License: Attribution-NonCommercial-ShareAlike 4.0 International
This post is from Suzf Blog. Unless otherwise noted, it is original content of SUZF.NET.
Kubeadm is a tool that provides `kubeadm init` and `kubeadm join` as best-practice "fast paths" for creating Kubernetes clusters.
kubeadm performs the actions necessary to get a minimum viable cluster up and running. By design, it cares only about bootstrapping, not about provisioning machines. Likewise, installing the various "nice-to-have" addons, such as the Kubernetes Dashboard, monitoring solutions, and cloud-specific extensions, is out of its scope.
Test environment:
CentOS Linux release 7.8.2003 (Core)
3 machines, 2 CPU / 4 GB RAM each
SELinux, iptables and swap disabled
# Disable the firewall
# systemctl stop firewalld && systemctl disable firewalld
# Disable SELinux
# setenforce 0 && sed -i 's/enforcing/disabled/' /etc/selinux/config
# Disable swap
# swapoff -a && sed -ri 's/.*swap.*/#&/' /etc/fstab
# Set the hostname
$ hostnamectl set-hostname <hostname>
# Update /etc/hosts
# cat >> /etc/hosts << EOF
10.20.30.101 k8s-master.suzf.net
10.20.30.102 k8s-node1.suzf.net
10.20.30.103 k8s-node2.suzf.net
EOF
# cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# sysctl --system
# Install Docker
# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
# yum install -y docker-ce
# systemctl enable docker && systemctl start docker
# Configure a registry mirror
# cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
EOF
# systemctl restart docker
# Install kubeadm, kubelet and kubectl
# cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
EOF
# yum install -y kubelet-1.19.0 kubeadm-1.19.0 kubectl-1.19.0
# systemctl enable kubelet
# Deploy the Kubernetes master
https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm-init/#config-file
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#initializing-your-control-plane-node
# Run on kube-master
# kubeadm init \
--apiserver-advertise-address=10.20.30.101 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.19.0 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=all
# Or bootstrap from a configuration file
# cat kubeadm.conf
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.19.0
imageRepository: registry.aliyuncs.com/google_containers
networking:
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
# kubeadm init --config kubeadm.conf --ignore-preflight-errors=all
# Copy the kubeconfig that kubectl uses to authenticate to the cluster into its default location
# mkdir -p $HOME/.kube
# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
# sudo chown $(id -u):$(id -g) $HOME/.kube/config
# kubectl get nodes
# Join Kubernetes nodes; run on each kube-node.
# To add a new node to the cluster, run the kubeadm join command printed by kubeadm init
# kubeadm join 10.20.30.101:6443 --token satafz.z1et5s272c9r1rcu \
--discovery-token-ca-cert-hash sha256:63fc747929bfffb5da2da38bca14cf300cd7fbd5332818f9a5e83c56780e5dc4
# The default token is valid for 24 hours; once it expires it can no longer be used and a new token must be created, as follows:
# kubeadm token create
# kubeadm token list
# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
63fc747929bfffb5da2da38bca14cf300cd7fbd5332818f9a5e83c56780e5dc4
# kubeadm join 10.20.30.101:6443 --token mg7nye.ckmrigo4ykjppf01 --discovery-token-ca-cert-hash sha256:63fc747929bfffb5da2da38bca14cf300cd7fbd5332818f9a5e83c56780e5dc4
# Or generate the complete join command directly: kubeadm token create --print-join-command
# Related link https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
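The `--discovery-token-ca-cert-hash` above is a pin on the cluster CA's public key: SHA-256 over the DER-encoded SubjectPublicKeyInfo, which is exactly what the openssl pipeline computes. The Python below is an added example (not from the original post) that computes the same pin from a CA PEM using only the standard library and checks whether a join command carries the matching hash, so a node operator can compare the pin against an out-of-band copy of ca.crt before joining; the certificate it parses is a constructed stand-in with the right ASN.1 shape, not a real CA.

```python
import base64, hashlib, re

def _tlv(der, pos):  # decode one DER TLV; return (tag, value_start, value_end)
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):  # strip the armour of the first CERTIFICATE block and decode it
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def spki_der(cert_der):  # return the raw SubjectPublicKeyInfo TLV of an X.509 cert
    _, p, _ = _tlv(cert_der, 0)             # Certificate SEQUENCE
    _, p, _ = _tlv(cert_der, p)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, p)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        p = end
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, p = _tlv(cert_der, p)
    _, _, end = _tlv(cert_der, p)           # subjectPublicKeyInfo
    return cert_der[p:end]

def discovery_hash(ca_pem):  # kubeadm's pin format: "sha256:" + hex(sha256(SPKI DER))
    return "sha256:" + hashlib.sha256(spki_der(pem_to_der(ca_pem))).hexdigest()

def join_hash_matches(join_cmd, ca_pem):  # True iff the join command pins this CA
    m = re.search(r"--discovery-token-ca-cert-hash\s+(sha256:[0-9a-f]{64})", join_cmd)
    return bool(m) and m.group(1) == discovery_hash(ca_pem)

# ---- constructed sample input (not a real CA; only the ASN.1 shape matters) ----
def _der(tag, body):  # minimal DER TLV encoder, used only to build the sample
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
_SHA256RSA = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_NAME = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"kubernetes"))))
_VALIDITY = _der(0x30, _der(0x17, b"200901000000Z") * 2)
SAMPLE_SPKI = _der(0x30, _RSA_ALG + _der(0x03, b"\x00" + b"\x42" * 270))
SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _SHA256RSA
                                   + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI) + _SHA256RSA + _der(0x03, b"\x00" * 257))
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER).decode()
                 + "-----END CERTIFICATE-----\n")
```

On a real control plane, `discovery_hash(open("/etc/kubernetes/pki/ca.crt").read())` yields the same value as the openssl pipeline above.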
# Deploy the container network (CNI)
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network
Note: deploy only one of the options below; Calico is recommended.
Calico is a pure layer-3 data center network solution that supports a wide range of platforms, including Kubernetes and OpenStack.
On every compute node Calico uses the Linux kernel to implement an efficient virtual router (vRouter) that handles data forwarding, and each vRouter uses the BGP protocol to propagate the routes of the workloads running on it across the whole Calico network.
In addition, the Calico project implements Kubernetes network policy, providing ACL functionality.
https://docs.projectcalico.org/getting-started/kubernetes/quickstart
# Download calico.yaml and edit the Pod network it defines (CALICO_IPV4POOL_CIDR) to match the value given to kubeadm init above
# curl -o calico.yaml https://docs.projectcalico.org/manifests/calico.yaml
# kubectl apply -f calico.yaml
# kubectl get pods -n kube-system
# Test the Kubernetes cluster
- Verify that Pods work
- Verify the Pod network
- Verify DNS resolution
# Create a pod in the Kubernetes cluster and verify that it runs normally:
# kubectl create deployment nginx --image=nginx
# kubectl expose deployment nginx --port=80 --type=NodePort
# kubectl get pod,svc
Access URL: http://NodeIP:Port
# Deploy Dashboard
# curl -o dashboard.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
By default the Dashboard is reachable only from inside the cluster; change the Service to type NodePort to expose it externally:
# vi dashboard.yaml
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30003
  selector:
    k8s-app: kubernetes-dashboard
...
# kubectl apply -f dashboard.yaml
# kubectl get pods -n kubernetes-dashboard
# Create a service account and bind it to the built-in cluster-admin cluster role:
# Create the user
# kubectl create serviceaccount dashboard-admin -n kube-system
# Grant the user permissions
# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# Get the user's token
# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
# Find the node the Dashboard pod is running on
# kubectl get pods -n kubernetes-dashboard -o wide | grep ^dash | awk '{print $7}'
k8s-node2.suzf.net
# Test the Dashboard
Access URL: https://NodeIP:30001
Log in to the Dashboard with the token printed above.