使用kubeadm安装kubernetes v1.14.0
一、环境准备
操作系统:Centos 7.5
- 每台机器 2 GB 或更多的 RAM (如果少于这个数字将会影响您应用的运行内存)
- 2 CPU 核心或更多
- 集群中的所有机器的网络彼此均能相互连接(公网和内网都可以)
- 节点之中不可以有重复的主机名,MAC 地址,product_uuid。更多详细信息请参见这里 。
- 开启主机上的一些特定端口. 更多详细信息请参见这里。
- 禁用 Swap 交换分区。为了保证 kubelet 正确运行,必须 禁用交换分区。
二、安装步骤
- 定义hostname
hostname k8s-master - 编辑
/etc/hostsvi /etc/hosts 192.168.194.135 k8s-master
当然我们在这里根据实际情况指定自己的ip地址即可 - 禁用交换分区等操作
# 将 SELinux 设置为 permissive 模式(将其禁用) swapoff -a setenforce 0 sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
- 配置yum源并安装相关相关核心文件
cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
安装docker与k8syum install -y docker kubelet-1.18.2-0 kubeadm-1.18.2-0 kubectl-1.18.2-0 --disableexcludes=kubernetes --disableexcludes=kubernetes - 设置docker与kubelet开机启动
$ systemctl enable docker.service kubelet.service $ systemctl start docker kubelet - 初始化master环境
kubeadm init --image-repository=registry.aliyuncs.com/google_containers --service-cidr=10.1.0.0/16 --pod-network-cidr=10.244.0.0/16 --kubernetes-version=v1.18.2-0
当运行成功后会出现的提示信息,我们注意以下几点
- 根据提示信息我们可以运行:
mkdir -p HOME/.kube sudo cp -i /etc/kubernetes/admin.conf HOME/.kube/config sudo chown (id -u):(id -g) $HOME/.kube/config - 记录加入token的秘钥
kubeadm join 172.17.0.13:6443 --token a5tzoh.svr1xpsh2kpdjfcn --discovery-token-ca-cert-hash sha256:816577e3c2b2c3184002f49089de08963dd34e63166017bbe7edbeba15fdc2b2
- 按需开启master创建pod的功能
kubectl taint nodes --all node-role.kubernetes.io/master-
默认情况出于安全考虑 master节点是不允许创建pod的,我们可以通过如上命令开启此功能
- 安装网络插件
$ iptables -P FORWARD ACCEPT
$ kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
当所有运行完成后 我们可以通过 kubectl get pod --all-namespaces来查看pod的运行状态,当所有为run的状态时,证明启动完毕
- 自动补全的设置
- Linux Bash
source /usr/share/bash-completion/bash_completion source <(kubectl completion bash)
- Linux Zsh
source <(kubectl completion zsh)
三、配置dashboard
在这里我们还是预先通过国内镜像仓库拉取,dashboard的镜像文件:
docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
docker tag docker.io/mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
yaml文件:
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #
apiVersionv1
kindSecret
metadata
labels
k8s-appkubernetes-dashboard
namekubernetes-dashboard-certs
namespacekube-system
typeOpaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersionv1
kindServiceAccount
metadata
labels
k8s-appkubernetes-dashboard
namekubernetes-dashboard
namespacekube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kindRole
apiVersionrbac.authorization.k8s.io/v1
metadata
namekubernetes-dashboard-minimal
namespacekube-system
rules
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
apiGroups""
resources"secrets"
verbs"create"
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
apiGroups""
resources"configmaps"
verbs"create"
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
apiGroups""
resources"secrets"
resourceNames"kubernetes-dashboard-key-holder" "kubernetes-dashboard-certs"
verbs"get" "update" "delete"
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
apiGroups""
resources"configmaps"
resourceNames"kubernetes-dashboard-settings"
verbs"get" "update"
