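Run on k8s-master
1 Remove the taint so the master can take workloads
In a cluster initialized with kubeadm, Pods are not scheduled onto the Master Node for security reasons; that is, the Master Node does not take workloads. This is because the master node carries the taint node-role.kubernetes.io/master:NoSchedule. You can remove this taint so that the master takes some workloads.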

Check pod status

kubectl get pods --all-namespaces

Check the taint status of the nodes

kubectl describe nodes | grep -E '(Roles|Taints)'

Remove the taint so that the nodes can take workloads

kubectl taint nodes --all node-role.kubernetes.io/master-

Add the taint so that all nodes refuse to take workloads

kubectl taint nodes --all node-role.kubernetes.io/master=:NoSchedule

Make the master node refuse workloads

kubectl taint nodes k8s-master node-role.kubernetes.io/master=:NoSchedule

Make the worker node refuse workloads

kubectl taint nodes k8s-node1 node-role.kubernetes.io/master=:NoSchedule

2 Create a new directory under home

mkdir -p /home/jonluo/gopath/src/github.com/jonluo94

Enter the directory

cd /home/jonluo/gopath/src/github.com/jonluo94

Download the baas project

git clone https://github.com/jonluo94/baasmanager.git

Enter the flannel directory

cd /home/jonluo/gopath/src/github.com/jonluo94/baasmanager/baas-kubecluster/flannel

Edit flannel/kube-flannel.yml and create the flannel network
Hosted on GitHub at
https://github.com/coreos/flannel/tree/master/Documentation

kubectl apply -f kube-flannel.yml

The full deployment manifest is as follows:

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: "/etc/cni/net.d"
  - pathPrefix: "/etc/kube-flannel"
  - pathPrefix: "/run/flannel"
  readOnlyRootFilesystem: false
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny

  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false

  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []

  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535

  seLinux:
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.13.0
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.13.0
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg

Output of a successful deployment, and checking pod status

kubectl get pods --all-namespaces

View pod details and events

kubectl describe pod/<pod-name> -n <namespace>
kubectl describe pod/orderer0-adminbconeorderer-56967cc9b7-kvvr6 -n adminbconeorderer

3 Enter the dashboard directory

cd /home/jonluo/gopath/src/github.com/jonluo94/baasmanager/baas-kubecluster/dashboard

Edit dashboard/kubernetes-dashboard.yaml and create the K8S Dashboard
kubernetes-dashboard.yaml file:
Hosted on GitHub at
https://github.com/Life-Of-Coding/kubernetes/blob/master/kubernetes-dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' kubeconfig map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' kubeconfig map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/kubeapps/k8s-gcr-kubernetes-dashboard-amd64:v1.8.3
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes apimanager server Host
          # If not specified, Dashboard will attempt to auto discover the apimanager server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000
  type: NodePort
  selector:
    k8s-app: kubernetes-dashboard

kubectl create -f kubernetes-dashboard.yaml

If kubectl create -f kubernetes-dashboard.yaml fails, run kubectl delete -f kubernetes-dashboard.yaml to clean up the environment, then deploy again.
After a successful deployment, check the running pods

kubectl get pods --all-namespaces

4 Edit dashboard/admin-token.yaml and create the Dashboard administrator user

kubectl create -f admin-token.yaml

admin-token.yaml file:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Get the login token

kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system

Build the URL from your own IP address.
Open it in a browser: https://192.168.84.131:30000/#!/login and log in with the token

https://192.168.95.128:30000/#!/login

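Problem 1: the page is not displayed completely
Granting permissions to the anonymous user resolves this; it can serve as a quick fix in a test environment. The command binds cluster-admin to system:anonymous, so unauthenticated requests to the API server get full cluster access while the binding exists.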

kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous
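
The binding above gives cluster-admin to unauthenticated requests, and admin-token.yaml gives it to whoever holds the admin service account token. As an added example (not part of the original post), this script flags such bindings; the function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag ClusterRoleBindings that hand cluster-admin to
# unauthenticated identities or to service accounts.

# Emit one line per binding: NAME<TAB>ROLE<TAB>Kind:name,Kind:name,
# (needs kubectl access to the cluster).
list_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}:{.name},{end}{"\n"}{end}'
}

# Read list_bindings output on stdin; print "SEVERITY binding subject"
# for every cluster-admin grant worth reviewing.
flag_risky_bindings() {
  awk -F'\t' '
    $2 == "cluster-admin" {
      n = split($3, subj, ",")
      for (i = 1; i <= n; i++) {
        s = subj[i]
        if (s == "") continue
        if (s == "User:system:anonymous" || s == "Group:system:unauthenticated")
          print "CRITICAL", $1, s      # no credentials needed at all
        else if (s ~ /^ServiceAccount:/)
          print "REVIEW", $1, s        # token holder is cluster-admin
      }
    }'
}

# Constructed sample, shaped like the bindings this page creates.
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup:system:masters,\n'
  printf 'admin\tcluster-admin\tServiceAccount:admin,\n'
  printf 'test:anonymous\tcluster-admin\tUser:system:anonymous,\n'
  printf 'flannel\tflannel\tServiceAccount:flannel,\n'
}

# Offline demo on the sample; on a real cluster run:
#   list_bindings | flag_risky_bindings
#   kubectl delete clusterrolebinding test:anonymous
sample_bindings | flag_risky_bindings
```
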

Problem 2: a not found (404) error is reported after entering the token

kubectl delete -f admin-token.yaml
kubectl delete -f kubernetes-dashboard.yaml

Recreate

kubectl create -f kubernetes-dashboard.yaml
kubectl create -f admin-token.yaml
kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system

After a successful deployment the Dashboard page is displayed.
5 Get the kube-dns IP address

kubectl get services --all-namespaces | grep kube-dns

Look up this host's DNS address with the nmcli command
Do the following after the k8s cluster has been set up
To fix domain name resolution, add the relevant parameters to ExecStart on every worker node of the k8s cluster. The kube-dns IP is 10.1.0.10 and the host network's DNS address is 192.168.84.2. So that chaincode containers can resolve the peer nodes, carry out the following changes on hosts k8s-master and k8s-node1:

vim /lib/systemd/system/docker.service

Append after the ExecStart arguments:

--dns=10.1.0.10 --dns=192.168.84.2 --dns-search default.svc.cluster.local --dns-search svc.cluster.local --dns-opt ndots:5 --dns-opt timeout:2 --dns-opt attempts:2

Restart docker

systemctl daemon-reload && systemctl restart docker
systemctl enable kubelet && systemctl start kubelet

After a successful start, check node and pod status

kubectl get nodes
kubectl get pods --all-namespaces

Configure kube-engine on centosone
1 Enter baasmanager/baas-kubeengine

cd /home/jonluo/gopath/src/github.com/jonluo94/baasmanager/baas-kubeengine

Replace kubeconfig/config with the k8s master's $HOME/.kube/config file

cd kubeconfig
mv config configcp
cp $HOME/.kube/config ./

5 Start
Set the Go proxy

go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,direct

Start the service (port 5991)

cd ../
go run main.go
