02-k8s环境部署(生产环境使用kubelet1.16.2)
k8s环境部署文章目录k8s环境部署环境准备安装 docker / kubelet初始化API Server创建 ApiServer 的 Load Balancer(私网)初始化第一个master节点初始化第二、三个master节点方式一:和第一个Master节点一起初始化(两小时内)方式二:第一个Master节点初始化2个小时后再初始化获得 certificate key获得 join 命令初始
k8s环境部署
文章目录
环境准备
检查系统版本和主机名
# 在master 节点和 worker 节点都要执行
cat /etc/redhat-release
# 此处 hostname 的输出将会是该机器在 Kubernetes 集群中的节点名字
hostname
# 修改 hostname
hostnamectl set-hostname your-new-host-name
# 查看修改结果
hostnamectl status
# 设置 hostname 解析
echo "127.0.0.1 $(hostname)" >> /etc/hosts
检查网络
#在所有节点执行命令
[root@k8s-master01 ~]# ip route show
default via 192.168.1.1 dev ens32 proto static metric 100
192.168.1.0/24 dev ens32 proto kernel scope link src 192.168.1.20 metric 100
[root@k8s-master01 ~]# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:45:de:35 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.20/24 brd 192.168.1.255 scope global noprefixroute ens32
valid_lft forever preferred_lft forever
inet6 fe80::a4dc:eb6e:1a5e:f979/64 scope link tentative noprefixroute dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::3da2:dfff:2f79:82ed/64 scope link tentative noprefixroute dadfailed
valid_lft forever preferred_lft forever
inet6 fe80::5e01:56c4:a44b:ee66/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@k8s-master01 ~]#
kubelet使用的IP地址
-
ip route show
命令中,可以知道机器的默认网卡,通常是eth0
或ens32
,如 default via 192.168.1.1 dev ens32 -
ip address
命令中,可显示默认网卡的 IP 地址,Kubernetes 将使用此 IP 地址与集群内的其他节点通信,如192.168.1.20
-
所有节点上 Kubernetes 所使用的 IP 地址必须可以互通(无需 NAT 映射、无安全组或防火墙隔离)
安装 docker / kubelet
系统环境:
1、任意节点centos版本为7.6或7.7;
2、CPU内核数大于等于2,内存大于等于4G;
3、hostname不是localhost,切不包含斜划线、小数点、大写字母;
4、每个节点配置固定的IP地址,只有一块网卡(如果有特殊目的,可以在完成 K8S 安装后再增加新的网卡)
5、所有节点IP地址互通(没有NAT映射即可访问),没有防火墙,安全组隔离、黑名单
6、不在任意节点直接使用docker run或docker-compose运行容器
所有节点需要用root身份在所有节点执行以下代码,安装软件:docker、nfs-util、kubectl/kubeadm/kubelet
#!/bin/bash
# 在 master 节点和 worker 节点都要执行
# 安装 docker
# 参考文档如下
# https://docs.docker.com/install/linux/docker-ce/centos/
# https://docs.docker.com/install/linux/linux-postinstall/
# 卸载旧版本
yum remove -y docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
# 设置 yum repository
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 安装并启动 docker
yum install -y docker-ce-18.09.7 docker-ce-cli-18.09.7 containerd.io
systemctl enable docker
systemctl start docker
# 安装 nfs-utils
# 必须先安装 nfs-utils 才能挂载 nfs 网络存储
yum install -y nfs-utils
yum install -y wget
# 关闭 防火墙
systemctl stop firewalld
systemctl disable firewalld
# 关闭 SeLinux
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
# 关闭 swap
swapoff -a
yes | cp /etc/fstab /etc/fstab_bak
cat /etc/fstab_bak |grep -v swap > /etc/fstab
# 修改 /etc/sysctl.conf
# 如果有配置,则修改
sed -i "s#^net.ipv4.ip_forward.*#net.ipv4.ip_forward=1#g" /etc/sysctl.conf
sed -i "s#^net.bridge.bridge-nf-call-ip6tables.*#net.bridge.bridge-nf-call-ip6tables=1#g" /etc/sysctl.conf
sed -i "s#^net.bridge.bridge-nf-call-iptables.*#net.bridge.bridge-nf-call-iptables=1#g" /etc/sysctl.conf