# Allow Dashboard to get metrics from heapster.
apiGroups""
resources"services"
resourceNames"heapster"
verbs"proxy"
apiGroups""
resources"services/proxy"
resourceNames"heapster" "http:heapster:" "https:heapster:"
verbs"get"
---
apiVersionrbac.authorization.k8s.io/v1
kindRoleBinding
metadata
namekubernetes-dashboard-minimal
namespacekube-system
roleRef
apiGrouprbac.authorization.k8s.io
kindRole
namekubernetes-dashboard-minimal
subjects
kindServiceAccount
namekubernetes-dashboard
namespacekube-system
---
# ------------------- Dashboard Deployment ------------------- #
kindDeployment
apiVersionapps/v1
metadata
labels
k8s-appkubernetes-dashboard
namekubernetes-dashboard
namespacekube-system
spec
replicas1
revisionHistoryLimit10
selector
matchLabels
k8s-appkubernetes-dashboard
template
metadata
labels
k8s-appkubernetes-dashboard
spec
containers
namekubernetes-dashboard
imagek8s.gcr.io/kubernetes-dashboard-amd64v1.10.1
ports
containerPort8443
protocolTCP
args
--auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts
namekubernetes-dashboard-certs
mountPath/certs
# Create on-disk volume to store exec logs
mountPath/tmp
nametmp-volume
livenessProbe
httpGet
schemeHTTPS
path/
port8443
initialDelaySeconds30
timeoutSeconds30
volumes
namekubernetes-dashboard-certs
secret
secretNamekubernetes-dashboard-certs
nametmp-volume
emptyDir
serviceAccountNamekubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations
keynode-role.kubernetes.io/master
effectNoSchedule
---
# ------------------- Dashboard Service ------------------- #
kindService
apiVersionv1
metadata
labels
k8s-appkubernetes-dashboard
namekubernetes-dashboard
namespacekube-system
spec
typeNodePort
ports
port443
targetPort8443
nodePort30005
selector
k8s-appkubernetes-dashboard
紧接着我们要创建匿名用户的角色并查看其对应的token :
k8s-dashborad-admin.yaml:
kindClusterRoleBinding
apiVersionrbac.authorization.k8s.io/v1beta1
metadata
nameadmin
annotations
rbac.authorization.kubernetes.io/autoupdate"true"
roleRef
kindClusterRole
namecluster-admin
apiGrouprbac.authorization.k8s.io
subjects
kindServiceAccount
nameadmin
namespacekube-system
---
apiVersionv1
kindServiceAccount
metadata
nameadmin
namespacekube-system
labels
kubernetes.io/cluster-service"true"
addonmanager.kubernetes.io/modeReconcile
$ kubectl create clusterrolebinding test:anonymous --clusterrole=cluster-admin --user=system:anonymous
$ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep cluster-admin | awk '{print $1}')
此时我们通过https://xxx.xxx.xxx:30005即可访问dashboard,注意通过token信息我们可以登录:
四、配置heapster
4.1、heapster.yaml
apiVersionv1
kindServiceAccount
metadata
nameheapster
namespacekube-system
---
apiVersionextensions/v1beta1
kindDeployment
metadata
nameheapster
namespacekube-system
spec
replicas1
template
metadata
labels
taskmonitoring
k8s-appheapster
spec
serviceAccountNameheapster
containers
nameheapster
imageregistry.cn-hangzhou.aliyuncs.com/google_containers/heapster-amd64v1.5.4
imagePullPolicyIfNotPresent
command
/heapster
--source=kubernetes:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true
--sink=influxdb:http://monitoring-influxdb.kube-system.svc.cluster.local:8086
---
apiVersionv1
kindService
metadata
labels
taskmonitoring
# For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
# If you are NOT using this as an addon, you should comment out this line.
kubernetes.io/cluster-service'true'
kubernetes.io/nameHeapster
nameheapster
namespacekube-system
spec
ports
port80
targetPort8082
selector
k8s-appheapster
4.2、heapster-rbac.yaml
kindClusterRoleBinding
apiVersionrbac.authorization.k8s.io/v1beta1
metadata
nameheapster
roleRef
apiGrouprbac.authorization.k8s.io
kindClusterRole
namesystemheapster
subjects
kindServiceAccount
nameheapster
namespacekube-system
4.3、 influx_db.yaml
apiVersionextensions/v1beta1
kindDeployment
metadata
namemonitoring-influxdb
namespacekube-system
spec
replicas1
template
metadata
labels
taskmonitoring
k8s-appinfluxdb
spec
containers
nameinfluxdb
imageregistry.cn-hangzhou.aliyuncs.com/google_containers/heapster-influxdb-amd64v1.5.2
