer image for calico/node:v3.15.3
docker.io/calico/node:v3.15.3
1.8.0: Pulling from coredns/coredns
c6568d217a00: Pull complete 
5984b6d55edf: Pull complete 
Digest: sha256:cc8fb77bc2a0541949d1d9320a641b82fd392b0d3d8145469ca4709ae769980e
Status: Downloaded newer image for coredns/coredns:1.8.0
docker.io/coredns/coredns:1.8.0
1.17.0: Pulling from easzlab/k8s-dns-node-cache
e5a8c1ed6cf1: Pull complete 
f275df365c13: Pull complete 
6a2802bb94f4: Pull complete 
cb3853c52da4: Pull complete 
db342cbe4b1c: Pull complete 
9a72dd095a53: Pull complete 
a79e969cb748: Pull complete 
02edbb2551d4: Pull complete 
Digest: sha256:4b9288fa72c3ec3e573f61cc871b6fe4dc158b1dc3ea56f9ce528548f4cabe3d
Status: Downloaded newer image for easzlab/k8s-dns-node-cache:1.17.0
docker.io/easzlab/k8s-dns-node-cache:1.17.0
v2.2.0: Pulling from kubernetesui/dashboard
7cccffac5ec6: Pull complete 
7f06704bb864: Pull complete 
Digest: sha256:148991563e374c83b75e8c51bca75f512d4f006ddc791e96a91f1c7420b60bd9
Status: Downloaded newer image for kubernetesui/dashboard:v2.2.0
docker.io/kubernetesui/dashboard:v2.2.0
v0.13.0-amd64: Pulling from easzlab/flannel
df20fa9351a1: Pull complete 
0fbfec51320e: Pull complete 
734a6c0a0c59: Pull complete 
41745b624d5f: Pull complete 
feca50c5fe05: Pull complete 
071b96dd834b: Pull complete 
5154c0aa012a: Pull complete 
Digest: sha256:34860ea294a018d392e61936f19a7862d5e92039d196cac9176da14b2bbd0fe3
Status: Downloaded newer image for easzlab/flannel:v0.13.0-amd64
docker.io/easzlab/flannel:v0.13.0-amd64
v1.0.6: Pulling from kubernetesui/metrics-scraper
47a33a630fb7: Pull complete 
62498b3018cb: Pull complete 
Digest: sha256:1f977343873ed0e2efd4916a6b2f3075f310ff6fe42ee098f54fc58aa7a28ab7
Status: Downloaded newer image for kubernetesui/metrics-scraper:v1.0.6
docker.io/kubernetesui/metrics-scraper:v1.0.6
v0.3.6: Pulling from mirrorgooglecontainers/metrics-server-amd64
e8d8785a314f: Pull complete 
b2f4b24bed0d: Pull complete 
Digest: sha256:c9c4e95068b51d6b33a9dccc61875df07dc650abbf4ac1a19d58b4628f89288b
Status: Downloaded newer image for mirrorgooglecontainers/metrics-server-amd64:v0.3.6
docker.io/mirrorgooglecontainers/metrics-server-amd64:v0.3.6
3.4.1: Pulling from easzlab/pause-amd64
fac425775c9d: Pull complete 
Digest: sha256:9ec1e780f5c0196af7b28f135ffc0533eddcb0a54a0ba8b32943303ce76fe70d
Status: Downloaded newer image for easzlab/pause-amd64:3.4.1
docker.io/easzlab/pause-amd64:3.4.1
v4.0.1: Pulling from easzlab/nfs-subdir-external-provisioner
9e4425256ce4: Pull complete 
f32b919eb4ab: Pull complete 
Digest: sha256:62a05dd29623964c4ff7b591d1ffefda0c2e13cfdc6f1253223c9d718652993f
Status: Downloaded newer image for easzlab/nfs-subdir-external-provisioner:v4.0.1
docker.io/easzlab/nfs-subdir-external-provisioner:v4.0.1
3.1.0: Pulling from easzlab/kubeasz
Digest: sha256:b31e3ed9624fc15a6da18445a17ece1e01e6316b7fdaa096559fcd2f7ab0ae13
Status: Image is up to date for easzlab/kubeasz:3.1.0
docker.io/easzlab/kubeasz:3.1.0
2021-09-20 18:01:48 INFO Action successed: download_all
root@deploy:~# 

下载好后，相关文件会在：/etc/kubeasz/目录下，这里穿插一步：部署集群到相关节点的ssh免密登陆和部署机器上的ansble的安装，下面贴一下主要步骤：

# 安装ansible：
apt install ansible -y
# 或者这样安装
apt install python3-pip  
pip install ansible
# 同步密钥或用杰哥上课用的脚本
ansible -i hosts -m authorized_key -a "user=root state=present key='{{ lookup('file', '/root/.ssh/id_rsa.pub') }}'" all