# 可能没有,追加
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
echo "net.bridge.bridge-nf-call-ip6tables = 1" >> /etc/sysctl.conf
echo "net.bridge.bridge-nf-call-iptables = 1" >> /etc/sysctl.conf
# 执行命令以应用
sysctl -p
# 配置K8S的yum源
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# 卸载旧版本
yum remove -y kubelet kubeadm kubectl
# 安装kubelet、kubeadm、kubectl
yum install -y kubelet-1.16.2 kubeadm-1.16.2 kubectl-1.16.2
# 修改docker Cgroup Driver为systemd
# # 将/usr/lib/systemd/system/docker.service文件中的这一行 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
# # 修改为 ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd
# 如果不修改,在添加 worker 节点时可能会碰到如下错误
# [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd".
# Please follow the guide at https://kubernetes.io/docs/setup/cri/
sed -i "s#^ExecStart=/usr/bin/dockerd.*#ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd#g" /usr/lib/systemd/system/docker.service
# 设置 docker 镜像,提高 docker 镜像下载速度和稳定性
# 如果您访问 https://hub.docker.io 速度非常稳定,亦可以跳过这个步骤
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io
# 重启 docker,并启动 kubelet
systemctl daemon-reload
systemctl restart docker
systemctl enable kubelet && systemctl start kubelet
docker version
注意:此脚本安装docker版本docker-ce-18.09,kubeadm版本kubeadm-1.16.2。如果此时执行 service status kubelet
命令,将得到 kubelet 启动失败的错误提示,请忽略此错误,因为必须完成后续步骤中 kubeadm init 的操作,kubelet 才能正常启动。
初始化API Server
创建 ApiServer 的 Load Balancer(私网)
监听端口:6443 / TCP
后端资源组:包含 k8s-master01, k8s-master02, k8s-master-03
后端端口:6443
开启 按源地址保持会话
假设完成创建以后,Load Balancer的 ip 地址为 192.168.1.10,此处试用的是keepalive+haproxy,使用16643端口负载均衡到6443端口,可参考部署文档keepalive+haproxy
根据每个人实际的情况不同,实现 LoadBalancer 的方式不一样,本文不详细阐述如何搭建 LoadBalancer,请读者自行解决,可以考虑的选择有:
- nginx
- haproxy
- keepalived
- 云供应商提供的负载均衡产品
初始化第一个master节点
- 以 root 身份在 k8s-master01 机器上执行
- 初始化 master 节点时,如果因为中间某些步骤的配置出错,想要重新初始化 master 节点,请先执行
kubeadm reset
操作
关于初始化时用到的环境变量
- APISERVER_NAME 不能是 master 的 hostname
- APISERVER_NAME 必须全为小写字母、数字、小数点,不能包含减号
- POD_SUBNET 所使用的网段不能与 master节点/worker节点 所在的网段重叠。该字段的取值为一个 CIDR 值,如果您对 CIDR 这个概念还不熟悉,请不要修改这个字段的取值 10.100.0.1/16
# 只在第一个 master 节点执行
# 替换 apiserver.demo 为 您想要的 dnsName
export APISERVER_NAME=apiserver.demo
# Kubernetes 容器组所在的网段,该网段安装完成后,由 kubernetes 创建,事先并不存在于您的物理网络中
export POD_SUBNET=10.100.0.1/16
echo "127.0.0.1 ${APISERVER_NAME}" >> /etc/hosts
#!/bin/bash
# 只在 master 节点执行
# 脚本出错时终止执行
set -e
if [ ${#POD_SUBNET} -eq 0 ] || [ ${#APISERVER_NAME} -eq 0 ]; then
echo -e "\033[31;1m请确保您已经设置了环境变量 POD_SUBNET 和 APISERVER_NAME \033[0m"
echo 当前POD_SUBNET=$POD_SUBNET
echo 当前APISERVER_NAME=$APISERVER_NAME
exit 1
fi
# 查看完整配置选项 https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2
rm -f ./kubeadm-config.yaml
cat <<EOF > ./kubeadm-config.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.16.2
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
controlPlaneEndpoint: "${APISERVER_NAME}:16443"
networking:
serviceSubnet: "10.96.0.0/16"
podSubnet: "${POD_SUBNET}"
dnsDomain: "cluster.local"
EOF
# kubeadm init
# 根据您服务器网速的情况,您需要等候 3 - 10 分钟
kubeadm init --config=kubeadm-config.yaml --upload-certs
# 配置 kubectl
rm -rf /root/.kube/
mkdir /root/.kube/
cp -i /etc/kubernetes/admin.conf /root/.kube/config
# 安装 calico 网络插件
# 参考文档 https://docs.projectcalico.org/v3.9/getting-started/kubernetes/
rm -f calico-3.9.2.yaml
wget https://kuboard.cn/install-script/calico/calico-3.9.2.yaml
