Installing a highly available Kubernetes 1.13.4 cluster with kubeadm

Environment

  • CentOS: 7.6
  • Docker: 18.06.1-ce
  • Kubernetes: 1.13.4
  • kubeadm: 1.13.4
  • kubelet: 1.13.4
  • kubectl: 1.13.4

Deployment overview

First bring up a single master node, then join two more servers to form a three-master highly available control plane, and finally join the worker nodes. The sections each host has to go through are:

  • Master01: 2, 3, 4, 5, 6, 7, 8, 9, 11
  • Master02, Master03: 2, 3, 5, 6, 4, 9
  • node01, node02: 2, 5, 6, 9

Cluster architecture:

(figure: cluster architecture diagram, VIP in front of three masters with keepalived + haproxy, two worker nodes)


1. Introduction to kubeadm

What kubeadm does

kubeadm is a tool that provides the kubeadm init and kubeadm join commands as a best-practice fast path for creating Kubernetes clusters.

kubeadm performs the actions necessary to get a minimum viable cluster up and running. By design it cares only about bootstrapping, not about provisioning machines beforehand. Likewise, installing the various nice-to-have addons, such as the Kubernetes Dashboard, monitoring solutions and cloud-specific addons, is outside its scope.

Instead, the expectation is that higher-level, more tailored tooling is built on top of kubeadm; ideally, using kubeadm as the basis of all deployments makes it easy to create conformant clusters.

kubeadm subcommands

  • kubeadm init: bootstrap a Kubernetes master node
  • kubeadm join: bootstrap a Kubernetes worker node and join it to the cluster
  • kubeadm upgrade: upgrade a Kubernetes cluster to a newer version
  • kubeadm config: if you initialized the cluster with kubeadm v1.7.x or lower, configure the cluster so that kubeadm upgrade can be used
  • kubeadm token: manage the tokens used by kubeadm join
  • kubeadm reset: revert any changes made to the host by kubeadm init or kubeadm join
  • kubeadm version: print the kubeadm version
  • kubeadm alpha: preview a set of new features made available for gathering feedback from the community

Feature maturity (kubeadm 1.13)

Area                        Maturity level
Command line UX             GA
Implementation              GA
Config file API             beta
CoreDNS                     GA
kubeadm alpha subcommands   alpha
High availability           alpha
DynamicKubeletConfig        alpha
Self-hosting                alpha

2. Preparation

2.1 Virtual machine allocation

Address        Hostname        CPU & memory   Role
192.168.2.10   k8s-vip         -              virtual IP (keepalived) in front of the API servers
192.168.2.11   k8s-master-01   2C & 2G        master
192.168.2.12   k8s-master-02   2C & 2G        master
192.168.2.13   k8s-master-03   2C & 2G        master
192.168.2.21   k8s-node-01     2C & 4G        node
192.168.2.22   k8s-node-02     2C & 4G        node

2.2 Ports used on each node

  • Master nodes
Protocol   Direction   Port range    Purpose                   Used by
TCP        Inbound     6443*         Kubernetes API server     All
TCP        Inbound     2379-2380     etcd server client API    kube-apiserver, etcd
TCP        Inbound     10250         Kubelet API               Self, control plane
TCP        Inbound     10251         kube-scheduler            Self
TCP        Inbound     10252         kube-controller-manager   Self
  • Worker nodes
Protocol   Direction   Port range    Purpose                   Used by
TCP        Inbound     10250         Kubelet API               Self, control plane
TCP        Inbound     30000-32767   NodePort Services**       All

* The API server port is configurable; this guide keeps 6443 on every master and puts haproxy in front of it on 16443.
** Default NodePort range.
In this setup the masters additionally listen on 16443 (haproxy) and 1080 (haproxy statistics), and VRRP (IP protocol 112) must be allowed between the masters for keepalived.

2.3 Base system configuration

Kubernetes needs a consistent environment on every node: synchronized clocks, working hostname resolution, a firewall that does not block the ports above, and so on.

Hostname resolution

Hosts in a distributed system usually address each other by hostname, which gives each host a stable name even when its IP address may change, so a dedicated DNS service normally resolves the node names. Since this is a test cluster, hostname resolution is done through /etc/hosts to keep things simple.

Edit /etc/hosts

Log in to each server and edit /etc/hosts:

vim /etc/hosts

Add the following lines:

192.168.2.10    master.k8s.io      k8s-vip
192.168.2.11    master01.k8s.io    k8s-master-01
192.168.2.12    master02.k8s.io    k8s-master-02
192.168.2.13    master03.k8s.io    k8s-master-03
192.168.2.21    node01.k8s.io      k8s-node-01
192.168.2.22    node02.k8s.io      k8s-node-02

Set the hostname

Log in to each server and set its hostname:

# on 192.168.2.11
hostnamectl  set-hostname  k8s-master-01
# on 192.168.2.12
hostnamectl  set-hostname  k8s-master-02
# on 192.168.2.13
hostnamectl  set-hostname  k8s-master-03

# on 192.168.2.21
hostnamectl  set-hostname  k8s-node-01
# on 192.168.2.22
hostnamectl  set-hostname  k8s-node-02

Time synchronization

Synchronize the clocks of all servers and enable the time service at boot. Certificate validity and bootstrap token expiry are both checked against the clock, so nodes whose time drifts apart fail in confusing ways.

systemctl start chronyd.service
systemctl enable chronyd.service

Disable the firewall

Stop and disable firewalld. This is a shortcut that is acceptable for an isolated lab; on any reachable network, keep firewalld running and open only the ports listed in section 2.2 (plus 16443, 1080 and VRRP between the masters).

systemctl stop firewalld
systemctl disable firewalld

Disable SELinux

# If SELinux is currently enforcing, switch the running system to permissive
setenforce 0

# Edit /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it) to disable SELinux permanently
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config

# Check the SELinux status
getenforce

getenforce now reports Permissive; the disabled setting takes effect after the next reboot (section 6.4 reboots every node anyway). Permissive mode is what the kubeadm documentation for this version requires, because the kubelet and the pod network need access to the host filesystem from inside containers.

Disable swap

kubeadm's preflight checks verify that swap is disabled on the host and abort the deployment otherwise, so, provided the host has enough memory, disable every swap device:

# Turn off all currently active swap devices
swapoff -a && sysctl -w vm.swappiness=0
# Edit fstab and comment out every line that describes a swap device, so swap stays off after a reboot
vi /etc/fstab

(figure: /etc/fstab with the swap line commented out)

Kernel parameters

Enable IP forwarding and make bridged traffic pass through iptables (kube-proxy and most CNI plugins rely on it).

Create /etc/sysctl.d/k8s.conf:

vim /etc/sysctl.d/k8s.conf

Add the following:

net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1

Load the br_netfilter module; the bridge-nf-call-* keys only exist once it is loaded. modprobe does not persist across reboots, so also list the module in a file under /etc/modules-load.d/ to have it loaded at boot.

modprobe br_netfilter

Apply the configuration file:

sysctl -p /etc/sysctl.d/k8s.conf

sysctl configures kernel parameters at runtime.

Check that the bridge entries now exist:

ls /proc/sys/net/bridge

Resource limits

/etc/security/limits.conf holds the per-user resource limits enforced by PAM; raise the open-file, process and locked-memory limits for all users:

echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536"  >> /etc/security/limits.conf
echo "* hard nproc 65536"  >> /etc/security/limits.conf
echo "* soft  memlock  unlimited"  >> /etc/security/limits.conf
echo "* hard memlock  unlimited"  >> /etc/security/limits.conf

Install dependencies and tools

yum install -y epel-release
yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vim  ntpdate libseccomp libtool-ltdl
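
The settings above are easy to get half right (swap turned off but still in fstab, br_netfilter loaded but the sysctl file never applied, SELinux switched to permissive only until the next reboot). The following preflight check is an added example for this guide, written in Python so it runs unchanged on every node; it is not part of kubeadm, whose own preflight only runs later at init and join time. It reads plain files under a root directory, so it can run against the live host (root="/") or against a constructed snapshot, which make_sample_root() writes so the check can be exercised offline. The expected hostnames are the ones this guide puts in /etc/hosts.

```python
"""Preflight check for the node preparation steps in this section (added example, not kubeadm code)."""
import os
import tempfile

# sysctl keys set in /etc/sysctl.d/k8s.conf above, as paths under /proc/sys
REQUIRED_SYSCTL = {
    "net/ipv4/ip_forward": "1",
    "net/bridge/bridge-nf-call-iptables": "1",
    "net/bridge/bridge-nf-call-ip6tables": "1",
}
REQUIRED_HOSTS = {"k8s-master-01", "k8s-master-02", "k8s-master-03", "k8s-node-01", "k8s-node-02"}


def _read(root, path):
    """Stripped content of root/path, or None when the file does not exist."""
    try:
        with open(os.path.join(root, path.lstrip("/"))) as f:
            return f.read().strip()
    except OSError:
        return None


def active_swap_devices(swaps_text):
    """Device names listed in /proc/swaps (its first line is a header)."""
    lines = [l for l in swaps_text.splitlines() if l.strip()]
    return [l.split()[0] for l in lines[1:]]


def fstab_swap_entries(fstab_text):
    """Uncommented fstab entries of type swap; they would re-enable swap at boot."""
    found = []
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and fields[2] == "swap":
            found.append(fields[0])
    return found


def hosts_names(hosts_text):
    """All names (canonical and aliases) mapped in an /etc/hosts text."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(fields[1:])
    return names


def preflight(root="/"):
    """List of problems found; an empty list means the node is ready for kubeadm."""
    problems = []
    swaps = _read(root, "/proc/swaps")
    if swaps and active_swap_devices(swaps):
        problems.append("swap is active: " + ", ".join(active_swap_devices(swaps)))
    fstab = _read(root, "/etc/fstab")
    if fstab and fstab_swap_entries(fstab):
        problems.append("fstab still enables swap: " + ", ".join(fstab_swap_entries(fstab)))
    for key, wanted in REQUIRED_SYSCTL.items():
        value = _read(root, "/proc/sys/" + key)
        name = key.replace("/", ".")
        if value is None:   # the bridge keys only exist once br_netfilter is loaded
            problems.append("sysctl %s missing (is br_netfilter loaded?)" % name)
        elif value != wanted:
            problems.append("sysctl %s = %s, want %s" % (name, value, wanted))
    # /sys/fs/selinux/enforce reads 1 when enforcing, 0 when permissive, and is absent when disabled
    if _read(root, "/sys/fs/selinux/enforce") == "1":
        problems.append("SELinux is enforcing")
    missing = sorted(REQUIRED_HOSTS - hosts_names(_read(root, "/etc/hosts") or ""))
    if missing:
        problems.append("missing /etc/hosts entries: " + ", ".join(missing))
    return problems


def make_sample_root(ready=True):
    """Write a constructed snapshot of the files preflight() reads (sample data, not from a real host)."""
    root = tempfile.mkdtemp()
    swap_line = "/dev/mapper/centos-swap                 partition\t2097148\t0\t-2\n"
    files = {
        "proc/swaps": "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n" + ("" if ready else swap_line),
        "etc/fstab": "/dev/mapper/centos-root / xfs defaults 0 0\n"
                     + ("#" if ready else "") + "/dev/mapper/centos-swap swap swap defaults 0 0\n",
        "proc/sys/net/ipv4/ip_forward": "1\n",
        "proc/sys/net/bridge/bridge-nf-call-iptables": "1\n",
        "proc/sys/net/bridge/bridge-nf-call-ip6tables": "1\n" if ready else "0\n",
        "sys/fs/selinux/enforce": "0\n" if ready else "1\n",
        "etc/hosts": "127.0.0.1 localhost\n"
                     "192.168.2.11 master01.k8s.io k8s-master-01\n192.168.2.12 master02.k8s.io k8s-master-02\n"
                     "192.168.2.13 master03.k8s.io k8s-master-03\n192.168.2.21 node01.k8s.io k8s-node-01\n"
                     "192.168.2.22 node02.k8s.io k8s-node-02\n",
    }
    for rel, content in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    found = preflight()
    for p in found:
        print("FAIL:", p)
    print("ready" if not found else "%d problem(s)" % len(found))
```

Run it as root on each node before installing the Kubernetes packages; anything it reports corresponds to one of the steps above. The fstab check matters because kubeadm only looks at the running state, so a node that passes kubeadm's own preflight can still come back with swap enabled after its first reboot.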

3. Install keepalived

  • What keepalived is: a service that keeps a cluster highly available, similar in purpose to heartbeat; it removes a single point of failure by floating a virtual IP between hosts.
  • Its role here: provide the VIP (192.168.2.10) in front of the three haproxy instances in an active/backup arrangement, so that losing one haproxy has minimal effect on the service.

3.1 Install keepalived with yum

# Install keepalived; psmisc provides the killall used by the health check below (not present on a minimal CentOS 7 install)
yum install -y keepalived psmisc

3.2 Configure keepalived

cat <<EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived

# Global definitions: notification targets and the identity of this node.
global_defs {
   # String identifying this node, usually the hostname but not required to be; used in failure notification mail.
   router_id LVS_k8s
}

# Health check: while it fails, the priority of the vrrp_instance is reduced by the value of weight.
vrrp_script check_haproxy {
    script "killall -0 haproxy"   # check by process name that haproxy is still alive
    interval 3
    weight -2
    fall 10
    rise 2
}

# vrrp_instance defines the VIP that is advertised and its properties.
vrrp_instance VI_1 {
    state MASTER   # MASTER on this node, BACKUP on the other two
    interface ens33 # change to the name of your own NIC
    virtual_router_id 51
    priority 250
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 35f18af7190d51c9f7f78f37300a0cbd
    }
    virtual_ipaddress {
        192.168.2.10   # the virtual IP (VIP)
    }
    track_script {
        check_haproxy
    }

}
EOF

In this node's configuration state is MASTER; set it to BACKUP on the other two nodes.

Configuration notes

  • virtual_ipaddress: the VIP
  • track_script: runs the check script defined above
  • interface: the NIC carrying the node's own (non-VIP) address, used to send VRRP packets
  • virtual_router_id: 0-255, distinguishes the VRRP multicast groups of several instances; every node of the same group uses the same value
  • advert_int: interval between VRRP advertisements, i.e. how often the master election runs (effectively the health check interval)
  • authentication: auth_type PASS or AH (IPSEC). PASS is recommended; only the first 8 characters of the password are used and it travels in clear text, so it only guards against accidental VRRP conflicts, not against an attacker on the same segment.
  • state: MASTER or BACKUP; once the other keepalived instances start, the node with the highest priority is elected MASTER anyway, so this setting has little practical effect.
  • priority: used for the master election, 1-255 (values outside that range fall back to the default 100). The node that should hold the VIP by default needs the highest value, but keep the gap between nodes smaller than the absolute value of the check script's weight (2 here): if a BACKUP sits more than 2 points below the MASTER, a dead haproxy on the MASTER only lowers its priority to 248 and the VIP never moves. Either keep all three at 250 (the election then falls back to the highest IP address) or raise weight to exceed the gap.
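
The interaction between priority and weight is the part of this configuration that is easiest to get wrong silently. The following model is an added example for this guide, not keepalived code: it applies keepalived's documented election rules (a vrrp_script with a negative weight subtracts its absolute value from the node's priority while the script fails, the highest effective priority wins, and a tie goes to the highest primary IP address) and assumes the default preemptive behaviour with no nopreempt set. Use it to check candidate priority and weight values for the three masters before trusting failover to them.

```python
"""VRRP election model for the keepalived.conf above (added example, not keepalived code)."""
import ipaddress


def effective_priority(priority, weight, haproxy_alive):
    """Priority a node advertises, given the configured weight and the check_haproxy result."""
    if weight < 0 and not haproxy_alive:
        return priority + weight      # negative weight: subtracted while the check fails
    if weight > 0 and haproxy_alive:
        return priority + weight      # positive weight: added while the check succeeds
    return priority


def vip_holder(nodes, weight, haproxy_alive):
    """IP of the node holding the VIP.

    nodes: {ip: configured priority}; haproxy_alive: {ip: bool}, nodes not listed are healthy.
    Highest effective priority wins; ties are broken by the highest primary IP, as VRRP does.
    """
    ranked = sorted(
        nodes,
        key=lambda ip: (effective_priority(nodes[ip], weight, haproxy_alive.get(ip, True)),
                        ipaddress.ip_address(ip)),
        reverse=True,
    )
    return ranked[0]


def failover_works(nodes, weight, master_ip):
    """True if haproxy dying on master_ip actually moves the VIP to another node."""
    alive = {ip: True for ip in nodes}
    alive[master_ip] = False
    return vip_holder(nodes, weight, alive) != master_ip


if __name__ == "__main__":
    # The "50 points apart" rule of thumb combined with weight -2 from the config above:
    masters = {"192.168.2.11": 250, "192.168.2.12": 200, "192.168.2.13": 150}
    print("VIP holder with all healthy:", vip_holder(masters, -2, {}))
    print("haproxy dies on master-01, VIP moves:", failover_works(masters, -2, "192.168.2.11"))
    print("same with weight -60, VIP moves:", failover_works(masters, -60, "192.168.2.11"))
```

With priorities 250/200/150 and weight -2 the model reports that the VIP does not move when haproxy dies on master-01 (it drops to 248, still ahead of 200), which is exactly the case keepalived's process check is supposed to cover; with equal priorities, or a weight larger than the gap, it does.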

3.3 Start keepalived

# Enable at boot
systemctl enable keepalived
# Start keepalived
systemctl start keepalived
# Check the status
systemctl status keepalived

3.4 Check the network state

After keepalived starts on the node whose state is MASTER, the VIP appears on the bound interface:

ip address show ens33

(figure: ip address output showing 192.168.2.10/32 on ens33)

If keepalived on this node is stopped, the VIP moves: one of the BACKUP nodes is elected the new MASTER and the VIP shows up on its interface. Stop keepalived on the master once and confirm that this really happens before building the cluster on top of the VIP.

4. Install haproxy

haproxy reverse-proxies the API server and forwards requests round-robin to every master. Compared with a keepalived-only active/backup setup, where a single master carries all the traffic, this spreads the load and tolerates the loss of any one master.

4.1 Install haproxy with yum

yum install -y haproxy

4.2 Configure haproxy

cat > /etc/haproxy/haproxy.cfg << EOF
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2
    
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon 
       
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------  
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000
#---------------------------------------------------------------------
# kubernetes apiserver frontend which proxys to the backends
#--------------------------------------------------------------------- 
frontend kubernetes-apiserver
    mode                 tcp
    bind                 *:16443
    option               tcplog
    default_backend      kubernetes-apiserver    
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend kubernetes-apiserver
    mode        tcp
    balance     roundrobin
    server      master01.k8s.io   192.168.2.11:6443 check
    server      master02.k8s.io   192.168.2.12:6443 check
    server      master03.k8s.io   192.168.2.13:6443 check
#---------------------------------------------------------------------
# collection haproxy statistics message
#---------------------------------------------------------------------
listen stats
    bind                 *:1080
    stats auth           admin:awesomePassword
    stats refresh        5s
    stats realm          HAProxy\ Statistics
    stats uri            /admin?stats
EOF

The haproxy configuration is identical on the other master nodes (192.168.2.12 and 192.168.2.13).

Two things to change before using this outside a lab: the statistics listener on port 1080 is bound on every interface and protected only by the literal admin:awesomePassword above, so set your own password or bind it to 127.0.0.1; and the backend check is a plain TCP connect, which tells haproxy that port 6443 accepts connections but not that the API server behind it is healthy.

4.3 Start and check haproxy

# Enable at boot
systemctl enable haproxy
# Start haproxy
systemctl start haproxy
# Check the status
systemctl status haproxy

4.4 Check the haproxy ports

ss -lnt | grep -E "16443|1080"

Output:

(figure: ss output showing LISTEN sockets on *:16443 and *:1080)

5. Install Docker (all nodes)

5.1 Remove previously installed Docker packages

sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-ce-cli \
                  docker-engine

Check whether any docker packages remain:

rpm -qa|grep docker

If any do, remove them with yum -y remove <package>, for example:

yum remove docker-ce-cli

5.2 Configure the Docker yum repository

Use either of the two repositories below. Downloads from the official repository are slow from China, so the Aliyun mirror is recommended; note that the mirror's repo file and GPG key are fetched over plain HTTP, so prefer the official https URL wherever the network allows and leave gpgcheck=1 in the repo file enabled in either case.

  • Aliyun mirror
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
  • Official Docker repository
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

5.3 Install Docker

List all installable docker-ce versions:

yum list docker-ce --showduplicates | sort -r

(figure: yum list output with the available docker-ce versions)

Install the chosen version:

sudo yum install docker-ce-18.06.1.ce-3.el7 -y

Set the image storage directory

Point Docker at a mount with enough space:

# Edit the docker unit file
vi /lib/systemd/system/docker.service

Find the ExecStart line and append the storage directory, for example --graph /apps/docker (the daemon binary is dockerd, not docker):
ExecStart=/usr/bin/dockerd --graph /apps/docker

A unit file under /lib/systemd/system is overwritten by package upgrades; setting "data-root": "/apps/docker" in /etc/docker/daemon.json has the same effect and survives them.

Reload systemd so the edited unit is picked up, then enable and start Docker:

systemctl daemon-reload
systemctl enable docker
systemctl start docker

Check iptables

Confirm that the default policy of the FORWARD chain in the iptables filter table is ACCEPT:

iptables -nvL

Output:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Docker 1.13 changed its default firewall rules and sets the FORWARD chain of the filter table to DROP, which breaks pod-to-pod traffic across nodes in a Kubernetes cluster. It only does so when the daemon has to enable net.ipv4.ip_forward itself; because section 2.3 already set ip_forward=1 before Docker first started, Docker 18.06 leaves the policy at ACCEPT here. A host that shows DROP (the 17.06 builds in our production environment still do) needs iptables -P FORWARD ACCEPT after every Docker start, or the sysctl applied before Docker comes up.

6. Install kubeadm and kubelet

6.1 Configure a reachable yum repository (Chinese mirror):

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

Keep gpgcheck=1: yum then verifies every package signature against the two keys listed in gpgkey (the mirror serves the upstream-signed packages), so a tampered or incomplete mirror cannot push unverified binaries that will run as root on every node. With gpgcheck=0 anything the mirror serves is installed as-is.

6.2 Install kubelet

  • The following packages have to be installed on every machine:
    • kubeadm: the command that bootstraps the cluster.
    • kubelet: runs on every node of the cluster and starts pods and containers.
    • kubectl: the command line tool for talking to the cluster.

List the available kubelet versions:

yum list kubelet --showduplicates | sort -r

Install kubelet:

yum install -y kubelet-1.13.4-0

Start kubelet and enable it at boot:

systemctl enable kubelet 
systemctl start kubelet

Check the status

The service shows as failed at this point. That is expected: kubelet has no configuration yet, so it restarts every 10 seconds until the master has been initialized (or the node has joined).

systemctl status kubelet

6.3 Install kubeadm

kubeadm is responsible for initializing the cluster.

List the available kubeadm versions:

yum list kubeadm --showduplicates | sort -r

Install kubeadm:

yum install -y kubeadm-1.13.4-0

Installing kubeadm pulls in kubectl as a dependency, so kubectl does not need to be installed separately. Pin all three packages to the same version, as done here; the Kubernetes version skew policy does not allow a kubelet newer than the API server it talks to.

6.4 Reboot the servers

To rule out leftover state from the steps above (the SELinux, swap and kernel settings all take full effect only after a reboot), reboot the servers before continuing:

reboot

7. Initialize the first Kubernetes master

This guide runs the first kubeadm init on the master that currently holds the VIP, so first check which master that is. It is not strictly required, since every haproxy forwards to every master, but keeping the VIP and the first API server together makes the first steps easier to follow:

ip address show ens33

Output:

ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:7e:65:b3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.11/24 brd 192.168.2.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.2.10/32 scope global ens33
       valid_lft forever preferred_lft forever

The VIP 192.168.2.10 and the address 192.168.2.11 are on the same machine, so the first master is initialized on master01.

7.1 Create the kubeadm configuration file

cat > kubeadm-config.yaml << EOF
apiServer:
  certSANs:
    - k8s-master-01
    - k8s-master-02
    - k8s-master-03
    - master.k8s.io
    - 192.168.2.10
    - 192.168.2.11
    - 192.168.2.12
    - 192.168.2.13
    - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta1
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "master.k8s.io:16443"
controllerManager: {}
dns: 
  type: CoreDNS
etcd:
  local:    
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.13.4
networking: 
  dnsDomain: cluster.local  
  podSubnet: 10.20.0.0/16
  serviceSubnet: 10.10.0.0/16
scheduler: {}
EOF

Two settings matter for HA: certSANs lists every address the API server certificate must be valid for (the VIP and its DNS name and, to be safe, every master's name and address, so the certificate stays valid whichever master answers behind the VIP), and controlPlaneEndpoint is the VIP's DNS name followed by the haproxy port.

Configuration notes:

  • imageRepository: registry.aliyuncs.com/google_containers (Aliyun mirror of the upstream control-plane images; the tags match upstream, but a mirror is a third party in your supply chain, so compare the image digests with the upstream k8s.gcr.io images where you can)
  • podSubnet: 10.20.0.0/16 (pod address range; it must match the network given to the CNI plugin in section 8)
  • serviceSubnet: 10.10.0.0/16 (service address range)

7.2 Initialize the first master

kubeadm init --config kubeadm-config.yaml

Log:

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009

The log shows the command that joins nodes to the cluster:

kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009

The token is a bootstrap credential: anyone who holds it and can reach the VIP can join a node to the cluster. The sha256 value pins the cluster CA, so a joining node cannot be tricked into trusting a different API server. Treat the token like a password and let it expire (24 hours by default).

7.3 Configure kubectl

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

admin.conf contains a client certificate in the system:masters group, i.e. unrestricted cluster-admin access; keep the copy readable only by your own user.

7.4 Check the component status

kubectl get cs

Output:

NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok                   
scheduler            Healthy   ok                   
etcd-0               Healthy   {"health": "true"}

Check the pod status:

kubectl get pods --namespace=kube-system

Output:

(figure: kube-system pods, coredns still Pending)

coredns is not running yet because no network plugin has been configured; configure one in the next section and check again.

8. Install the network plugin

8.1 Create the flannel manifest

cat > kube-flannel.yaml << EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.20.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-amd64
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: registry.cn-shenzhen.aliyuncs.com/cp_m/flannel:v0.10.0-amd64
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: registry.cn-shenzhen.aliyuncs.com/cp_m/flannel:v0.10.0-amd64
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
          limits:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: true
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
        - name: run
          hostPath:
            path: /run
        - name: cni
          hostPath:
            path: /etc/cni/net.d
        - name: flannel-cfg
          configMap:
            name: kube-flannel-cfg
EOF

"Network": "10.20.0.0/16" must be identical to podSubnet: 10.20.0.0/16 in kubeadm-config.yaml.

The flannel image above comes from a personal namespace on a public Aliyun registry (registry.cn-shenzhen.aliyuncs.com/cp_m/...), not from the flannel project. A DaemonSet that runs privileged with hostNetwork on every node is a high-value target, so use the upstream quay.io/coreos/flannel image, or mirror it yourself and pin it by digest, rather than trusting an unknown third party's copy.

8.2 Create the flannel roles and pods

kubectl apply -f kube-flannel.yaml

Wait a moment, then check the pods again:

kubectl get pods --namespace=kube-system

Output:

(figure: kube-system pods, all Running)

coredns is now running.

9. Join the cluster

9.1 Join the masters to form the HA control plane

Copy the certificates to the other masters

Run the commands below on master01 to copy the Kubernetes CA material to master02 and master03.

If a different node was initialized as the first master, copy that node's files to the other two masters instead; for example, if master03 was the first master, copy its configuration to master02 and master01.

  • Copy to master02
ssh root@master02.k8s.io mkdir -p /etc/kubernetes/pki/etcd
scp /etc/kubernetes/admin.conf root@master02.k8s.io:/etc/kubernetes
scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} root@master02.k8s.io:/etc/kubernetes/pki
scp /etc/kubernetes/pki/etcd/ca.* root@master02.k8s.io:/etc/kubernetes/pki/etcd
  • Copy to master03
ssh root@master03.k8s.io mkdir -p /etc/kubernetes/pki/etcd
scp /etc/kubernetes/admin.conf root@master03.k8s.io:/etc/kubernetes
scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} root@master03.k8s.io:/etc/kubernetes/pki
scp /etc/kubernetes/pki/etcd/ca.* root@master03.k8s.io:/etc/kubernetes/pki/etcd
  • Join the masters

These files are the cluster's root secrets: the CA key signs every certificate and sa.key signs every service account token. Copy them only over SSH as above, never stage them on a jump host, and check on the destination that the private keys stay readable by root only (ls -l /etc/kubernetes/pki).

Run the join command on both master02 and master03:

kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009 --experimental-control-plane

If the join fails and you want to retry, run kubeadm reset to clear the previous attempt, then repeat both steps: copying the certificates and joining.

Output of the join:

......
This node has joined the cluster and a new control plane instance was created:

* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Master label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.

To start administering your cluster from this node, you need to run the following as a regular user:

    mkdir -p $HOME/.kube
    sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    sudo chown $(id -u):$(id -g) $HOME/.kube/config

Run 'kubectl get nodes' to see this node join the cluster.
  • Configure kubectl on the new master
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

9.2 Join the worker nodes

Besides the masters that form the HA control plane, the worker nodes also have to join the cluster.

Join k8s-node-01 and k8s-node-02 here so they can run workloads.

Enter the join command printed when the first master was initialized:

kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009

9.3 If the join token or the CA hash has been lost (skip if not needed)

  • List the existing tokens
kubeadm token list

Tokens expire after 24 hours by default; once expired, create a new one (kubeadm token create --print-join-command prints the complete join command at the same time):

kubeadm token create
  • Compute the sha256 hash of the CA certificate's public key
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
  • Assemble the command
kubeadm join master.k8s.io:16443 --token 882ik4.9ib2kb0eftvuhb58 --discovery-token-ca-cert-hash sha256:0b1a836894d930c8558b350feeac8210c85c9d35b6d91fde202b870f3244016a

For a master, append --experimental-control-plane to the command. Note that the hash is the SHA-256 of the DER-encoded SubjectPublicKeyInfo of ca.crt, not of the whole certificate; that is what the openssl pipeline above extracts.
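
The join command explained in section 7.2 and the openssl pipeline above fit together: the hash pins the CA public key, so a join line handed over by chat or ticket can be verified against the cluster's ca.crt before it is executed. The following is an added example for this guide, written in Python and not kubeadm code: it recomputes kubeadm's discovery hash (SHA-256 over the SubjectPublicKeyInfo) with a minimal DER walker, checks that the token has the bootstrap token shape, and reports a missing or mismatching hash. The certificate it tests itself against is a constructed DER skeleton with a dummy key and an empty signature, not a real CA certificate; on a real master, pass the content of /etc/kubernetes/pki/ca.crt instead.

```python
"""Verify a kubeadm join command against the cluster CA (added example, not kubeadm code)."""
import base64
import hashlib
import re

TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")   # bootstrap token: <id>.<secret>
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def _tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """(tag, value_start, value_end, tlv_start) for each element inside a SEQUENCE body."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend


def spki_der(cert_der):
    """The raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, cert_start, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(cert_der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, _, spki_end, spki_start = fields[5]
    return cert_der[spki_start:spki_end]


def pem_to_der(pem_text):
    body = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def ca_cert_hash(ca_pem):
    """The value kubeadm expects after --discovery-token-ca-cert-hash for this ca.crt."""
    return "sha256:" + hashlib.sha256(spki_der(pem_to_der(ca_pem))).hexdigest()


def check_join_command(cmd, ca_pem):
    """Problems with a 'kubeadm join ...' line; an empty list means it is safe to run."""
    problems = []
    m = re.search(r"--token\s+(\S+)", cmd)
    if not m or not TOKEN_RE.match(m.group(1)):
        problems.append("token missing or not in kubeadm id.secret format")
    m = re.search(r"--discovery-token-ca-cert-hash\s+(\S+)", cmd)
    if not m or not HASH_RE.match(m.group(1)):
        problems.append("CA hash missing: without it the node trusts any API server it reaches")
    elif m.group(1) != ca_cert_hash(ca_pem):
        problems.append("CA hash does not match ca.crt: wrong cluster or tampered command")
    return problems


# ---- constructed sample certificate for the self-test (dummy key, no real signature) ----

def _der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SAMPLE_SPKI = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b""))
                   + _der(0x03, b"\x00" + bytes(range(1, 140))))   # dummy key bits
SAMPLE_SPKI_SHA256 = hashlib.sha256(SAMPLE_SPKI).hexdigest()


def sample_ca_pem():
    """A PEM certificate whose SPKI is SAMPLE_SPKI; structurally valid, cryptographically meaningless."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"kubernetes"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                 # version v3
                     + _der(0x02, b"\x01")                            # serialNumber
                     + _der(0x30, SHA256_RSA_OID + _der(0x05, b""))  # signature algorithm
                     + name                                           # issuer
                     + _der(0x30, _der(0x17, b"190301000000Z") + _der(0x17, b"290301000000Z"))
                     + name                                           # subject
                     + SAMPLE_SPKI)
    cert = _der(0x30, tbs + _der(0x30, SHA256_RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

A join command without --discovery-token-ca-cert-hash still works in this version, but then the joining kubelet accepts whatever CA the endpoint presents, which is why the check treats a missing hash as a problem rather than a warning. The DER walker relies only on the fixed field order of TBSCertificate, which is enough to locate the SPKI in any standard X.509 v1 to v3 certificate.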

9.4 Check that every node has joined

kubectl get nodes -o wide

Output:

NAME            STATUS   ROLES    AGE   VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION              CONTAINER-RUNTIME
k8s-master-01   Ready    master   12m   v1.13.4   192.168.2.11   <none>        CentOS Linux 7 (Core)   3.10.0-957.1.3.el7.x86_64   docker://18.6.1
k8s-master-02   Ready    master   10m   v1.13.4   192.168.2.12   <none>        CentOS Linux 7 (Core)   3.10.0-957.1.3.el7.x86_64   docker://18.6.1
k8s-master-03   Ready    master   38m   v1.13.4   192.168.2.13   <none>        CentOS Linux 7 (Core)   3.10.0-957.1.3.el7.x86_64   docker://18.6.1
k8s-node-01     Ready    <none>   68s   v1.13.4   192.168.2.21   <none>        CentOS Linux 7 (Core)   3.10.0-957.1.3.el7.x86_64   docker://18.6.1
k8s-node-02     Ready    <none>   61s   v1.13.4   192.168.2.22   <none>        CentOS Linux 7 (Core)   3.10.0-957.1.3.el7.x86_64   docker://18.6.1

10. Remove a node from the cluster

  • On a master:
kubectl drain <node name> --delete-local-data --force --ignore-daemonsets
kubectl delete node <node name>
  • On the node being removed:
kubeadm reset

11. Deploy the dashboard

The manifest only has to be applied from one server; the scheduler places the resulting pod somewhere in the cluster. Here it is applied on master01.

11.1 Create kubernetes-dashboard.yaml and apply it

# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---

# ------------------- Dashboard Deployment ------------------- #
# 1. The image repository is changed to a mirror; replace it with your own registry
# 2. The image pull policy is changed to imagePullPolicy: IfNotPresent
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
# A nodePort is added and the default Service type is changed from ClusterIP to NodePort so the dashboard is reachable from outside;
# without this it is only reachable from inside the cluster
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

Deploy the dashboard:

kubectl create -f kubernetes-dashboard.yaml

11.2 Create a ServiceAccount for the dashboard and bind it to the admin role

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Apply the user and role binding:

kubectl create -f dashboard-user-role.yaml

This binds the admin ServiceAccount to the built-in cluster-admin ClusterRole, so its token is a full-control credential for the whole cluster, and the Service above exposes the dashboard on port 30001 of every node. That is convenient in a lab; anywhere else, bind the dashboard to a narrower role, keep the Service of type ClusterIP and reach it through kubectl proxy, and never paste this token anywhere you would not paste the admin kubeconfig.

Get the login token:

kubectl describe secret/$(kubectl get secret -n kube-system |grep admin|awk '{print $1}') -n kube-system

Output:

[root@k8s-master-01 local]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system
Name:         admin-token-2mfdz
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin
              kubernetes.io/service-account.uid: 74efd994-38d8-11e9-8740-000c299624e4

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes

token:

eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1qdjd4ayIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImM4ZTMxYzk0LTQ2MWEtMTFlOS1iY2M5LTAwMGMyOTEzYzUxZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.TNw1iFEsZmJsVG4cki8iLtEoiY1pjpnOYm8ZIFjctpBdTOw6kUMvv2b2B2BJ_5rFle31gqGAZBIRyYj9LPAs06qT5uVP_l9o7IyFX4HToBF3veiun4e71822eQRUsgqiPh5uSjKXEkf9yGq9ujiCdtzFxnp3Pnpeuge73syuwd7J6F0-dJAp3b48MLZ1JJwEo6CTCMhm9buysycUYTbT_mUDQMNrHVH0868CdN_H8azA4PdLLLrFfTiVgoGu4c3sG5rgh9kKFqZA6dzV0Kq10W5JJwJRM1808ybLHyV9jfKN8N2_lZ7ehE6PbPU0cV-PyP74iA-HrzFW1yVwSLPVYA

11.3 Open the dashboard and log in

Open https://192.168.2.10:30001 to reach the dashboard (any node address works, since a NodePort listens on every node). The browser warns about the certificate because the dashboard generates a self-signed one (--auto-generate-certificates).

(figure: dashboard login page)

Enter the token obtained above to log in.

(figure: dashboard overview after login)

Problems

1. Masters do not run workloads

By default the masters carry a taint that keeps ordinary pods off them. To let them run workloads, remove the taint.

Show the taints:

# Check which nodes can be scheduled
kubectl describe nodes | grep -E '(Roles|Taints)'

Remove the taint:

# Make all nodes schedulable
kubectl taint nodes --all node-role.kubernetes.io/master-
# Make one specific node schedulable
kubectl taint nodes k8s-master-01 node-role.kubernetes.io/master-

Workloads on a master share the host with the API server and etcd, so a container escape there lands on the control plane. In a lab that is acceptable; in production keep the taint.

2. Rejoining the cluster

Sometimes a node has to be rejoined after a problem. Clean up the old state first, otherwise errors such as the following may appear:

network is not ready: [runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized]
Back-off restarting failed container

Run the following steps, then run the join command again:

# Reset the kubernetes state on this node (in this version kubeadm reset does not flush iptables or IPVS rules; see its output)
kubeadm reset

# Stop kubelet
systemctl stop kubelet

# Stop docker
systemctl stop docker

# Reset the CNI state: configuration, kubelet data and the interfaces created by flannel and docker
rm -rf /var/lib/cni/
rm -rf /var/lib/kubelet/*
rm -rf /etc/cni/
ifconfig cni0 down
ifconfig flannel.1 down
ifconfig docker0 down
ip link delete cni0
ip link delete flannel.1

# Start docker again
systemctl start docker

Join the cluster again, using your own endpoint, token and hash (the values below come from a different cluster):

kubeadm join cluster.kube.com:16443 --token gaeyou.k2650x660c8eb98c --discovery-token-ca-cert-hash sha256:daf4c2e0264422baa7076a2587f9224a5bd9c5667307927b0238743799dfb362