One-click Kubernetes environment setup with kubeadm
-
Install Docker
Follow the official tutorial: https://docs.docker.com/v17.09/engine/installation/linux/docker-ce/centos/#install-docker-ce-1
Change the Docker data directory: Docker's default directory is /var/lib/docker; a different directory can be set by editing /usr/lib/systemd/system/docker.service.
service docker stop
vim /usr/lib/systemd/system/docker.service, find ExecStart and add the --graph /data1/docker parameter: ExecStart=/usr/bin/dockerd --graph /data1/docker
Run: service docker start
systemctl daemon-reload (systemd only reads the edited unit file after this; if the service was already started, restart it afterwards)
The original /var/lib/docker folder can now be deleted.
-
Install the components:
yum install -y kubelet kubeadm kubectl
-
Disable swap
swapoff -a
-
Start the master (10.59.88.4)
kubeadm init --kubernetes-version=v1.9.3 --ignore-preflight-errors=Swap --pod-network-cidr=10.244.0.0/16
For the pod network we use Flannel. Flannel's default subnet is 10.244.0.0/16, so we pass --pod-network-cidr=10.244.0.0/16 to the init command.
-
Set up the user's kubectl environment
# if you are the root user
$ export KUBECONFIG=/etc/kubernetes/admin.conf
# if you are a non-root user
$ mkdir -p $HOME/.kube
$ cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ chown $(id -u):$(id -g) $HOME/.kube/config
# set up kubectl completion
$ kubectl completion bash > ~/.kube/completion.bash.inc
$ cat ~/.bash_profile
.....
source ~/.kube/completion.bash.inc
.....
$ source ~/.bash_profile
# By default the master node does not schedule pods. For ease of testing, the following command lets the master take part in scheduling:
$ kubectl taint nodes --all node-role.kubernetes.io/master-
# Flannel is used as the pod network; its default subnet was already specified via the init parameter --pod-network-cidr=10.244.0.0/16.
$ mkdir -p ~/k8s/
$ cd ~/k8s
$ wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
$ kubectl apply -f kube-flannel.yml
clusterrole "flannel" created
clusterrolebinding "flannel" created
serviceaccount "flannel" created
configmap "kube-flannel-cfg" created
daemonset "kube-flannel-ds" created
-
Initialize the node (10.59.88.5)
kubeadm join --token b74172.be4401beb112e39b 10.59.88.4:6443 --discovery-token-ca-cert-hash sha256:817200c3ea2ead62e393ef43dd140ff1c75642af8fc682a3be8d9392512bb464
The token parameter can be obtained with kubeadm token list; if the token has expired, kubeadm token create generates a new one. The IP address is that of the master machine set up above, and the port defaults to 6443.
discovery-token-ca-cert-hash is the SHA-256 hash derived from the CA certificate; it can be obtained with the following command:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Generate an SSH key on the master node and copy the config to the node:
$ ssh-keygen # press Enter at every prompt
$ ssh-copy-id root@10.59.88.5 # copy the config file to node2
$ scp /etc/kubernetes/admin.conf root@10.59.88.5:/root/.kube/config
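The --discovery-token-ca-cert-hash value above pins the cluster CA: kubeadm join compares it with the public key of the API server it is talking to and refuses to join on a mismatch, so it is worth confirming the hash you were handed against the master's own ca.crt. The following is an added example (not part of these notes; Python standard library only) that computes the same value as the openssl pipeline above, SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate rather than over the whole certificate, and checks a join hash against it; the certificate it builds is a constructed, unsigned toy sample, not a real CA.

```python
import base64, hashlib, hmac, re

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; only used to build the constructed sample cert."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(buf: bytes):
    """Yield (tag, body, raw_tlv) for each TLV laid out back-to-back in buf."""
    i = 0
    while i < len(buf):
        start, tag, n, i = i, buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length: the low 7 bits say how many length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n], buf[start:i + n]
        i += n

def spki_der(cert_der: bytes) -> bytes:
    """Extract the raw SubjectPublicKeyInfo TLV from an X.509 DER certificate."""
    _, cert_body, _ = next(der_children(cert_der))  # Certificate ::= SEQUENCE
    _, tbs_body, _ = next(der_children(cert_body))  # tbsCertificate
    fields = [c for c in der_children(tbs_body) if c[0] != 0xA0]  # skip optional [0] version
    tag, _, raw = fields[5]  # serial, sigAlg, issuer, validity, subject, spki
    assert tag == 0x30, "SubjectPublicKeyInfo not found"
    return raw

def ca_cert_hash(cert_pem: str) -> str:
    """Same value as the openssl pipeline: sha256 over the DER-encoded public key."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert_pem))
    return "sha256:" + hashlib.sha256(spki_der(der)).hexdigest()

def join_hash_matches(cert_pem: str, join_hash: str) -> bool:
    """Check a --discovery-token-ca-cert-hash value against the master's ca.crt."""
    return hmac.compare_digest(ca_cert_hash(cert_pem), join_hash)

def sample_cert() -> tuple:
    """Constructed, unsigned toy certificate (sample input only, not a real CA)."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = seq(seq(rsa_oid, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + b"\x01" * 32))
    validity = seq(der_tlv(0x17, b"190101000000Z"), der_tlv(0x17, b"290101000000Z"))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),
              seq(rsa_oid), seq(), validity, seq(), spki)
    der = seq(tbs, seq(rsa_oid), der_tlv(0x03, b"\x00" * 9))
    pem = f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"
    return pem, "sha256:" + hashlib.sha256(spki).hexdigest()
```

On a real master, pass the contents of /etc/kubernetes/pki/ca.crt to ca_cert_hash and compare the result with the hash printed by kubeadm init before running kubeadm join on a node.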
-
Approve the node's certificate on the master
kubectl get csr lists all submitted certificate requests; use the name to approve one with: kubectl certificate approve node-csr-o62v-6Z934ZTNoiLK20yHEpcBy92INssB2zhTFmFmLQ
The cluster is now set up. Use kubectl get nodes to view the nodes and kubectl cluster-info to view cluster information.
If any problem comes up during installation, kubeadm reset lets you start over.
-
Dashboard
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.8.3/src/deploy/recommended/kubernetes-dashboard.yaml
# edit the downloaded kubernetes-dashboard.yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort  # added
  ports:
  - port: 443
    targetPort: 8443
    nodePort: 31080  # after adding type: NodePort it is best to set nodePort as well; otherwise Kubernetes picks a random port in the 30000-32767 range and we would have to run kubectl get service --all-namespaces to find the dashboard's port
  selector:
    k8s-app: kubernetes-dashboard
$ kubectl create -f kubernetes-dashboard.yaml
# The ServiceAccount kubernetes-dashboard defined in kubernetes-dashboard.yaml has fairly limited permissions, so create a kubernetes-dashboard-admin ServiceAccount and grant it the cluster-admin role
$ cat kubernetes-dashboard-admin.rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system
$ kubectl create -f kubernetes-dashboard-admin.rbac.yaml
serviceaccount "kubernetes-dashboard-admin" created
clusterrolebinding "kubernetes-dashboard-admin" created
$ kubectl -n kube-system get secret | grep kubernetes-dashboard-admin
kubernetes-dashboard-admin-token-f2895 kubernetes.io/service-account-token 3 13m
$ kubectl describe secrets kubernetes-dashboard-admin-token-f2895 -n kube-system
Name: kubernetes-dashboard-admin-token-f2895
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name=kubernetes-dashboard-admin
             kubernetes.io/service-account.uid=84f8c734-4a0d-11e9-bad5-ecf4bbd474e0
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbi10b2tlbi1mMjg5NSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijg0ZjhjNzM0LTRhMGQtMTFlOS1iYWQ1LWVjZjRiYmQ0NzRlMCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZC1hZG1pbiJ9.X6hcIcNWp_cnWpEA6I8pcrEcGOb626bo2CbTDqUxLQfeD5cpkbGp10WLvrZrtMQMb4uwIZdHfcxYtoiuNwdb6LQCmeGS0k-SFibXwRijkRE1yWdVfAt60InFwCkJajAziGe8ZLqmAJVfTeRwe8l0KbBz-WCLuQ5HCZRyDmUDJhipZQLAe_jiiwVt3y43EaavgnsafzTYS3jLavaTW7KTlFmmsu1LFNmLkIhsKzvNQXsx7nu5-yvMjmn39VWDUicUER9BI0hLitQw7KLDQ8c1-SErKSzlt9YDFqZK1tPyNJgLtferAZILQf4IligZwvP-Qs0kOdWk--pb11oB7QZlxA
Open https://10.59.88.4:31080 and enter the token shown above.
Note: by default the dashboard is served over https and requires login. Because of the certificate issue, this is a bit inconvenient for internal development. You can edit the yml to disable authentication and expose the internal port 9090 directly as an http service.
References: http://www.do1618.com/archives/1164/
http://peimc-smp.paic.com.cn:8080/peimcnl/webIm/index.html