sed -i "s#192\.168\.0\.0/16#${POD_SUBNET}#" calico-3.9.2.yaml
kubectl apply -f calico-3.9.2.yaml
执行结果
执行结果中:
- 第15、16、17行,用于初始化第二、三个 master 节点
- 第25、26行,用于初始化 worker 节点
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of the control-plane node running the following command on each as root:
kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde \
--control-plane --certificate-key a549d21b53274b479e89b45d0a1d93799d70b385430290fbfccea9376b5f59ee
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde
检查 master 初始化结果
# 只在第一个 master 节点执行
# 执行如下命令,等待 3-10 分钟,直到所有的容器组处于 Running 状态
watch kubectl get pod -n kube-system -o wide
# 查看 master 节点初始化结果
[root@k8s-master01 k8s]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 7m4s v1.16.2
注意:请等到所有容器组(大约9个)全部处于 Running 状态,才进行下一步
初始化第二、三个master节点
获得 master 节点的 join 命令
可以和第一个Master节点一起初始化第二、三个Master节点,也可以从单Master节点调整过来,只需要
- 增加Master的 LoadBalancer
- 将所有节点的 /etc/hosts 文件中 apiserver.demo 解析为 LoadBalancer 的地址
- 添加第二、三个Master节点
- 初始化 master 节点的 token 有效时间为 2 小时
方式一:和第一个Master节点一起初始化(两小时内)
初始化第一个 master 节点时的输出内容中,第15、16、17行就是用来初始化第二、三个 master 节点的命令,如下所示:此时请不要执行该命令
kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde \
--control-plane --certificate-key a549d21b53274b479e89b45d0a1d93799d70b385430290fbfccea9376b5f59ee
初始化第二、三个 master 节点
在 k8s-master02 和 k8s-master03 机器上执行
# 只在第二、三个 master 节点 k8s-master02 和 k8s-master03 执行
# 替换 192.168.1.10 为 ApiServer LoadBalancer 的 IP 地址
[root@k8s-master02 ~]# export APISERVER_IP=192.168.1.10
# 替换 apiserver.demo 为 前面已经使用的 dnsName
[root@k8s-master02 ~]# export APISERVER_NAME=apiserver.demo
[root@k8s-master02 ~]# echo "${APISERVER_IP} ${APISERVER_NAME}" >> /etc/hosts
# 使用前面步骤中获得的第二、三个 master 节点的 join 命令
[root@k8s-master02 ~]# kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde \
--control-plane --certificate-key a549d21b53274b479e89b45d0a1d93799d70b385430290fbfccea9376b5f59ee
常见问题
如果一直停留在 pre-flight 状态,请在第二、三个节点上执行命令检查:
[root@k8s-master02 ~]# curl -ik https://apiserver.demo:16443/version
输出结果应该如下所示
HTTP/1.1 200 OK
Cache-Control: no-cache, private
Content-Type: application/json
Date: Wed, 30 Oct 2019 08:13:39 GMT
Content-Length: 263
{
"major": "1",
"minor": "16",
"gitVersion": "v1.16.2",
"gitCommit": "2bd9643cee5b3b3a5ecbd3af49d09018f0773c77",
"gitTreeState": "clean",
"buildDate": "2019-09-18T14:27:17Z",
"goVersion": "go1.12.9",
"compiler": "gc",
"platform": "linux/amd64"
}
否则,请您检查一下您的 Loadbalancer 是否设置正确
检查 master 初始化结果
# 只在第一个 master 节点 k8s-master01 执行
# 查看 master 节点初始化结果
[root@k8s-master01 k8s]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 12m v1.16.2
k8s-master02 Ready master 7m27s v1.16.2
k8s-master03 Ready master 2m14s v1.16.2
[root@k8s-master01 k8s]#
方式二:第一个Master节点初始化2个小时后再初始化
获得 certificate key
在 k8s-master01 上执行
# 只在 第一个 master 节点 k8s-master01 上执行
[root@k8s-master01 ~]# kubeadm init phase upload-certs --upload-certs
输出结果如下:
[root@k8s-master01 ~]# kubeadm init phase upload-certs --upload-certs
W0902 09:05:28.355623 1046 version.go:98] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://dl.k8s.io/release/stable-1.txt: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
W0902 09:05:28.355718 1046 version.go:99] falling back to the local client version: v1.16.2
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
70eb87e62f052d2d5de759969d5b42f372d0ad798f98df38f7fe73efdf63a13c
获得 join 命令
在 k8s-master01 上执行