 进入相关目录修改配置文件：

 下面是/etc/kubeasz/clusters/k8s-01/hosts配置文件全部内容：

root@deploy:/etc/kubeasz/clusters/k8s-01# cat hosts 
# 'etcd' cluster should have odd member(s) (1,3,5,...)
[etcd]
192.168.11.120
#192.168.1.2
#192.168.1.3

# master node(s)
[kube_master]
192.168.11.120
#192.168.1.2

# work node(s)
[kube_node]
192.168.11.130
#192.168.1.4

# [optional] harbor server, a private docker registry
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
[harbor]
#192.168.1.8 NEW_INSTALL=false

# [optional] loadbalance for accessing k8s from outside
[ex_lb]
#192.168.1.6 LB_ROLE=backup EX_APISERVER_VIP=192.168.1.250 EX_APISERVER_PORT=8443
#192.168.1.7 LB_ROLE=master EX_APISERVER_VIP=192.168.1.250 EX_APISERVER_PORT=8443

# [optional] ntp server for the cluster
[chrony]
#192.168.1.1

[all:vars]
# --------- Main Variables ---------------
# Secure port for apiservers
SECURE_PORT="6443"

# Cluster container-runtime supported: docker, containerd
CONTAINER_RUNTIME="docker"

# Network plugins supported: calico, flannel, kube-router, cilium, kube-ovn
CLUSTER_NETWORK="calico"

# Service proxy mode of kube-proxy: 'iptables' or 'ipvs'
PROXY_MODE="ipvs"

# K8S Service CIDR, not overlap with node(host) networking
SERVICE_CIDR="10.100.0.0/16"

# Cluster CIDR (Pod CIDR), not overlap with node(host) networking
CLUSTER_CIDR="172.200.0.0/16"

# NodePort Range
NODE_PORT_RANGE="30000-32767"

# Cluster DNS Domain
CLUSTER_DNS_DOMAIN="magedu.local"

# -------- Additional Variables (don't change the default value right now) ---
# Binaries Directory
bin_dir="/opt/kube/bin"

# Deploy Directory (kubeasz workspace)
base_dir="/etc/kubeasz"

# Directory for a specific cluster
cluster_dir="{{ base_dir }}/clusters/k8s-01"

# CA and other components cert/key Directory
ca_dir="/etc/kubernetes/ssl"
root@deploy:/etc/kubeasz/clusters/k8s-01# 

主要调整如下：只保留一个etc、master和node节点，pod和service的网络地址段，网络类型为calico和集群的dns域名

[etcd]
192.168.11.120

[kube_master]
192.168.11.120

[kube_node]
192.168.11.130

# Network plugins supported: calico, flannel, kube-router, cilium, kube-ovn
CLUSTER_NETWORK="calico"
# K8S Service CIDR, not overlap with node(host) networking
SERVICE_CIDR="10.100.0.0/16"

# Cluster CIDR (Pod CIDR), not overlap with node(host) networking
CLUSTER_CIDR="172.200.0.0/16"

# Cluster DNS Domain    #  这个其实不用改，只是个名称
CLUSTER_DNS_DOMAIN="magedu.local"

 下面是/etc/kubeasz/clusters/k8s-01/config.yml配置文件全部内容：

root@deploy:/etc/kubeasz/clusters/k8s-01# cat config.yml 
############################
# prepare
############################
# 可选离线安装系统软件包 (offline|online)
INSTALL_SOURCE: "online"

# 可选进行系统安全加固 github.com/dev-sec/ansible-collection-hardening
OS_HARDEN: false

# 设置时间源服务器【重要：集群内机器时间必须同步】
ntp_servers:
  - "ntp1.aliyun.com"
  - "time1.cloud.tencent.com"
  - "0.cn.pool.ntp.org"

# 设置允许内部时间同步的网络段，比如"10.0.0.0/8"，默认全部允许
local_network: "0.0.0.0/0"


############################
# role:deploy
############################
# default: ca will expire in 100 years
# default: certs issued by the ca will expire in 50 years
CA_EXPIRY: "876000h"
CERT_EXPIRY: "438000h"

# kubeconfig 配置参数
CLUSTER_NAME: "cluster1"
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}"


############################
# role:etcd
############################
# 设置不同的wal目录，可以避免磁盘io竞争，提高性能
ETCD_DATA_DIR: "/var/lib/etcd"
ETCD_WAL_DIR: ""