volumeMounts
mountPath/data
nameinfluxdb-storage
volumes
nameinfluxdb-storage
emptyDir
---
apiVersionv1
kindService
metadata
labels
taskmonitoring
# For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
# If you are NOT using this as an addon, you should comment out this line.
kubernetes.io/cluster-service'true'
kubernetes.io/namemonitoring-influxdb
namemonitoring-influxdb
namespacekube-system
spec
ports
port8086
targetPort8086
selector
k8s-appinfluxdb
4.4、生成修改权限的文件
运行上述三个文件后,我们要修改一下权限,否则会报403错误:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: heapster
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: heapster
namespace: kube-system
而后运行 kubectl create -f heapster_modify.yaml
五、附录
5.1、更改NodePort端口
比如像把端口范围改成1-65535,则在apiserver的启动命令里面添加如下参数:
--service-node-port-range=1-65535,该配置文件位于/etc/kubernetes/manifests/kube-apiserver.yaml下
5.2、DNS反复重启的解决方法
kubernetes(k8s)DNS 服务反复重启解决:
k8s.io/dns/pkg/dns/dns.go:150: Failed to list *v1.Service: Get https://10.96.0.1:443/api/v1/services?resourceVersion=0: dial tcp 10.96.0.1:443: getsockopt: no route to host
在使用 Minikube 部署 kubernetes 服务时,出现 Kube DNS 服务反复重启现象(错误如上),
这很可能是 iptables 规则乱了,我通过执行以下命令解决了,在此记录:
- # systemctl stop kubelet
- # systemctl stop docker
- # iptables --flush
- # iptables -tnat --flush
- # systemctl start kubelet
- # systemctl start docker
5.3、kube-flannel.yaml
---
apiVersionpolicy/v1beta1
kindPodSecurityPolicy
metadata
namepsp.flannel.unprivileged
annotations
seccomp.security.alpha.kubernetes.io/allowedProfileNamesdocker/default
seccomp.security.alpha.kubernetes.io/defaultProfileNamedocker/default
apparmor.security.beta.kubernetes.io/allowedProfileNamesruntime/default
apparmor.security.beta.kubernetes.io/defaultProfileNameruntime/default
spec
privilegedfalse
volumes
configMap
secret
emptyDir
hostPath
allowedHostPaths
pathPrefix"/etc/cni/net.d"
pathPrefix"/etc/kube-flannel"
pathPrefix"/run/flannel"
readOnlyRootFilesystemfalse
# Users and groups
runAsUser
ruleRunAsAny
supplementalGroups
ruleRunAsAny
fsGroup
ruleRunAsAny
# Privilege Escalation
allowPrivilegeEscalationfalse
defaultAllowPrivilegeEscalationfalse
# Capabilities
allowedCapabilities'NET_ADMIN'
defaultAddCapabilities
requiredDropCapabilities
# Host namespaces
hostPIDfalse
hostIPCfalse
hostNetworktrue
hostPorts
min0
max65535
# SELinux
seLinux
# SELinux is unused in CaaSP
rule'RunAsAny'
---
kindClusterRole
apiVersionrbac.authorization.k8s.io/v1beta1
metadata
nameflannel
rules
apiGroups'extensions'
resources'podsecuritypolicies'
verbs'use'
resourceNames'psp.flannel.unprivileged'
apiGroups
""
resources
pods
verbs
get
apiGroups
""
resources
nodes
verbs
list
watch
apiGroups
""
resources
nodes/status
verbs
patch
---
kindClusterRoleBinding
apiVersionrbac.authorization.k8s.io/v1beta1
metadata
nameflannel
roleRef
apiGrouprbac.authorization.k8s.io
kindClusterRole
nameflannel
subjects
kindServiceAccount
nameflannel
namespacekube-system
---
apiVersionv1
kindServiceAccount
metadata
nameflannel
namespacekube-system
---
kindConfigMap
apiVersionv1
metadata
namekube-flannel-cfg
namespacekube-system
labels
tiernode
appflannel
data
cni-conf.json
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersionapps/v1
kindDaemonSet
metadata
namekube-flannel-ds-amd64
namespacekube-system
labels
tiernode
appflannel
spec
selector
matchLabels