# 只在 第一个 master 节点 k8s-master01 上执行
[root@k8s-master01 ~]#kubeadm token create --print-join-command
输出结果如下:
[root@k8s-master01 ~]# kubeadm token create --print-join-command
kubeadm join apiserver.demo:6443 --token bl80xo.hfewon9l5jlpmjft --discovery-token-ca-cert-hash sha256:b4d2bed371fe4603b83e7504051dcfcdebcbdcacd8be27884223c4ccc13059a4
则,第二、三个 master 节点的 join 命令如下:
- 命令行中,蓝色部分来自于前面获得的 join 命令,红色部分来自于前面获得的 certificate key
kubeadm join apiserver.demo:6443 --token ejwx62.vqwog6il5p83uk7y
–discovery-token-ca-cert-hash sha256:6f7a8e40a810323672de5eee6f4d19aa2dbdb38411845a1bf5dd63485c43d303
–control-plane --certificate-key 70eb87e62f052d2d5de759969d5b42f372d0ad798f98df38f7fe73efdf63a13c
初始化第二、三个 master 节点
在 k8s-master02 和k8s-master03 机器上执行
# 只在第二、三个 master 节点 k8s-master02 和 k8s-master03 执行
# 替换 192.168.1.10 为 ApiServer LoadBalancer 的 IP 地址
[root@k8s-master02 ~]# export APISERVER_IP=192.168.1.10
# 替换 apiserver.demo 为 前面已经使用的 dnsName
[root@k8s-master02 ~]# export APISERVER_NAME=apiserver.demo
[root@k8s-master02 ~]# echo "${APISERVER_IP} ${APISERVER_NAME}" >> /etc/hosts
# 使用前面步骤中获得的第二、三个 master 节点的 join 命令
[root@k8s-master02 ~]# kubeadm join apiserver.demo:16443 --token ejwx62.vqwog6il5p83uk7y \
--discovery-token-ca-cert-hash sha256:6f7a8e40a810323672de5eee6f4d19aa2dbdb38411845a1bf5dd63485c43d303 \
--control-plane --certificate-key 70eb87e62f052d2d5de759969d5b42f372d0ad798f98df38f7fe73efdf63a13c
常见问题
如果一直停留在 pre-flight 状态,请在第二、三个节点上执行命令检查:
[root@k8s-master02 ~]# curl -ik https://apiserver.demo:16443/version
输出结果应该如下所示
HTTP/1.1 200 OK
Cache-Control: no-cache, private
Content-Type: application/json
Date: Wed, 30 Oct 2019 08:13:39 GMT
Content-Length: 263
{
"major": "1",
"minor": "16",
"gitVersion": "v1.16.2",
"gitCommit": "2bd9643cee5b3b3a5ecbd3af49d09018f0773c77",
"gitTreeState": "clean",
"buildDate": "2019-09-18T14:27:17Z",
"goVersion": "go1.12.9",
"compiler": "gc",
"platform": "linux/amd64"
}
否则,请您检查一下您的 Loadbalancer 是否设置正确
检查 master 初始化结果
# 只在第一个 master 节点 k8s-master01 执行
# 查看 master 节点初始化结果
[root@k8s-master01 ~]# kubectl get nodes
初始化 worker节点
方式一:和第一个Master节点一起初始化(k8s-mstaer01初始化两个小时内)
初始化第一个 master 节点时的输出内容中,第25、26行就是用来初始化 worker 节点的命令,如下所示:此时请不要执行该命令
kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde
有效时间
该 token 的有效时间为 2 个小时,2小时内,您可以使用此 token 初始化任意数量的 worker 节点。
初始化worker
针对所有的 worker 节点执行
# 只在 worker 节点执行(k8s-node01、k8s-node02)
# 替换 192.168.1.10 为 ApiServer LoadBalancer 的 IP 地址
export MASTER_IP=192.168.1.10
# 替换 apiserver.demo 为初始化 master 节点时所使用的 APISERVER_NAME
export APISERVER_NAME=apiserver.demo
echo "${MASTER_IP} ${APISERVER_NAME}" >> /etc/hosts
# 替换为前面 kubeadm token create --print-join-command 的输出结果
kubeadm join apiserver.demo:16443 --token 4ix1k1.l8wg8pq9cnrm9fkd \
--discovery-token-ca-cert-hash sha256:cd2d7833513e58dc2eae952e674b2903d4f884d86fd47b00784d56aeeed2dcde
方式一:和第一个Master节点一起初始化(k8s-mstaer01初始化两个小时内)
重新获取token
在第一个 master 节点 k8s-master 节点执行
# 只在第一个 master 节点 k8s-master01 上执行
[root@k8s-master01 ~]# kubeadm token create --print-join-command
可获取kubeadm join 命令及参数,如下所示
kubeadm join apiserver.demo:6443 --token mpfjma.4vjjg8flqihor4vt --discovery-token-ca-cert-hash sha256:6f7a8e40a810323672de5eee6f4d19aa2dbdb38411845a1bf5dd63485c43d303
有效时间
该 token 的有效时间为 2 个小时,2小时内,您可以使用此 token 初始化任意数量的 worker 节点。
初始化worker
针对所有的 worker 节点执行