############################
# role:runtime [containerd,docker]
############################
# ------------------------------------------- containerd
# [.]启用容器仓库镜像
ENABLE_MIRROR_REGISTRY: false

# [containerd]基础容器镜像
SANDBOX_IMAGE: "easzlab/pause-amd64:3.4.1"

# [containerd]容器持久化存储目录
CONTAINERD_STORAGE_DIR: "/var/lib/containerd"

# ------------------------------------------- docker
# [docker]容器存储目录
DOCKER_STORAGE_DIR: "/var/lib/docker"

# [docker]开启Restful API
ENABLE_REMOTE_API: false

# [docker]信任的HTTP仓库
INSECURE_REG: '["127.0.0.1/8"]'


############################
# role:kube-master
############################
# k8s 集群 master 节点证书配置，可以添加多个ip和域名（比如增加公网ip和域名）
MASTER_CERT_HOSTS:
  - "10.1.1.1"
  - "k8s.test.io"
  #- "www.test.com"

# node 节点上 pod 网段掩码长度（决定每个节点最多能分配的pod ip地址）
# 如果flannel 使用 --kube-subnet-mgr 参数，那么它将读取该设置为每个节点分配pod网段
# https://github.com/coreos/flannel/issues/847
NODE_CIDR_LEN: 24


############################
# role:kube-node
############################
# Kubelet 根目录
KUBELET_ROOT_DIR: "/var/lib/kubelet"

# node节点最大pod 数
MAX_PODS: 110

# 配置为kube组件（kubelet,kube-proxy,dockerd等）预留的资源量
# 数值设置详见templates/kubelet-config.yaml.j2
KUBE_RESERVED_ENABLED: "yes"

# k8s 官方不建议草率开启 system-reserved, 除非你基于长期监控，了解系统的资源占用状况；
# 并且随着系统运行时间，需要适当增加资源预留，数值设置详见templates/kubelet-config.yaml.j2
# 系统预留设置基于 4c/8g 虚机，最小化安装系统服务，如果使用高性能物理机可以适当增加预留
# 另外，集群安装时候apiserver等资源占用会短时较大，建议至少预留1g内存
SYS_RESERVED_ENABLED: "no"

# haproxy balance mode
BALANCE_ALG: "roundrobin"


############################
# role:network [flannel,calico,cilium,kube-ovn,kube-router]
############################
# ------------------------------------------- flannel
# [flannel]设置flannel 后端"host-gw","vxlan"等
FLANNEL_BACKEND: "vxlan"
DIRECT_ROUTING: false

# [flannel] flanneld_image: "quay.io/coreos/flannel:v0.10.0-amd64"
flannelVer: "v0.13.0-amd64"
flanneld_image: "easzlab/flannel:{{ flannelVer }}"

# [flannel]离线镜像tar包
flannel_offline: "flannel_{{ flannelVer }}.tar"

# ------------------------------------------- calico
# [calico]设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能，条件限制详见 docs/setup/calico.md
CALICO_IPV4POOL_IPIP: "Always"

# [calico]设置 calico-node使用的host IP，bgp邻居通过该地址建立，可手工指定也可以自动发现
IP_AUTODETECTION_METHOD: "can-reach={{ groups['kube_master'][0] }}"

# [calico]设置calico 网络 backend: brid, vxlan, none
CALICO_NETWORKING_BACKEND: "brid"

# [calico]更新支持calico 版本: [v3.3.x] [v3.4.x] [v3.8.x] [v3.15.x]
calico_ver: "v3.15.3"

# [calico]calico 主版本
calico_ver_main: "{{ calico_ver.split('.')[0] }}.{{ calico_ver.split('.')[1] }}"

# [calico]离线镜像tar包
calico_offline: "calico_{{ calico_ver }}.tar"

# ------------------------------------------- cilium
# [cilium]CILIUM_ETCD_OPERATOR 创建的 etcd 集群节点数 1,3,5,7...
ETCD_CLUSTER_SIZE: 1

# [cilium]镜像版本
cilium_ver: "v1.4.1"

# [cilium]离线镜像tar包
cilium_offline: "cilium_{{ cilium_ver }}.tar"

# ------------------------------------------- kube-ovn
# [kube-ovn]选择 OVN DB and OVN Control Plane 节点，默认为第一个master节点
OVN_DB_NODE: "{{ groups['kube_master'][0] }}"

# [kube-ovn]离线镜像tar包
kube_ovn_ver: "v1.5.3"
kube_ovn_offline: "kube_ovn_{{ kube_ovn_ver }}.tar"

# ------------------------------------------- kube-router
# [kube-router]公有云上存在限制，一般需要始终开启 ipinip；自有环境可以设置为 "subnet"
OVERLAY_TYPE: "full"

# [kube-router]NetworkPolicy 支持开关
FIREWALL_ENABLE: "true"

# [kube-router]kube-router 镜像版本
kube_router_ver: "v0.3.1"
busybox_ver: "1.28.4"

# [kube-router]kube-router 离线镜像tar包
kuberouter_offline: "kube-router_{{ kube_router_ver }}.tar"
busybox_offline: "busybox_{{ busybox_ver }}.tar"


############################
# role:cluster-addon
############################
# coredns 自动安装
dns_install: "no"
corednsVer: "1.8.0"
ENABLE_LOCAL_DNS_CACHE: false
dnsNodeCacheVer: "1.17.0"
# 设置 local dns cache 地址
LOCAL_DNS_CACHE: "169.254.20.10"

# metric server 自动安装
metricsserver_install: "no"
metricsVer: "v0.3.6"

# dashboard 自动安装
dashboard_install: "no"
dashboardVer: "v2.2.0"
dashboardMetricsScraperVer: "v1.0.6"

# ingress 自动安装
ingress_install: "no"
ingress_backend: "traefik"
traefik_chart_ver: "9.12.3"

# prometheus 自动安装
prom_install: "no"
prom_namespace: "monitor"
prom_chart_ver: "12.10.6"

# nfs-provisioner 自动安装
nfs_provisioner_install: "no"
nfs_provisioner_namespace: "kube-system"
nfs_provisioner_ver: "v4.0.1"
nfs_storage_class: "managed-nfs-storage"
nfs_server: "192.168.1.10"
nfs_path: "/data/nfs"

############################
# role:harbor
############################
# harbor version，完整版本号
HARBOR_VER: "v2.1.3"
HARBOR_DOMAIN: "harbor.yourdomain.com"
HARBOR_TLS_PORT: 8443

# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
HARBOR_SELF_SIGNED_CERT: true

# install extra component
HARBOR_WITH_NOTARY: false
HARBOR_WITH_TRIVY: false
HARBOR_WITH_CLAIR: false
HARBOR_WITH_CHARTMUSEUM: true
root@deploy:/etc/kubeasz/clusters/k8s-01#

主要修改是：不自动安装coredns、dashboard、ingress及prometheus

# coredns 自动安装
dns_install: "no"

# metric server 自动安装
metricsserver_install: "no"

# dashboard 自动安装
dashboard_install: "no"

# ingress 自动安装
ingress_install: "no"

下面是进入到/etc/kubeasz目录下，执行如下命令：如果没有大问题，就OK了

./ezctl setup k8s-01 01　　　　# 01-创建证书和安装准备
./ezctl setup k8s-01 02　　　　# 02-安装etcd集群
# ./ezctl setup k8s-01 03　　　# 由于我更喜欢手动安装docker，我就手动安装了：特别讨厌改变docker默认的安装的路径
./ezctl setup k8s-01 04　　　　# 04-安装master节点
./ezctl setup k8s-01 05　　　　# 05-安装node节点
./ezctl setup k8s-01 06　　　　# 06-安装集群网络

过程前后相关镜像的上传情况：

root@deploy:~# docker tag k8s.gcr.io/coredns/coredns:v1.8.3  harbor.magedu.net/baseimages/coredns:v1.8.3
root@deploy:~# docker push harbor.magedu.net/baseimages/coredns:v1.8.3
The push refers to repository [harbor.magedu.net/baseimages/coredns]
85c53e1bd74e: Pushed 
225df95e717c: Pushed 
v1.8.3: digest: sha256:db4f1c57978d7372b50f416d1058beb60cebff9a0d5b8bee02bfe70302e1cb2f size: 739
root@deploy:~# 