appflannel
template
metadata
labels
tiernode
appflannel
spec
affinity
nodeAffinity
requiredDuringSchedulingIgnoredDuringExecution
nodeSelectorTerms
matchExpressions
keykubernetes.io/os
operatorIn
values
linux
keykubernetes.io/arch
operatorIn
values
amd64
hostNetworktrue
tolerations
operatorExists
effectNoSchedule
serviceAccountNameflannel
initContainers
nameinstall-cni
imagequay.io/coreos/flannelv0.11.0-amd64
command
cp
args
-f
/etc/kube-flannel/cni-conf.json
/etc/cni/net.d/10-flannel.conflist
volumeMounts
namecni
mountPath/etc/cni/net.d
nameflannel-cfg
mountPath/etc/kube-flannel/
containers
namekube-flannel
imagequay.io/coreos/flannelv0.11.0-amd64
command
/opt/bin/flanneld
args
--ip-masq
--kube-subnet-mgr
resources
requests
cpu"100m"
memory"50Mi"
limits
cpu"100m"
memory"50Mi"
securityContext
privilegedfalse
capabilities
add"NET_ADMIN"
env
namePOD_NAME
valueFrom
fieldRef
fieldPathmetadata.name
namePOD_NAMESPACE
valueFrom
fieldRef
fieldPathmetadata.namespace
volumeMounts
namerun
mountPath/run/flannel
nameflannel-cfg
mountPath/etc/kube-flannel/
volumes
namerun
hostPath
path/run/flannel
namecni
hostPath
path/etc/cni/net.d
nameflannel-cfg
configMap
namekube-flannel-cfg
---
apiVersionapps/v1
kindDaemonSet
metadata
namekube-flannel-ds-arm64
namespacekube-system
labels
tiernode
appflannel
spec
selector
matchLabels
appflannel
template
metadata
labels
tiernode
appflannel
spec
affinity
nodeAffinity
requiredDuringSchedulingIgnoredDuringExecution
nodeSelectorTerms
matchExpressions
keykubernetes.io/os
operatorIn
values
linux
keykubernetes.io/arch
operatorIn
values
arm64
hostNetworktrue
tolerations
operatorExists
effectNoSchedule
serviceAccountNameflannel
initContainers
nameinstall-cni
imagequay.io/coreos/flannelv0.12.0-arm64
command
cp
args
-f
/etc/kube-flannel/cni-conf.json
/etc/cni/net.d/10-flannel.conflist
volumeMounts
namecni
mountPath/etc/cni/net.d
nameflannel-cfg
mountPath/etc/kube-flannel/
containers
namekube-flannel
imagequay.io/coreos/flannelv0.12.0-arm64
command
/opt/bin/flanneld
args
--ip-masq
--kube-subnet-mgr
resources
requests
cpu"100m"
memory"50Mi"
limits
cpu"100m"
memory"50Mi"
securityContext
privilegedfalse
capabilities
add"NET_ADMIN"
env
namePOD_NAME
valueFrom
fieldRef
fieldPathmetadata.name
namePOD_NAMESPACE
valueFrom
fieldRef
fieldPathmetadata.namespace
volumeMounts
namerun
mountPath/run/flannel
nameflannel-cfg
mountPath/etc/kube-flannel/
volumes
namerun
hostPath
path/run/flannel
namecni
hostPath
path/etc/cni/net.d
nameflannel-cfg
configMap
namekube-flannel-cfg
---
apiVersionapps/v1
kindDaemonSet
metadata
namekube-flannel-ds-arm
namespacekube-system
labels
tiernode
appflannel
spec
selector
matchLabels
appflannel
template
metadata
labels
tiernode
appflannel
spec
affinity
nodeAffinity
requiredDuringSchedulingIgnoredDuringExecution
nodeSelectorTerms
matchExpressions
keykubernetes.io/os
operatorIn
values
linux
keykubernetes.io/arch
operatorIn
values
arm
hostNetworktrue
tolerations
operatorExists
effectNoSchedule
serviceAccountNameflannel
initContainers
nameinstall-cni
imagequay.io/coreos/flannelv0.12.0-arm
command
cp
args
-f
/etc/kube-flannel/cni-conf.json
/etc/cni/net.d/10-flannel.conflist
volumeMounts
namecni
mountPath/etc/cni/net.d
nameflannel-cfg
mountPath/etc/kube-flannel/
containers
namekube-flannel
imagequay.io/coreos/flannelv0.12.0-arm
