One-Command Deployment Tool: Building Kubernetes with Kubeadm

Author: 读书学习看报 | Published 2021-05-06 09:18

    Preparation

    Buy two ECS instances on Alibaba Cloud with at least 2 cores and 4 GB of memory. They are only for temporary study, so one week is enough; a cheaper instance costs roughly 30 yuan per week.

    Install Docker

    sudo yum install -y yum-utils
    sudo yum-config-manager \
        --add-repo \
        https://download.docker.com/linux/centos/docker-ce.repo
    sudo yum install docker-ce docker-ce-cli containerd.io
    # enable --now rather than start: the kubeadm preflight check later in
    # this post warns when the docker service is not enabled to start on boot
    sudo systemctl enable --now docker
    
    docker -v
    

    Load the images Kubernetes needs

    Because of network restrictions, the images are pulled from the Alibaba Cloud mirror here and then renamed with docker tag to the default Kubernetes image names.

    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.19.0
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.19.0
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.0
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.0
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.9-1
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0
    
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.19.0 k8s.gcr.io/kube-apiserver:v1.19.0
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.19.0 k8s.gcr.io/kube-controller-manager:v1.19.0
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.0 k8s.gcr.io/kube-scheduler:v1.19.0
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.0 k8s.gcr.io/kube-proxy:v1.19.0
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 k8s.gcr.io/pause:3.2
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.9-1 k8s.gcr.io/etcd:3.4.9-1
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 k8s.gcr.io/coredns:1.7.0
    

    Install kubeadm

    kubeadm is the one-command deployment tool for Kubernetes and is convenient for learning. First install the three binaries kubeadm, kubectl and kubelet on both nodes. Because the images downloaded above are v1.19.0, be sure to pin that version when installing.

    # Add the Alibaba Cloud repository
    cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
    EOF
    
    # Set SELinux in permissive mode (effectively disabling it)
    sudo setenforce 0
    sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
    
    # Remember to pin the version number here
    sudo yum install -y kubelet-1.19.0 kubeadm-1.19.0 kubectl-1.19.0 --disableexcludes=kubernetes
    sudo systemctl enable --now kubelet
    

    After installation, check the version information:

    [root@kube002 ~]# kubeadm version
    kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:28:32Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
    
    [root@kube002 ~]# kubectl version
    Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:30:33Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}
    

    kubeadm init

    Use kubeadm init to deploy the Master node. When it runs, it first performs a series of checks (Running pre-flight checks). The flags used here:

    • --kubernetes-version: the version to deploy
    • --pod-network-cidr: the Pod address range
    • --service-cidr: the Service address range

    kubeadm init --kubernetes-version=v1.19.0 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12
    
    [init] Using Kubernetes version: v1.19.0
    [preflight] Running pre-flight checks
    [preflight] Pulling images required for setting up a Kubernetes cluster
    [preflight] This might take a minute or two, depending on the speed of your internet connection
    [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
    ......
    [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
    [kubelet-start] Starting the kubelet
    [control-plane] Using manifest folder "/etc/kubernetes/manifests"
    [control-plane] Creating static Pod manifest for "kube-apiserver"
    [control-plane] Creating static Pod manifest for "kube-controller-manager"
    [control-plane] Creating static Pod manifest for "kube-scheduler"
    [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
    [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
    ......
    [mark-control-plane] Marking the node kube001 as control-plane by adding the label "node-role.kubernetes.io/master=''"
    [mark-control-plane] Marking the node kube001 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
    ......
    [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
    [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
    [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
    [addons] Applied essential addon: CoreDNS
    [addons] Applied essential addon: kube-proxy
    
    Your Kubernetes control-plane has initialized successfully!
    
    To start using your cluster, you need to run the following as a regular user:
    
      mkdir -p $HOME/.kube
      sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
      sudo chown $(id -u):$(id -g) $HOME/.kube/config
    
    You should now deploy a pod network to the cluster.
    Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
      https://kubernetes.io/docs/concepts/cluster-administration/addons/
    
    Then you can join any number of worker nodes by running the following on each as root:
    
    kubeadm join 172.24.251.196:6443 --token gopfsz.5r5pp10ppen86xrv \
        --discovery-token-ca-cert-hash sha256:ea1f97ae7ff9364f2efbc4aad55d3e084a511f05ce46e2c730880c723b72ecea
    

    It is worth reading the log that kubeadm init prints during installation in detail; it contains a lot of important information.

    The following snippet will be used again when setting up the Worker node.

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
    

    kubeadm join

    kubeadm init generates a token. kubeadm join can be run on any machine on which kubeadm, kubelet and kubectl are installed, and that machine then joins the Kubernetes cluster as a Worker node. The bootstrap token expires after 24 hours by default; if it has expired, create a fresh one on the master with kubeadm token create --print-join-command. The --discovery-token-ca-cert-hash value pins the cluster CA, so a joining node only trusts the genuine API server.

    kubeadm join 172.24.251.196:6443 --token gopfsz.5r5pp10ppen86xrv \
        --discovery-token-ca-cert-hash sha256:ea1f97ae7ff9364f2efbc4aad55d3e084a511f05ce46e2c730880c723b72ecea
    
    [preflight] Running pre-flight checks
        [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service'
        [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
    [preflight] Reading configuration from the cluster...
    [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
    [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
    [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
    [kubelet-start] Starting the kubelet
    [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
    
    This node has joined the cluster:
    * Certificate signing request was sent to apiserver and a response was received.
    * The Kubelet was informed of the new secure connection details.
    
    Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
    

    Copy /etc/kubernetes/admin.conf from the master node to the same directory on the Worker node, then run the following commands. admin.conf carries a cluster-admin client certificate, so treat the copy like a root credential and keep it readable only by its owner.

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config
    

    kube-apiserver.yaml

    After the steps above, running kubectl get nodes on the Worker node reports an error. The fix used here is to edit the apiserver parameter --insecure-port on the master node, which bypasses the authentication and authorization modules; its default value is 0. Keep in mind what that means: anything that can reach that port has full, unauthenticated access to the API, while kubectl configured with admin.conf talks to port 6443 with its client certificate and never uses port 8080. Outside a throwaway lab leave the value at 0; later Kubernetes releases removed the insecure port altogether.

    spec:
      containers:
      - command:
        - kube-apiserver
        - --advertise-address=172.24.251.196
        - --allow-privileged=true
        - --authorization-mode=Node,RBAC
        - --client-ca-file=/etc/kubernetes/pki/ca.crt
        - --enable-admission-plugins=NodeRestriction
        - --enable-bootstrap-token-auth=true
        - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
        - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
        - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
        - --etcd-servers=https://127.0.0.1:2379
        - --insecure-port=8080
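As an added example (not part of the original post), the shell functions below audit a kube-apiserver static Pod manifest for that flag, so a lab setting like the one above can be found and reverted before the cluster carries anything real. The function names and the two constructed manifests are this example's own; the real file is /etc/kubernetes/manifests/kube-apiserver.yaml on the master node, as the post shows.

```shell
#!/bin/sh
# Added example, not from the original post: audit a kube-apiserver static
# Pod manifest for the --insecure-port setting. Function names are ours.

# Print the value of --insecure-port found in the manifest, or 0 when the
# flag is absent (0 is also the kube-apiserver default).
insecure_port_of() {
    port=$(grep -o -- '--insecure-port=[0-9]*' "$1" | head -n 1 | cut -d= -f2)
    printf '%s\n' "${port:-0}"
}

# Verdict: return 0 when the insecure listener is off, 1 when it is on.
audit_apiserver_manifest() {
    port=$(insecure_port_of "$1")
    if [ "$port" = "0" ]; then
        echo "ok: $1 does not enable the insecure port"
        return 0
    fi
    echo "WARNING: $1 serves the API over plain HTTP on port $port with no authentication or RBAC"
    return 1
}

# Demo on two constructed manifests; on a control-plane node point the audit at
# /etc/kubernetes/manifests/kube-apiserver.yaml instead.
lab=$(mktemp); hardened=$(mktemp)
cat > "$lab" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --insecure-port=8080
EOF
cat > "$hardened" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --insecure-port=0
EOF
audit_apiserver_manifest "$lab" || true
audit_apiserver_manifest "$hardened"
```

Because the manifest is a static Pod, the kubelet restarts kube-apiserver on its own as soon as the file is saved, so reverting the flag to 0 takes effect without any further command.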
    

    kubectl get nodes

    Running kubectl get nodes to fetch the Node information shows that both nodes are in the NotReady state:

    [root@kube002 ~]# kubectl get nodes
    NAME      STATUS     ROLES    AGE     VERSION
    kube001   NotReady   master   9m13s   v1.19.0
    kube002   NotReady   <none>   4m52s   v1.19.0
    

    kubectl describe node kube001 shows the following error, which means that no CNI plugin is installed yet. The network plugin chosen here is Flannel.

    KubeletNotReady runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized
    

    Install the Flannel network plugin

    The network may be subject to DNS pollution. If the URL below is unreachable, you can edit the hosts file with the following command:

    cat >> /etc/hosts <<EOF
    199.232.96.133 raw.githubusercontent.com
    EOF
    

    Since Kubernetes is designed so that everything is a container, installing the plugin is also very easy:

    [root@kube001 ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
    podsecuritypolicy.policy/psp.flannel.unprivileged created
    clusterrole.rbac.authorization.k8s.io/flannel created
    clusterrolebinding.rbac.authorization.k8s.io/flannel created
    serviceaccount/flannel created
    configmap/kube-flannel-cfg created
    daemonset.apps/kube-flannel-ds created
    

    Once that succeeds, run the following command on any node and both the Master node and the Worker node show as Ready:

    [root@kube002 ~]# kubectl get nodes
    NAME      STATUS   ROLES    AGE   VERSION
    kube001   Ready    master   15m   v1.19.0
    kube002   Ready    <none>   11m   v1.19.0
    

    kubectl taint nodes

    By default the Master node is not allowed to schedule Pods; kubeadm init enforces this by tainting the node (see the mark-control-plane lines in its output). For testing we can allow Pods to be created on the Master, so run the following command to remove the Master node's taint.

    kubectl taint nodes --all node-role.kubernetes.io/master-
    

    安装 Dashboard

    With the above, the Kubernetes platform is installed successfully; try a few basic commands and look at their output in detail. Next, install the Kubernetes UI, the Dashboard. First download the Dashboard YAML file locally, because its port mapping and permission settings need to be modified.

    # -o writes the file instead of appending to it, so re-running does not duplicate the manifest
    curl -fsSL https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml -o /opt/dashboard.yml
    

    The changes are as follows (search for each block and replace it). The first is so the Dashboard UI can be reached from outside: change the Service type to NodePort and specify the port to expose, nodePort: 30000. (Don't forget to open the port in the ECS security group, and limit that rule to your own source address rather than the whole Internet.)

    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
      name: kubernetes-dashboard
      namespace: kubernetes-dashboard
    spec:
      ports:
        - port: 443
          targetPort: 8443
          nodePort: 30000
      selector:
        k8s-app: kubernetes-dashboard
      type: NodePort
    

    The second is to change the role of the default kubernetes-dashboard user. Here the built-in top-level administrator role of Kubernetes is used directly; never do this in production, where each account's permissions must be controlled at a finer granularity.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: kubernetes-dashboard
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      # Kubernetes built-in
      name: cluster-admin
    subjects:
      - kind: ServiceAccount
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard
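Added example, not from the post or from the Dashboard project: a small shell audit that lists which ClusterRole each ClusterRoleBinding in a manifest points at, flags cluster-admin, and emits a separate binding to the built-in read-only view ClusterRole as the less privileged alternative. view and cluster-admin are real default Kubernetes roles; the function names, the binding name kubernetes-dashboard-view and the constructed sample files are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the Dashboard project: find
# ClusterRoleBindings that hand a ServiceAccount the cluster-admin role, and
# produce a read-only alternative. Function names and sample files are ours.

# Print the ClusterRole name referenced by every ClusterRoleBinding in a YAML
# file. Assumes the layout kubectl manifests use: one object per document,
# top-level keys at column 0, roleRef.name indented under roleRef.
bound_cluster_roles() {
    awk '
        /^---/                          { in_crb = 0; in_ref = 0 }
        /^kind: ClusterRoleBinding/     { in_crb = 1 }
        in_crb && /^roleRef:/           { in_ref = 1; next }
        in_crb && in_ref && /^[^ ]/     { in_ref = 0 }
        in_crb && in_ref && /^ +name: / { print $2 }
    ' "$1"
}

# Verdict: return 1 if any binding in the file grants cluster-admin, else 0.
audit_dashboard_manifest() {
    if bound_cluster_roles "$1" | grep -qx cluster-admin; then
        echo "WARNING: $1 binds cluster-admin; whoever holds that account's token controls the whole cluster"
        return 1
    fi
    echo "ok: no cluster-admin binding in $1"
}

# Read-only alternative: a separate binding to the built-in "view" role, which
# can list most objects but cannot read Secrets. The project's own
# kubernetes-dashboard binding is left as shipped.
least_privilege_binding() {
    cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
EOF
}

# Demo on constructed files: the post's edit versus the read-only binding.
# On a real cluster point the audit at the downloaded /opt/dashboard.yml.
lab_crb=$(mktemp); fixed_crb=$(mktemp)
cat > "$lab_crb" <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Kubernetes built-in
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
EOF
least_privilege_binding > "$fixed_crb"
audit_dashboard_manifest "$lab_crb" || true
audit_dashboard_manifest "$fixed_crb"
```

To apply the read-only binding on a live cluster, pipe it to kubectl (least_privilege_binding | kubectl apply -f -); a user who later needs write access to one namespace is better served by a RoleBinding in that namespace than by widening the cluster-wide role.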
    

    Then create and run it with kubectl apply -f:

    [root@kube002 ~]# kubectl apply -f /opt/dashboard.yml 
    namespace/kubernetes-dashboard created
    serviceaccount/kubernetes-dashboard created
    service/kubernetes-dashboard created
    secret/kubernetes-dashboard-certs created
    secret/kubernetes-dashboard-csrf created
    secret/kubernetes-dashboard-key-holder created
    configmap/kubernetes-dashboard-settings created
    role.rbac.authorization.k8s.io/kubernetes-dashboard created
    clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
    rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
    clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
    deployment.apps/kubernetes-dashboard created
    service/dashboard-metrics-scraper created
    deployment.apps/dashboard-metrics-scraper created
    

    Get the login token

    Open https://ip:30000; note that it must be accessed over https.

    Each account gets a corresponding token, which is used to authorize the login:

    [root@kube002 ~]# kubectl get secret -n kubernetes-dashboard
    NAME                               TYPE                                  DATA   AGE
    default-token-fl6wt                kubernetes.io/service-account-token   3      72s
    kubernetes-dashboard-certs         Opaque                                0      72s
    kubernetes-dashboard-csrf          Opaque                                1      72s
    kubernetes-dashboard-key-holder    Opaque                                2      72s
    kubernetes-dashboard-token-qsktp   kubernetes.io/service-account-token   3      72s
    

    View the token:

    [root@kube002 ~]# kubectl describe secret kubernetes-dashboard-token-qsktp -n kubernetes-dashboard
    Name:         kubernetes-dashboard-token-qsktp
    Namespace:    kubernetes-dashboard
    Labels:       <none>
    Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
                  kubernetes.io/service-account.uid: 8444c0a6-3712-4c33-a926-6ddee6f6dfad
    
    Type:  kubernetes.io/service-account-token
    
    Data
    ====
    ca.crt:     1066 bytes
    namespace:  20 bytes
    token:      eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ5NlJoSHpjSEwtZ2djVU1Idy05YTh2UFpmTE03bzBsQ29scGJ6cXRxbEUifQ....nIp2VQYAup13_klFqgFaBVaekH5WCQ2FSZY4qaP5aggw5UrYlCXfsgMnam_TJd5m5J0ZfOeGOpm3HfhcF3PglZvdZwiR5QAeBolQLFyr38MSavyiZ15z3m7iLHEnaDXFPYc4Zz9lrRJDMrmHDSz7Kpu5Ncjwxcm-tIPsn6ymtHltkkiN88qYMKJ1PplCajE-pOkTJUg5Vybb11ZDTxEkEKWP44T6-WNLNa-jA9RsHFu7p7kXfwnnhGjEE0V0CS3hpXQK4RusWsUh-WFh1zCWc5-Vx8bGOA_UeTcuma2s8do9lt7jx_Bc94JzCadyQtRSbSVpY2Ets4zXl7A29DZtrw
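That token is a JWT: three base64url sections, header.payload.signature. As an added example (not part of the original post), the shell functions below decode the payload so you can see which ServiceAccount a token identifies and whether it carries an expiry; a Secret-based service account token like this one has no exp claim, so combined with the cluster-admin binding above it is a permanent credential for the whole cluster. The token decoded here is constructed for the example with a placeholder signature, and the function names are this example's own; the decoder assumes the compact, whitespace-free JSON the apiserver emits.

```shell
#!/bin/sh
# Added example, not from the original post: read the claims of a service
# account JWT without verifying it (for inspection only, never for trust).

# base64url-decode one JWT section: restore padding, swap the URL alphabet.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# Print the JSON payload (second section) of a JWT.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract one string claim (e.g. sub, iss) from the payload; prints nothing
# when the claim is absent. Assumes compact JSON without whitespace.
jwt_claim() {
    jwt_payload "$1" | grep -o "\"$2\":\"[^\"]*\"" | cut -d'"' -f4
}

# Constructed sample token (not the post's): the signature is a placeholder.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"example"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"kubernetes-dashboard","sub":"system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"}').placeholder-signature"

# Demo: who is this token, and does it ever expire?
echo "subject: $(jwt_claim "$SAMPLE_TOKEN" sub)"
if jwt_payload "$SAMPLE_TOKEN" | grep -q '"exp"'; then
    echo "token carries an exp claim and will expire"
else
    echo "token has no exp claim: a long-lived Secret-based service account token"
fi
```

On a real cluster you would feed the value printed by kubectl describe secret into jwt_claim instead of SAMPLE_TOKEN; if such a token is ever exposed, deleting the Secret (kubectl delete secret -n kubernetes-dashboard <name>) invalidates it and the controller creates a fresh one.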
    

    The interface after a successful login:

    Tear down and rebuild the cluster

    kubeadm reset
    rm -rf $HOME/.kube
    

    ~ END ~


        Article title: One-Command Deployment Tool: Building Kubernetes with Kubeadm

        Article link: https://www.haomeiwen.com/subject/jgildltx.html