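Installing Kubernetes 1.15 with Kubespray 2.11

About Kubespray

Kubespray is an open-source Kubernetes deployment tool that integrates Ansible and makes it easy to deploy a highly available cluster environment. Official site: https://github.com/kubernetes... This article is a hands-on walkthrough of deploying Kubernetes 1.15 with Kubespray 2.11.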

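Important prerequisite

This walkthrough uses the officially recommended online installation, so images are downloaded from Google's image registry; <font color="red">your network must be able to reach Google services</font>.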

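Machine information

This walkthrough uses four machines in total; their hostnames, IP addresses and roles are as follows:

| Hostname | IP address | Role |
| --- | --- | --- |
| ansible | 192.168.133.134 | Ansible host |
| a001 | 192.168.133.139 | Worker node 1 of the k8s cluster |
| a002 | 192.168.133.140 | Worker node 2 of the k8s cluster |
| a003 | 192.168.133.141 | Worker node 3 of the k8s cluster |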

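Standard settings

All machines in this walkthrough need the following settings:

  1. Operating system: CentOS Linux release 7.7.1908
  2. All operations are performed with the root account
  3. Disable the firewall: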
systemctl stop firewalld && systemctl disable firewalld
  4. Disable SELinux:
setenforce 0
sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
  5. IPv4 network settings:
modprobe br_netfilter
echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
sysctl -w net.ipv4.ip_forward=1

Passwordless SSH login from the ansible host to a001, a002 and a003

  1. SSH into the ansible host;
  2. Generate an SSH key pair: run <font color="blue">ssh-keygen</font> and then press Enter four times in a row:
[root@ansible ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:Empen3/RfLndRkS8mKfkq6a2IXtSdqwK7TqKNoHkNEU root@ansible
The key's randomart image is:
+---[RSA 2048]----+
|  .E           . |
|   .            o|
|  .   .       o..|
| +   . .     + o.|
|= . o o S . ooo..|
|.o o ..o + o.oo.o|
|  . .. o=.o  ..o+|
| o.  .o.o=.... .+|
|......o+=o=o.  . |
+----[SHA256]-----+
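  3. Run <font color="blue">ssh-copy-id root@192.168.133.139</font> to distribute the ansible host's SSH public key to host a001. You will be asked to enter <font color="blue">yes</font> and the password of the root account on a001; once that is done, the ansible host can SSH into a001 without a password: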
[root@ansible ~]# ssh-copy-id root@192.168.133.139
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '192.168.133.139 (192.168.133.139)' can't be established.
ECDSA key fingerprint is SHA256:DPE2nldWHiOhC4DB9doy7jPWNZVup6XFZ+sR2i1gqz8.
ECDSA key fingerprint is MD5:fc:21:f7:7f:e8:cd:1a:76:d7:fb:cc:d4:28:91:f3:5a.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.133.139's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@192.168.133.139'"
and check to make sure that only the key(s) you wanted were added.
  4. Next run <font color="blue">ssh-copy-id root@192.168.133.140</font> and <font color="blue">ssh-copy-id root@192.168.133.141</font>, so that the ansible host can log in to a002 and a003 without a password;
  5. At this point, the ansible host can log in to a001, a002 and a003 without a password using the commands <font color="blue">ssh root@192.168.133.139</font>, <font color="blue">ssh root@192.168.133.140</font> and <font color="blue">ssh root@192.168.133.141</font>;

Operations on the ansible host

  1. SSH into the ansible host;
  2. Install Ansible:
yum install -y epel-release ansible
  3. Install pip:
easy_install pip
  4. Install jinja2 with pip:
pip2 install jinja2 --upgrade
  5. Install python36:
yum install python36 -y
  6. Create a working directory and enter it:
mkdir /usr/local/kubespray && cd /usr/local/kubespray/
  7. Download Kubespray; I downloaded version <font color="blue">v2.11.0</font>:
wget https://github.com/kubernetes-sigs/kubespray/archive/v2.11.0.tar.gz
  8. Extract the archive:
tar -zxvf v2.11.0.tar.gz
  9. Enter the extracted directory:
cd kubespray-2.11.0/
  10. Install the packages Kubespray requires (note that this is <font color="red">pip3</font>):
pip3 install -r requirements.txt
  11. Copy the demo configuration to the directory <font color="blue">inventory/mycluster</font>:
cp -rfp inventory/sample inventory/mycluster
  12. Take a look inside; many files have been copied under the mycluster directory:
[root@ansible kubespray-2.11.0]# tree inventory/
inventory/
├── local
│   ├── group_vars -> ../sample/group_vars
│   └── hosts.ini
├── mycluster
│   ├── group_vars
│   │   ├── all
│   │   │   ├── all.yml
│   │   │   ├── azure.yml
│   │   │   ├── coreos.yml
│   │   │   ├── docker.yml
│   │   │   ├── oci.yml
│   │   │   └── openstack.yml
│   │   ├── etcd.yml
│   │   └── k8s-cluster
│   │       ├── addons.yml
│   │       ├── k8s-cluster.yml
│   │       ├── k8s-net-calico.yml
│   │       ├── k8s-net-canal.yml
│   │       ├── k8s-net-cilium.yml
│   │       ├── k8s-net-contiv.yml
│   │       ├── k8s-net-flannel.yml
│   │       ├── k8s-net-kube-router.yml
│   │       ├── k8s-net-macvlan.yml
│   │       └── k8s-net-weave.yml
│   └── inventory.ini
  13. Set the cluster information (the current directory is still kubespray-2.11.0):
declare -a IPS=(192.168.133.139 192.168.133.140 192.168.133.141)
  14. Configure Ansible:
CONFIG_FILE=inventory/mycluster/hosts.yml python3 contrib/inventory_builder/inventory.py ${IPS[@]}

Kubespray's script has now planned the cluster from the IP addresses given. The details are in <font color="blue">inventory/mycluster/hosts.yml</font>, shown below; you can also edit this file yourself:

all:
  hosts:
    node1:
      ansible_host: 192.168.133.139
      ip: 192.168.133.139
      access_ip: 192.168.133.139
    node2:
      ansible_host: 192.168.133.140
      ip: 192.168.133.140
      access_ip: 192.168.133.140
    node3:
      ansible_host: 192.168.133.141
      ip: 192.168.133.141
      access_ip: 192.168.133.141
  children:
    kube-master:
      hosts:
        node1:
        node2:
    kube-node:
      hosts:
        node1:
        node2:
        node3:
    etcd:
      hosts:
        node1:
        node2:
        node3:
    k8s-cluster:
      children:
        kube-master:
        kube-node:
    calico-rr:
      hosts: {}
  15. Run the following command to start the installation; online installation takes a while, so please be patient:
ansible-playbook -i inventory/mycluster/hosts.yml --become --become-user=root cluster.yml

When the installation completes, the console prints output similar to the following:

PLAY RECAP ********************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0   
node1                      : ok=658  changed=95   unreachable=0    failed=0   
node2                      : ok=566  changed=77   unreachable=0    failed=0   
node3                      : ok=475  changed=66   unreachable=0    failed=0   

Sunday 17 November 2019  17:31:19 +0800 (0:00:00.064)       0:09:56.193 ******* 
=============================================================================== 
kubernetes/master : kubeadm | Init other uninitialized masters -------------------------------------------------------------------------------------------------------------------- 94.91s
kubernetes/master : kubeadm | Initialize first master ----------------------------------------------------------------------------------------------------------------------------- 42.95s
etcd : Install | Copy etcdctl binary from docker container ------------------------------------------------------------------------------------------------------------------------ 14.26s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------ 12.87s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------ 12.28s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------ 10.79s
etcd : reload etcd ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.71s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 9.71s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 9.48s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 8.02s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 7.88s
etcd : wait for etcd up ------------------------------------------------------------------------------------------------------------------------------------------------------------ 7.16s
etcd : Gen_certs | Write etcd master certs ----------------------------------------------------------------------------------------------------------------------------------------- 6.39s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 5.75s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 5.53s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 5.42s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 5.41s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 5.06s
download : download_container | Download image if required ------------------------------------------------------------------------------------------------------------------------- 4.87s
kubernetes-apps/ansible : Kubernetes Apps | Start Resources ------------------------------------------------------------------------------------------------------------------------ 4.78s

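At this point the Kubernetes cluster environment has been deployed; next, briefly verify that the environment is usable.

Checking the environment

  1. SSH into the a001 machine;
  2. View the nodes, services and pods: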
[root@node1 ~]# kubectl get nodes
NAME    STATUS   ROLES    AGE   VERSION
node1   Ready    master   25m   v1.15.3
node2   Ready    master   23m   v1.15.3
node3   Ready    <none>   23m   v1.15.3
[root@node1 ~]# kubectl get services --all-namespaces
NAMESPACE     NAME                   TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes             ClusterIP   10.233.0.1    <none>        443/TCP                  25m
kube-system   coredns                ClusterIP   10.233.0.3    <none>        53/UDP,53/TCP,9153/TCP   22m
kube-system   kubernetes-dashboard   ClusterIP   10.233.35.1   <none>        443/TCP                  22m
[root@node1 ~]# kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-c6fb79b8b-v24nq   1/1     Running   0          22m
kube-system   calico-node-46s8t                         1/1     Running   0          23m
kube-system   calico-node-mcjfs                         1/1     Running   0          23m
kube-system   calico-node-q989m                         1/1     Running   1          23m
kube-system   coredns-74c9d4d795-4xz6s                  1/1     Running   0          22m
kube-system   coredns-74c9d4d795-kh6vl                  1/1     Running   0          22m
kube-system   dns-autoscaler-7d95989447-gmcrl           1/1     Running   0          22m
kube-system   kube-apiserver-node1                      1/1     Running   0          24m
kube-system   kube-apiserver-node2                      1/1     Running   0          23m
kube-system   kube-controller-manager-node1             1/1     Running   0          24m
kube-system   kube-controller-manager-node2             1/1     Running   0          23m
kube-system   kube-proxy-2zhwn                          1/1     Running   0          23m
kube-system   kube-proxy-59qx8                          1/1     Running   0          23m
kube-system   kube-proxy-fgpx6                          1/1     Running   0          23m
kube-system   kube-scheduler-node1                      1/1     Running   0          24m
kube-system   kube-scheduler-node2                      1/1     Running   0          23m
kube-system   kubernetes-dashboard-7c547b4c64-x7nfq     1/1     Running   0          22m
kube-system   nginx-proxy-node3                         1/1     Running   0          23m
kube-system   nodelocaldns-8khfq                        1/1     Running   0          22m
kube-system   nodelocaldns-pzx2p                        1/1     Running   0          22m
kube-system   nodelocaldns-s5kcd                        1/1     Running   0          22m

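Accessing the dashboard

The dashboard shows the overall state of the Kubernetes system. To access the dashboard page, RBAC objects need to be added:

  1. SSH into the a001 machine;
  2. Run the following command to create the file <font color="blue">admin-user.yaml</font>: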
tee admin-user.yaml <<-'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
EOF
  3. Run the following command to create the file <font color="blue">admin-user-role.yaml</font>:
tee admin-user-role.yaml <<-'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
EOF
  4. Create the ServiceAccount and ClusterRoleBinding:
kubectl create -f admin-user.yaml && kubectl create -f admin-user-role.yaml
  5. Get the token, which is used to log in to the dashboard page:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

The token is the content inside the red box in the figure below:

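  6. You can now open the dashboard page in a browser at https://192.168.133.139:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ , where <font color="blue">192.168.133.139</font> is the IP address of the a001 machine; it can also be replaced with the IP address of a002;
  7. Because this is not the https protocol, the browser may show a security warning, as in the figure below; choose <font color="blue">Proceed to</font>: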


  8. The page now asks you to choose a login method; choose <font color="blue">Token</font> and enter the token obtained earlier to log in:


  9. After logging in successfully you can see the system information, as in the figure below:
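
An added example, not part of the original article: the ClusterRoleBinding created in step 4 gives the admin-user token the cluster-admin role, which is full control of the cluster, so it is worth listing who holds that role once the dashboard works. The Python script below reports every ClusterRoleBinding subject bound to cluster-admin other than the built-in system:masters group; the sample JSON is constructed, and the file name audit.py in the comment is an assumption.

```python
import json
import sys

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = """
{"items": [
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "admin-user"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "admin-user",
                 "namespace": "kube-system"}]},
  {"metadata": {"name": "example-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "User", "name": "example-user"}]},
  {"metadata": {"name": "example-empty"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
"""

# The built-in binding present on every cluster; anything else needs review.
EXPECTED = {("cluster-admin", "Group", "system:masters")}


def cluster_admin_subjects(doc):
    """Yield (binding, kind, name) for each subject bound to cluster-admin."""
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if (ref.get("kind"), ref.get("name")) != ("ClusterRole", "cluster-admin"):
            continue
        for subj in item.get("subjects") or []:  # key may be absent or null
            name = subj.get("name", "")
            if subj.get("kind") == "ServiceAccount":
                name = subj.get("namespace", "") + "/" + name
            yield item["metadata"]["name"], subj.get("kind"), name


def review(doc):
    """Return the cluster-admin subjects that are not in EXPECTED, sorted."""
    return sorted(s for s in cluster_admin_subjects(doc) if s not in EXPECTED)


if __name__ == "__main__":
    # Real use: kubectl get clusterrolebindings -o json | python3 audit.py -
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for binding, kind, name in review(json.loads(raw)):
        print("REVIEW %s: %s %s holds cluster-admin" % (binding, kind, name))
```

On the constructed sample the only entry reported is the admin-user ServiceAccount from this walkthrough; a binding with no subjects is skipped rather than causing an error.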

At this point, installing Kubernetes 1.15 with Kubespray 2.11 is complete; I hope this article is of some help to you.

Welcome to follow the official account: 程序員欣宸
