Preparing the environment
Because of network considerations, I requested an Ubuntu machine in the Singapore region of a public cloud platform; since the kubeadm installation guides I found online all use Ubuntu 16.04 64-bit, I requested two Ubuntu 16.04 64-bit machines as well.
Note:
kubeadm supports three operating systems: Ubuntu 16.04+, CentOS 7 and HypriotOS v1.0.1+.
Install Docker
(1) Update the apt-get sources
# curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
OK
# echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
# apt-get update
(2) Install Docker
# apt-get install docker-engine
# docker version
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 22:00:43 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 22:00:43 2016
OS/Arch: linux/amd64
Install the Kubernetes base components
Install kubelet, kubeadm, kubectl and kubernetes-cni
# apt-get install -y kubelet kubeadm kubectl kubernetes-cni
Install the Kubernetes master node
# Set the pod network address range to 192.168.0.0/16 and deploy the master components
# kubeadm init --pod-network-cidr=192.168.0.0/16
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[preflight] WARNING: docker version is greater than the most recently validated version. Docker version: 17.06.0-ce. Max validated version: 1.12
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] API Server serving cert is signed for DNS names [VM-133-17-ubuntu kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.144.133.17]
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key and public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 79.000826 seconds
[token] Using token: 262500.83d33677d341d692
[apiconfig] Created RBAC rules
[addons] Applied essential addon: kube-proxy
[addons] Applied essential addon: kube-dns
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token 262500.83d33677d341d692 10.144.133.17:6443
The kubeadm command automatically:
- runs system status checks
- generates a bootstrap token
- generates a self-signed CA and the certificates
- generates a kubeconfig for the kubelet to connect to the API server
- generates static Pod manifests for the master components and places them in the /etc/kubernetes/manifests directory
- configures RBAC and sets the master node to run only control-plane components
- creates add-on services such as kube-proxy and kube-dns
Configure the network
After the master node is installed, listing the nodes shows the node in the NotReady state. Checking the reason shows that the CNI plugin is not configured; in fact this is because the pod network has not been set up yet. Several network plugins can be used; here the author chose flannel, the longest-established one.
kubectl create -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel-rbac.yml
kubectl create -f https://github.com/coreos/flannel/raw/master/Documentation/kube-flannel.yml
At this point the master node installation is complete and the master node is in the Ready state.
# kubectl get nodes -s https://10.144.133.17:6443 --kubeconfig=/etc/kubernetes/admin.conf
NAME STATUS AGE VERSION
vm-133-17-ubuntu Ready 3h v1.7.0
Add a Kubernetes slave node
The normal kubeadm flow is:
# kubeadm join --token 262500.83d33677d341d692 10.144.133.17:6443
[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[preflight] WARNING: docker version is greater than the most recently validated version. Docker version: 17.06.0-ce. Max validated version: 1.12
[discovery] Trying to connect to API Server "10.144.133.17:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.144.133.17:6443"
[discovery] Cluster info signature and contents are valid, will use API Server "https://10.144.133.17:6443"
[discovery] Successfully established connection with API Server "10.144.133.17:6443"
[bootstrap] Detected server version: v1.7.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
Node join complete:
* Certificate signing request sent to master and response
received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
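What the [discovery] lines above ("Cluster info signature and contents are valid") actually check, and why the token generated by kubeadm init is the root of trust for a join, as an added Python example that is not code from the original post or from kubeadm itself: kubeadm publishes the cluster CA in the kube-public/cluster-info ConfigMap together with a detached HS256 JWS keyed by the bootstrap token, and the joining node recomputes that MAC with the secret part of the token before trusting the CA and server address. The kubeconfig text, the placeholder CA value and the forged address are constructed here; the token is the one printed by kubeadm init above.

```python
import base64
import hashlib
import hmac
import json
import re

def parse_bootstrap_token(token):
    m = re.match(r"^([a-z0-9]{6})\.([a-z0-9]{16})$", token)  # kubeadm token format "<id>.<secret>"
    if not m:
        raise ValueError("token must match [a-z0-9]{6}.[a-z0-9]{16}")
    return m.group(1), m.group(2)

def _b64url(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def compute_detached_signature(content, token_id, token_secret):
    # HS256 JWS over the kubeconfig; compact form with the payload dropped: "<header>..<sig>"
    header = _b64url(json.dumps({"alg": "HS256", "kid": token_id}, separators=(",", ":")).encode())
    signing_input = f"{header}.{_b64url(content.encode())}".encode()
    mac = hmac.new(token_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}..{_b64url(mac)}"

def verify_detached_signature(signature, content, token_id, token_secret):
    # Re-attach the fetched kubeconfig, check alg/kid, then compare MACs in constant time
    parts = signature.split(".")
    if len(parts) != 3 or parts[1] != "":
        return False
    try:
        header, mac = json.loads(_b64url_decode(parts[0])), _b64url_decode(parts[2])
    except ValueError:
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256" or header.get("kid") != token_id:
        return False
    signing_input = f"{parts[0]}.{_b64url(content.encode())}".encode()
    return hmac.compare_digest(hmac.new(token_secret.encode(), signing_input, hashlib.sha256).digest(), mac)

# Constructed sample cluster-info kubeconfig for this post's master (CA data is a placeholder)
KUBECONFIG = ("apiVersion: v1\nkind: Config\nclusters:\n- name: ''\n  cluster:\n"
              "    server: https://10.144.133.17:6443\n    certificate-authority-data: PLACEHOLDER_CA\n")
TOKEN_ID, TOKEN_SECRET = parse_bootstrap_token("262500.83d33677d341d692")
SIGNATURE = compute_detached_signature(KUBECONFIG, TOKEN_ID, TOKEN_SECRET)

def tampered_check():
    # (genuine verifies, forged server address verifies) -> expected (True, False)
    forged = KUBECONFIG.replace("10.144.133.17", "10.144.133.99")
    return (verify_detached_signature(SIGNATURE, KUBECONFIG, TOKEN_ID, TOKEN_SECRET),
            verify_detached_signature(SIGNATURE, forged, TOKEN_ID, TOKEN_SECRET))
```

Anyone who has the token can both read and forge this signature, which is why a leaked bootstrap token matters and why `kubeadm token list` output (below) should be treated as a credential listing.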
But in practice, when adding the slave node, I ran into a bug in v1.7. The specific issue is kubeadm #335.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:bootstrap-signer
  namespace: kube-public
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - cluster-info
  resources:
  - configmaps
  verbs:
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:controller:bootstrap-signer
  namespace: kube-public
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:controller:bootstrap-signer
subjects:
- kind: ServiceAccount
  name: bootstrap-signer
  namespace: kube-system
After creating the YAML above by hand, the join succeeds, but the corresponding host still cannot be seen on the master.
The corresponding fix is:
# scp -r ubuntu@10.144.133.17:/etc/kubernetes/admin.conf /etc/kubernetes
# ln -s -f /etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf
# service kubelet restart
At this point the slave node is also installed successfully. Note that this workaround makes the worker's kubelet authenticate with the cluster-admin credentials from admin.conf, so it is a temporary debugging measure rather than a production configuration.
Other information
(1) Create a cluster with a specified version
# kubeadm init --kubernetes-version=v1.6.1 --pod-network-cidr=10.244.0.0/16
(2) List the tokens used for joining nodes
# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION
17a2fb.ce1bd59ce494f837 <forever> <never> authentication,signing The default bootstrap token generated by 'kubeadm init'.
(3) Create an allow-all network policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
References:
https://kubernetes.io/docs/getting-started-guides/kubeadm/
https://kubernetes.io/docs/concepts/cluster-administration/addons/
https://kubernetes.io/docs/concepts/services-networking/network-policies/
https://kubernetes.io/docs/admin/kubeadm/#config-file