# 只在 worker 节点执行
# 替换 192.168.1.10 为 ApiServer LoadBalancer 的 IP 地址
[root@k8s-node01 ~]# export MASTER_IP=192.168.1.10
# 替换 apiserver.demo 为初始化 master 节点时所使用的 APISERVER_NAME
[root@k8s-node01 ~]# export APISERVER_NAME=apiserver.demo
[root@k8s-node01 ~]# echo "${MASTER_IP} ${APISERVER_NAME}" >> /etc/hosts
# 替换为前面 kubeadm token create --print-join-command 的输出结果
[root@k8s-node01 ~]# kubeadm join apiserver.demo:16443 --token mpfjma.4vjjg8flqihor4vt --discovery-token-ca-cert-hash sha256:6f7a8e40a810323672de5eee6f4d19aa2dbdb38411845a1bf5dd63485c43d303
检查 worker 初始化结果
在第一个master节点 k8s-master01 上执行
# 只在第一个 master 节点 k8s-master01 上执行
[root@k8s-master01 k8s]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master01 Ready master 47m v1.16.2
k8s-master02 Ready master 42m v1.16.2
k8s-master03 Ready master 37m v1.16.2
k8s-node01 Ready <none> 3m29s v1.16.2
[root@k8s-master01 k8s]#
移除 worker 节点
WARNING 正常情况下,您无需移除 worker 节点
在准备移除的 worker 节点上执行
[root@k8s-node01 ~]# kubeadm reset
在第一个 master 节点k8s-master01 上执行
[root@k8s-master01 ~]# kubectl delete node k8s-nodex
- 将 k8s-nodex 替换为要移除的 worker 节点的名字
- worker 节点的名字可以通过在第一个 master 节点 k8s-master01 上执行 kubectl get nodes 命令获得
安装 Ingress Controller
kubernetes支持多种Ingress Controllers (traefic / Kong / Istio / Nginx 等),本文推荐使用 https://github.com/nginxinc/kubernetes-ingress
# 如果打算用于生产环境,请参考 https://github.com/nginxinc/kubernetes-ingress/blob/v1.5.5/docs/installation.md 并根据您自己的情况做进一步定制
#也可以直接下载https://kuboard.cn/install-script/v1.16.2/nginx-ingress.yaml
apiVersion: v1
kind: Namespace
metadata:
name: nginx-ingress
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress
namespace: nginx-ingress
---
apiVersion: v1
kind: Secret
metadata:
name: default-server-secret
namespace: nginx-ingress
type: Opaque
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN2akNDQWFZQ0NRREFPRjl0THNhWFhEQU5CZ2txaGtpRzl3MEJBUXNGQURBaE1SOHdIUVlEVlFRRERCWk8KUjBsT1dFbHVaM0psYzNORGIyNTBjbTlzYkdWeU1CNFhEVEU0TURreE1qRTRNRE16TlZvWERUSXpNRGt4TVRFNApNRE16TlZvd0lURWZNQjBHQTFVRUF3d1dUa2RKVGxoSmJtZHlaWE56UTI5dWRISnZiR3hsY2pDQ0FTSXdEUVlKCktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQUwvN2hIUEtFWGRMdjNyaUM3QlBrMTNpWkt5eTlyQ08KR2xZUXYyK2EzUDF0azIrS3YwVGF5aGRCbDRrcnNUcTZzZm8vWUk1Y2Vhbkw4WGM3U1pyQkVRYm9EN2REbWs1Qgo4eDZLS2xHWU5IWlg0Rm5UZ0VPaStlM2ptTFFxRlBSY1kzVnNPazFFeUZBL0JnWlJVbkNHZUtGeERSN0tQdGhyCmtqSXVuektURXUyaDU4Tlp0S21ScUJHdDEwcTNRYzhZT3ExM2FnbmovUWRjc0ZYYTJnMjB1K1lYZDdoZ3krZksKWk4vVUkxQUQ0YzZyM1lma1ZWUmVHd1lxQVp1WXN2V0RKbW1GNWRwdEMzN011cDBPRUxVTExSakZJOTZXNXIwSAo1TmdPc25NWFJNV1hYVlpiNWRxT3R0SmRtS3FhZ25TZ1JQQVpQN2MwQjFQU2FqYzZjNGZRVXpNQ0F3RUFBVEFOCkJna3Foa2lHOXcwQkFRc0ZBQU9DQVFFQWpLb2tRdGRPcEsrTzhibWVPc3lySmdJSXJycVFVY2ZOUitjb0hZVUoKdGhrYnhITFMzR3VBTWI5dm15VExPY2xxeC9aYzJPblEwMEJCLzlTb0swcitFZ1U2UlVrRWtWcitTTFA3NTdUWgozZWI4dmdPdEduMS9ienM3bzNBaS9kclkrcUI5Q2k1S3lPc3FHTG1US2xFaUtOYkcyR1ZyTWxjS0ZYQU80YTY3Cklnc1hzYktNbTQwV1U3cG9mcGltU1ZmaXFSdkV5YmN3N0NYODF6cFErUyt1eHRYK2VBZ3V0NHh3VlI5d2IyVXYKelhuZk9HbWhWNThDd1dIQnNKa0kxNXhaa2VUWXdSN0diaEFMSkZUUkk3dkhvQXprTWIzbjAxQjQyWjNrN3RXNQpJUDFmTlpIOFUvOWxiUHNoT21FRFZkdjF5ZytVRVJxbStGSis2R0oxeFJGcGZnPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdi91RWM4b1JkMHUvZXVJTHNFK1RYZUprckxMMnNJNGFWaEMvYjVyYy9XMlRiNHEvClJOcktGMEdYaVN1eE9ycXgrajlnamx4NXFjdnhkenRKbXNFUkJ1Z1B0ME9hVGtIekhvb3FVWmcwZGxmZ1dkT0EKUTZMNTdlT1l0Q29VOUZ4amRXdzZUVVRJVUQ4R0JsRlNjSVo0b1hFTkhzbysyR3VTTWk2Zk1wTVM3YUhudzFtMApxWkdvRWEzWFNyZEJ6eGc2clhkcUNlUDlCMXl3VmRyYURiUzc1aGQzdUdETDU4cGszOVFqVUFQaHpxdmRoK1JWClZGNGJCaW9CbTVpeTlZTW1hWVhsMm0wTGZzeTZuUTRRdFFzdEdNVWozcGJtdlFmazJBNnljeGRFeFpkZFZsdmwKMm82MjBsMllxcHFDZEtCRThCay90elFIVTlKcU56cHpoOUJUTXdJREFRQUJBb0lCQVFDZklHbXowOHhRVmorNwpLZnZJUXQwQ0YzR2MxNld6eDhVNml4MHg4Mm15d1kxUUNlL3BzWE9LZlRxT1h1SENyUlp5TnUvZ2IvUUQ4bUFOCmxOMjRZTWl0TWRJODg5TEZoTkp3QU5OODJDeTczckM5bzVvUDlkazAvYzRIbjAzSkVYNzZ5QjgzQm9rR1FvYksKMjhMNk0rdHUzUmFqNjd6Vmc2d2szaEhrU0pXSzBwV1YrSjdrUkRWYmhDYUZhNk5nMUZNRWxhTlozVDhhUUtyQgpDUDNDeEFTdjYxWTk5TEI4KzNXWVFIK3NYaTVGM01pYVNBZ1BkQUk3WEh1dXFET1lvMU5PL0JoSGt1aVg2QnRtCnorNTZud2pZMy8yUytSRmNBc3JMTnIwMDJZZi9oY0IraVlDNzVWYmcydVd6WTY3TWdOTGQ5VW9RU3BDRkYrVm4KM0cyUnhybnhBb0dCQU40U3M0ZVlPU2huMVpQQjdhTUZsY0k2RHR2S2ErTGZTTXFyY2pOZjJlSEpZNnhubmxKdgpGenpGL2RiVWVTbWxSekR0WkdlcXZXaHFISy9iTjIyeWJhOU1WMDlRQ0JFTk5jNmtWajJTVHpUWkJVbEx4QzYrCk93Z0wyZHhKendWelU0VC84ajdHalRUN05BZVpFS2FvRHFyRG5BYWkyaW5oZU1JVWZHRXFGKzJyQW9HQkFOMVAKK0tZL0lsS3RWRzRKSklQNzBjUis3RmpyeXJpY05iWCtQVzUvOXFHaWxnY2grZ3l4b25BWlBpd2NpeDN3QVpGdwpaZC96ZFB2aTBkWEppc1BSZjRMazg5b2pCUmpiRmRmc2l5UmJYbyt3TFU4NUhRU2NGMnN5aUFPaTVBRHdVU0FkCm45YWFweUNweEFkREtERHdObit3ZFhtaTZ0OHRpSFRkK3RoVDhkaVpBb0dCQUt6Wis1bG9OOTBtYlF4VVh5YUwKMjFSUm9tMGJjcndsTmVCaWNFSmlzaEhYa2xpSVVxZ3hSZklNM2hhUVRUcklKZENFaHFsV01aV0xPb2I2NTNyZgo3aFlMSXM1ZUtka3o0aFRVdnpldm9TMHVXcm9CV2xOVHlGanIrSWhKZnZUc0hpOGdsU3FkbXgySkJhZUFVWUNXCndNdlQ4NmNLclNyNkQrZG8wS05FZzFsL0FvR0FlMkFVdHVFbFNqLzBmRzgrV3hHc1RFV1JqclRNUzRSUjhRWXQKeXdjdFA4aDZxTGxKUTRCWGxQU05rMXZLTmtOUkxIb2pZT2pCQTViYjhibXNVU1BlV09NNENoaFJ4QnlHbmR2eAphYkJDRkFwY0IvbEg4d1R0alVZYlN5T294ZGt5OEp0ek90ajJhS0FiZHd6NlArWDZDODhjZmxYVFo5MWpYL3RMCjF3TmRKS2tDZ1lCbyt0UzB5TzJ2SWFmK2UwSkN5TGhzVDQ5cTN3Zis2QWVqWGx2WDJ1VnRYejN5QTZnbXo5aCsKcDNlK2JMRUxwb3B0WFhNdUFRR0xhUkcrYlNNcjR5dERYbE5ZSndUeThXczNKY3dlSTdqZVp2b0ZpbmNvVlVIMwphdmxoTUVCRGYxSjltSDB5cDBwWUNaS2ROdHNvZEZtQktzVEtQMjJhTmtsVVhCS3gyZzR6cFE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
---
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-config
namespace: nginx-ingress
data:
server-names-hash-bucket-size: "1024"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: nginx-ingress
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- list
- watch
- get
- apiGroups:
- "extensions"
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- k8s.nginx.org
resources:
- virtualservers
- virtualserverroutes
verbs:
- list
- watch
- get
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: nginx-ingress
subjects:
- kind: ServiceAccount
name: nginx-ingress
namespace: nginx-ingress
roleRef:
kind: ClusterRole
name: nginx-ingress
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: nginx-ingress
namespace: nginx-ingress
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9113"
spec:
selector:
matchLabels:
app: nginx-ingress
template:
metadata:
labels:
app: nginx-ingress
spec:
serviceAccountName: nginx-ingress
containers:
- image: nginx/nginx-ingress:1.5.5
name: nginx-ingress
ports:
- name: http
containerPort: 80
hostPort: 80
- name: https
containerPort: 443
hostPort: 443
- name: prometheus
containerPort: 9113
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
args:
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
#- -v=3 # Enables extensive logging. Useful for troubleshooting.
#- -report-ingress-status
#- -external-service=nginx-ingress
#- -enable-leader-election