root@node1:~# docker images
REPOSITORY                             TAG                 IMAGE ID            CREATED             SIZE
harbor.magedu.net/baseimages/busybox   latest              16ea53ea7c65        6 days ago          1.24MB
kubernetesui/dashboard                 v2.3.1              e1482a24335a        3 months ago        220MB
harbor.magedu.net/baseimages/coredns   v1.8.3              3885a5b7f138        6 months ago        43.5MB
easzlab/pause-amd64                    3.4.1               0f8457a4c2ec        8 months ago        683kB
kubernetesui/metrics-scraper           v1.0.6              48d79e554db6        11 months ago       34.5MB
calico/node                            v3.15.3             d45bf977dfbf        12 months ago       262MB
calico/pod2daemon-flexvol              v3.15.3             963564fb95ed        12 months ago       22.8MB
calico/cni                             v3.15.3             ca5564c06ea0        12 months ago       110MB
calico/kube-controllers                v3.15.3             0cb2976cbb7d        12 months ago       52.9MB
root@node1:~# docker tag kubernetesui/metrics-scraper:v1.0.6 harbor.magedu.net/baseimages/metrics-scraper:v1.0.6
root@node1:~# docker tag kubernetesui/dashboard:v2.3.1 harbor.magedu.net/baseimages/dashboard:v2.3.1
root@node1:~# docker push harbor.magedu.net/baseimages/dashboard:v2.3.1
The push refers to repository [harbor.magedu.net/baseimages/dashboard]
c94f86b1c637: Pushed 
8ca79a390046: Pushed 
v2.3.1: digest: sha256:e5848489963be532ec39d454ce509f2300ed8d3470bdfb8419be5d3a982bb09a size: 736
root@node1:~# 
root@node1:~# docker push harbor.magedu.net/baseimages/metrics-scraper:v1.0.6
The push refers to repository [harbor.magedu.net/baseimages/metrics-scraper]
a652c34ae13a: Pushed 
6de384dd3099: Pushed 
v1.0.6: digest: sha256:c09adb7f46e1a9b5b0bde058713c5cb47e9e7f647d38a37027cd94ef558f0612 size: 736
root@node1:~# 

2.7、安装成功后相关验证：

node节点上验证calico网络：

root@node1:~# /opt/kube/bin/calicoctl node status
Calico process is running.

IPv4 BGP status
+----------------+-------------------+-------+----------+-------------+
|  PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+----------------+-------------------+-------+----------+-------------+
| 192.168.11.120 | node-to-node mesh | up    | 11:35:58 | Established |
+----------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

root@node1:~#

master节点上验证etcd和节点情况：

root@master1:~# ETCD_API=3 /opt/kube/bin/etcdctl --endpoints=https://192.168.11.120:2379 --cacert=/etc/kubernetes/ssl/ca.pem --cert=/etc/kubernetes/ssl/etcd.pem --key=/etc/kubernetes/ssl/etcd-key.pem  endpoint status
https://192.168.11.120:2379, 6a03caad54fdc2e7, 3.4.13, 3.2 MB, true, false, 5, 23783, 23783, 
root@master1:~# ETCD_API=3 /opt/kube/bin/etcdctl --endpoints=https://192.168.11.120:2379 --cacert=/etc/kubernetes/ssl/ca.pem --cert=/etc/kubernetes/ssl/etcd.pem --key=/etc/kubernetes/ssl/etcd-key.pem  endpoint health
https://192.168.11.120:2379 is healthy: successfully committed proposal: took = 5.333748ms
root@master1:~# 
root@master1:~# 
root@master1:~# /opt/kube/bin/kubectl get nodes
NAME             STATUS                     ROLES    AGE   VERSION
192.168.11.120   Ready,SchedulingDisabled   master   44h   v1.21.0
192.168.11.130   Ready                      node     44h   v1.21.0
root@master1:~# 

 创建一个pod测试网络：没有DNS解析，但是可以直接使用IP地址访问

  2.8、安装coredns：直接使用杰哥上课提供的yml文件——里面的相关域名、监控端口类型都已经改好了，直接：/opt/kube/bin/kubectl apply -f coredns-n56.yaml

再次创建pod验证：ping百度

 查看metrics情况：

 2.9、安装dashboard并创建相关账号——使用token登陆：直接使用杰哥上课提供的yml文件

 主要步骤如下：

/opt/kube/bin/kubectl apply -f dashboard-v2.3.1.yaml
/opt/kube/bin/kubectl get pods -A -o wide       #  查看并确认dashboardpod运行状态中
/opt/kube/bin/kubectl apply -f admin-user.yml
/opt/kube/bin/kubectl get secret -A |grep admin
/opt/kube/bin/kubectl describe secret admin-user-token-kth6z -n kubernetes-dashboard

dashboard的yaml文件内容，当然你也可以直接官网下载：

root@master1:~# cat dashboard-v2.3.1.yaml 
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30002
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: harbor.magedu.net/baseimages/dashboard:v2.3.1 
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: harbor.magedu.net/baseimages/metrics-scraper:v1.0.6
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
root@master1:~# 

admin-user.yml的内容：

root@master1:~# cat admin-user.yml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard

root@master1:~# 

获取token登陆：

 

 

 

 先这样吧，后面的添加节点等，敬请期待……