command
/opt/bin/flanneld
args
--ip-masq
--kube-subnet-mgr
resources
requests
cpu"100m"
memory"50Mi"
limits
cpu"100m"
memory"50Mi"
securityContext
privilegedfalse
capabilities
add"NET_ADMIN"
env
namePOD_NAME
valueFrom
fieldRef
fieldPathmetadata.name
namePOD_NAMESPACE
valueFrom
fieldRef
fieldPathmetadata.namespace
volumeMounts
namerun
mountPath/run/flannel
nameflannel-cfg
mountPath/etc/kube-flannel/
volumes
namerun
hostPath
path/run/flannel
namecni
hostPath
path/etc/cni/net.d
nameflannel-cfg
configMap
namekube-flannel-cfg
---
apiVersionapps/v1
kindDaemonSet
metadata
namekube-flannel-ds-ppc64le
namespacekube-system
labels
tiernode
appflannel
spec
selector
matchLabels
appflannel
template
metadata
labels
tiernode
appflannel
spec
affinity
nodeAffinity
requiredDuringSchedulingIgnoredDuringExecution
nodeSelectorTerms
matchExpressions
keykubernetes.io/os
operatorIn
values
linux
keykubernetes.io/arch
operatorIn
values
ppc64le
hostNetworktrue
tolerations
operatorExists
effectNoSchedule
serviceAccountNameflannel
initContainers
nameinstall-cni
imagequay.io/coreos/flannelv0.12.0-ppc64le
command
cp
args
-f
/etc/kube-flannel/cni-conf.json
/etc/cni/net.d/10-flannel.conflist
volumeMounts
namecni
mountPath/etc/cni/net.d
nameflannel-cfg
mountPath/etc/kube-flannel/
containers
namekube-flannel
imagequay.io/coreos/flannelv0.12.0-ppc64le
command
/opt/bin/flanneld
args
--ip-masq
--kube-subnet-mgr
resources
requests
cpu"100m"
memory"50Mi"
limits
cpu"100m"
memory"50Mi"
securityContext
privilegedfalse
capabilities
add"NET_ADMIN"
env
namePOD_NAME
valueFrom
fieldRef
fieldPathmetadata.name
namePOD_NAMESPACE
valueFrom
fieldRef
fieldPathmetadata.namespace
volumeMounts
namerun
mountPath/run/flannel
nameflannel-cfg
mountPath/etc/kube-flannel/
volumes
namerun
hostPath
path/run/flannel
namecni
hostPath
path/etc/cni/net.d
nameflannel-cfg
configMap
namekube-flannel-cfg
---
apiVersionapps/v1
kindDaemonSet
metadata
namekube-flannel-ds-s390x
namespacekube-system
labels
tiernode
appflannel
spec
selector
matchLabels
appflannel
template
metadata
labels
tiernode
appflannel
spec
affinity
nodeAffinity
requiredDuringSchedulingIgnoredDuringExecution
nodeSelectorTerms
matchExpressions
keykubernetes.io/os
operatorIn
values
linux
keykubernetes.io/arch
operatorIn
values
s390x
hostNetworktrue
tolerations
operatorExists
effectNoSchedule
serviceAccountNameflannel
initContainers
nameinstall-cni
imagequay.io/coreos/flannelv0.12.0-s390x
command
cp
args
-f
/etc/kube-flannel/cni-conf.json
/etc/cni/net.d/10-flannel.conflist
volumeMounts
namecni
mountPath/etc/cni/net.d
nameflannel-cfg
mountPath/etc/kube-flannel/
containers
namekube-flannel
imagequay.io/coreos/flannelv0.12.0-s390x
command
/opt/bin/flanneld
args
--ip-masq
--kube-subnet-mgr
resources
requests
cpu"100m"
memory"50Mi"
limits
cpu"100m"
memory"50Mi"
securityContext
privilegedfalse
capabilities
add"NET_ADMIN"
env
namePOD_NAME
valueFrom
fieldRef
fieldPathmetadata.name
namePOD_NAMESPACE
valueFrom
fieldRef
fieldPathmetadata.namespace
volumeMounts
namerun
mountPath/run/flannel
nameflannel-cfg
mountPath/etc/kube-flannel/
volumes
namerun
hostPath
path/run/flannel
namecni
hostPath
path/etc/cni/net.d
nameflannel-cfg
configMap
namekube-flannel-cfg
本文章为转载内容,我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题,欢迎原作者联系我们进行内容更正或删除文章。