- -enable-prometheus-metrics
#- -enable-custom-resources
在 master 节点上执行
# 只在第一个 master 节点 k8s-master01上执行
[root@k8s-master01 ~]# kubectl apply -f nginx-ingress.yaml
WARNING如果您打算将 Kubernetes 用于生产环境,请参考此文档 Installing Ingress Controller,完善 Ingress 的配置
在 IaaS 层完成如下配置(公网Load Balancer)
创建负载均衡 Load Balancer:
- 监听器 1:80 / TCP, SOURCE_ADDRESS 会话保持
- 服务器资源池 1: demo-worker-x-x 的所有节点的 80端口
- 监听器 2:443 / TCP, SOURCE_ADDRESS 会话保持
- 服务器资源池 2: demo-worker-x-x 的所有节点的443端口
假设刚创建的负载均衡 Load Balancer 的 IP 地址为: 192.168.1.10
配置域名解析
将域名 *.demo.yourdomain.com 解析到地址负载均衡服务器 的 IP 地址192.168.1.10
验证配置
在浏览器访问 a.demo.yourdomain.com,将得到 404 NotFound 错误页面
Metrics-Server部署
kubernetes中系统资源采集使用的是Metrics-server,可以通过metrics采集节点和Pod的内存、磁盘、CPU和网络的使用率等。
获取metrics-server.yaml
#获取地址https://addons.kuboard.cn/metrics-server/0.3.6/metrics-server.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:aggregated-metrics-reader
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metrics-server:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: metrics-server-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:metrics-server
rules:
- apiGroups:
- ""
resources:
- pods
- nodes
- nodes/stats
- namespaces
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:metrics-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:metrics-server
subjects:
- kind: ServiceAccount
name: metrics-server
namespace: kube-system
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
name: v1beta1.metrics.k8s.io
spec:
service:
name: metrics-server
namespace: kube-system
group: metrics.k8s.io
version: v1beta1
insecureSkipTLSVerify: true
groupPriorityMinimum: 100
versionPriority: 100
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: metrics-server
namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: metrics-server
namespace: kube-system
labels:
k8s-app: metrics-server
spec:
selector:
matchLabels:
k8s-app: metrics-server
template:
metadata:
name: metrics-server
labels:
k8s-app: metrics-server
spec:
serviceAccountName: metrics-server
volumes:
# mount in tmp so we can safely use from-scratch images and/or read-only containers
- name: tmp-dir
emptyDir: {}
hostNetwork: true
containers:
- name: metrics-server
image: registry.cn-hangzhou.aliyuncs.com/google_containers/metrics-server-amd64:v0.3.6
# command:
# - /metrics-server
# - --kubelet-insecure-tls
# - --kubelet-preferred-address-types=InternalIP
args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-insecure-tls=true
- --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,externalDNS
ports:
- name: main-port
containerPort: 4443
protocol: TCP
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
imagePullPolicy: Always
volumeMounts:
- name: tmp-dir
mountPath: /tmp
nodeSelector:
beta.kubernetes.io/os: linux
---
apiVersion: v1
kind: Service
metadata:
name: metrics-server
namespace: kube-system
labels:
kubernetes.io/name: "Metrics-server"
kubernetes.io/cluster-service: "true"
spec:
selector:
k8s-app: metrics-server
ports:
- port: 443
protocol: TCP
targetPort: main-port
部署metrics-server
[root@k8s-master01 k8s]# kubectl apply -f metrics-server.yaml
查看结果
[root@k8s-master01 k8s]# kubectl get pods -n kube-system
kuboard部署
①获取kuboard.yaml文件
#下载地址https://kuboard.cn/install-script/kuboard.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kuboard
namespace: kube-system
annotations:
k8s.kuboard.cn/displayName: kuboard
