本文讲述k8s最新版的搭建(v1.15.2)
分如下几个topic步骤:
- 各个节点的基本配置
- master节点的构建
- worker节点的构建
- 安装dashboard
- 安装ingress
- 常见命令
- docker镜像惹的祸
各个节点的基本配置(以下命令每个节点都要执行:Master, Work1, Work2)
IP自己变化下,根据实际情况
systemctl stop firewalld && systemctl disable firewalld cat >>/etc/hosts<<EOF 10.8.1.1 k8s-master1 api.k8s.cn 10.8.1.2 k8s-slave1 10.8.1.3 k8s-slave2 EOF # 新建 iptable 配置修改文件 cat <<EOF > net.iptables.k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF #关闭 swap 分区 sudo swapoff -a #防止开机自动挂载 swap 分区,注释掉配置 sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab #关闭 SELinux sudo setenforce 0 #防止开机启动开启,修改 SELINUX 配置 sudo sed -i s'/SELINUX=enforcing/SELINUX=disabled'/g /etc/selinux/config 配置 iptables sudo mv net.iptables.k8s.conf /etc/sysctl.d/ && sudo sysctl --system #yum增加阿里云针对kubernetes镜像 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF yum update #安装 wget sudo yum install -y wget #安装docker yum install docker.x86_64 -y #安装k8s工具 yum install -y kubelet kubeadm kubectl #重启服务 systemctl enable kubelet && systemctl start kubelet
然后需要准备docker images(任然需要在master, worker1, worker2节点上分别执行)
vi init-docker-images.sh #然后内容如下 docker pull registry.aliyuncs.com/google_containers/kube-apiserver:v1.15.2 docker pull registry.aliyuncs.com/google_containers/kube-controller-manager:v1.15.2 docker pull registry.aliyuncs.com/google_containers/coredns:1.3.1 docker pull registry.aliyuncs.com/google_containers/kube-proxy:v1.15.2 docker pull registry.aliyuncs.com/google_containers/kube-scheduler:v1.15.2 docker pull registry.aliyuncs.com/google_containers/etcd:3.2.24 docker pull registry.aliyuncs.com/google_containers/etcd:3.3.10 docker pull registry.aliyuncs.com/google_containers/pause:3.1 docker pull registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 docker pull registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 docker pull docker.io/jmgao1983/flannel:v0.11.0-amd64 docker pull quay-mirror.qiniu.com/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0 docker tag registry.aliyuncs.com/google_containers/kube-apiserver:v1.15.2 k8s.gcr.io/kube-apiserver:v1.15.2 docker tag registry.aliyuncs.com/google_containers/kube-controller-manager:v1.15.2 k8s.gcr.io/kube-controller-manager:v1.15.2 docker tag registry.aliyuncs.com/google_containers/coredns:1.3.1 k8s.gcr.io/coredns:1.3.1 docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.15.2 k8s.gcr.io/kube-proxy:v1.15.2 docker tag registry.aliyuncs.com/google_containers/kube-scheduler:v1.15.2 k8s.gcr.io/kube-scheduler:v1.15.2 docker tag registry.aliyuncs.com/google_containers/etcd:3.3.10 k8s.gcr.io/etcd:3.3.10 docker tag registry.aliyuncs.com/google_containers/coredns:1.3.1 k8s.gcr.io/coredns:1.3.1 docker tag registry.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1 docker tag registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0 docker tag registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1 docker tag docker.io/jmgao1983/flannel:v0.11.0-amd64 quay.io/coreos/flannel:v0.11.0-amd64 docker tag quay-mirror.qiniu.com/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0 quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0
执行直到下载完成:
./init-docker-images.sh
master节点的构建
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=0.0.0.0
然后记录下类似如下的string:
kubeadm join api.k8s.cn:6443 --token b5jxzg.5jtj2odzoqujikk1 \ --discovery-token-ca-cert-hash sha256:90d0ad57b39bf47bface0c7f4edec480aaf8352cab872f4d52072f998cf45105
此时,k8s集群会处于NotReady状态(Master节点,用如下命令查看kubectl get nodes),需要如下:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
vi /var/lib/kubelet/kubeadm-flags.env #然后把--network-plugin=cni 这些文本删除 #保存后重启k8s服务 service kubelet restart
稍等片刻,master节点就会变成Ready状态(kubectl get nodes)
worker节点的构建(worker1和worker2节点分别执行)
kubeadm join {master1的ip,需自行替换}:6443 --token rntn5f.vy9h28s4pxwx6eig \
--discovery-token-ca-cert-hash sha256:62624adcc8aa5baa095dae607b8e57c8b619db956ad69e0e97f0e40c74542a92
vi /var/lib/kubelet/kubeadm-flags.env #然后把--network-plugin=cni 这些文本删除 #保存后重启k8s服务 service kubelet restart
安装dashboard(只要在master节点操作)
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml vi kubernetes-dashboard.yaml #开始修改NodePort,在文件的最后
# ------------------- Dashboard Service ------------------- # kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kube-system spec: type: NodePort ports: - port: 443 targetPort: 8443 nodePort: 30001 selector: k8s-app: kubernetes-dashboard
kubectl apply -f kubernetes-dashboard.yaml
新建账号
vi dashboard-account.yaml #内容如下 apiVersion: v1 kind: ServiceAccount metadata: name: aks-dashboard-admin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: aks-dashboard-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: aks-dashboard-admin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard labels: k8s-app: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard-head labels: k8s-app: kubernetes-dashboard-head roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard-head namespace: kube-system #执行 kubectl apply -f dashboard-account.yaml
然后就能用firefox访问https://master的ip地址:30001
接下来找出token:
[root@k8s-master1 ~]# kubectl -n kube-system get secrets|grep aks-dashboard-admin
aks-dashboard-admin-token-gmjfv kubernetes.io/service-account-token 3 4h52m
[root@k8s-master1 ~]# kubectl -n kube-system describe secret aks-dashboard-admin-token-gmjfv
Name: aks-dashboard-admin-token-gmjfv
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: aks-dashboard-admin
kubernetes.io/service-account.uid: 87d4ec1b-1829-4420-98d6-e77c1519aed6
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJha3MtZGFzaGJvYXJkLWFkbWluLXRva2VuLWdtamZ2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFrcy1kYXNoYm9hcmQtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI4N2Q0ZWMxYi0xODI5LTQ0MjAtOThkNi1lNzdjMTUxOWFlZDYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWtzLWRhc2hib2FyZC1hZG1pbiJ9.ELpsYbmWhW1sr3DOZfyupOkb87AbJ7sVoXEBitoTD46kuuNYcn8ajvwJcdfGruwrM9LwDcvMN7jD5UFF7-rgz1MUBEOZCoAjXFRrM1-Jn59TlXMk9W9JRD3DhMtuBRh6XUgPRjf755qr7WzR_DC8aCwjywAvFE1_R4N2oMZIU8gdmG0BsqwACHIbBnLJDAElBvgnKl8Jm4_XzKZW5ls-C45PSu-GC-yszt8qSN2bO5Z_rIUXhvK13Es5d0nUBvcanFBOsLjotWry195SWKEAuLiMp7qm6RJRrYWEpObh81w3MvbtrycZGMP7g-9H3s5vmHgs7HAnvjTEQht4c0F5qA
[root@k8s-master1 ~]#
用上面这个token登录就行了
安装ingress
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/mandatory.yaml
常见命令
#当join或者初始化k8s集群失败时,执行 kubeadm reset #查看集群所有节点 kubectl get nodes #查看secrets kubectl get secrets kubectl -n kube-system get secrets #查看具体pod明细,比如非Running状态下想看原因 kubectl describe pod {pod名称} kubectl -n kube-system describe pod {pod名称}
docker镜像惹的祸
由于有些docker镜像被墙了,因此默认安装时会阻塞住,解决方法是提前下载,配合国内镜像下载
如果是国内镜像下载的,namespace就会发生改变,因此下载完成后,需要docker tag命令重新tag到国外namespace
不足点,后续解决:
- master节点的高可用
- etcd的高可用(其实包含在上面的)