k8s.kuboard.cn/ingress: "true"
k8s.kuboard.cn/service: NodePort
k8s.kuboard.cn/workload: kuboard
labels:
k8s.kuboard.cn/layer: monitor
k8s.kuboard.cn/name: kuboard
spec:
replicas: 1
selector:
matchLabels:
k8s.kuboard.cn/layer: monitor
k8s.kuboard.cn/name: kuboard
template:
metadata:
labels:
k8s.kuboard.cn/layer: monitor
k8s.kuboard.cn/name: kuboard
spec:
containers:
- name: kuboard
image: eipwork/kuboard:latest
imagePullPolicy: Always
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
apiVersion: v1
kind: Service
metadata:
name: kuboard
namespace: kube-system
spec:
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
nodePort: 32567
selector:
k8s.kuboard.cn/layer: monitor
k8s.kuboard.cn/name: kuboard
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kuboard-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kuboard-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kuboard-user
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kuboard-viewer
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kuboard-viewer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: view
subjects:
- kind: ServiceAccount
name: kuboard-viewer
namespace: kube-system
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kuboard
namespace: kube-system
annotations:
k8s.kuboard.cn/displayName: kuboard
k8s.kuboard.cn/workload: kuboard
nginx.org/websocket-services: "kuboard"
nginx.com/sticky-cookie-services: "serviceName=kuboard srv_id expires=1h path=/"
spec:
rules:
- host: kuboard.yourdomain.com
http:
paths:
- path: /
backend:
serviceName: kuboard
servicePort: http
②部署kuboard
[root@k8s-master01 ~]# kubectl apply -f kuboard.yaml
查看 Kuboard 运行状态:
[root@k8s-master01 ~]# kubectl get pods -l k8s.kuboard.cn/name=kuboard -n kube-system
NAME READY STATUS RESTARTS AGE
kuboard-5ffbc8466d-pqr7g 1/1 Running 0 2m49s
[root@k8s-master01 ~]#
③获取token
管理员用户
拥有的权限:
- 此Token拥有 ClusterAdmin 的权限,可以执行所有操作
执行命令查看token值
[root@k8s-master01 k8s]# echo $(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep kuboard-user | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d)
eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9kTk1ybDlfRUZPRHcyMUg1QWxEY2dTUlQwQlRGUDdIVVZDUFVNeWIweWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJvYXJkLXVzZXItdG9rZW4tcnhmZzgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia3Vib2FyZC11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiNjdhMjUwYmYtMDkzNC00YjBmLThlYjQtOWZmYzA2YWViODkxIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmt1Ym9hcmQtdXNlciJ9.UvcRk7BqiCvgqxFB3iAftkKbd514EGehh9KOhlSYi1o-OIUglgvYSShK3NqsWXVF48bReTv0FtvUYGujewovhsY2rpIAnfGHbO2MQOhJCaKHox3FKj0a7tVwbmmjGQrCOVxuGdybmPjMiX9AZPUO2dTH1uA4wiWRAYISgloEv4pDeOP6_C3C3OCAto6Owq3xPCcKBqelrAMi4f8023mMrMT-HAmJE5outnHysPX37xq1MXA8iZmoxakBoL77FOMz7Q92EofoqOV76CR53sT1PaQj2miChih3bgjA8veZff0lkLPrLXj16ddUaW-esYb3IsjZ_iQEwRqzyWJSb7RsVQ
[root@k8s-master01 k8s]#
只读用户
拥有的权限:
- view 可查看名称空间的内容
- system:node 可查看节点信息
- system:persistent-volume-provisioner 可查看存储类和存储卷声明的信息
适用场景
只读用户不能对集群的配置执行修改操作,非常适用于将开发环境中的 Kuboard 只读权限分发给开发者,以便开发者可以便捷地诊断问题
执行命令:
执行如下命令可以获得 只读用户 的 Token,取输出信息中 token 字段
[root@k8s-master01 k8s]# echo $(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep kuboard-viewer | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d)
eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9kTk1ybDlfRUZPRHcyMUg1QWxEY2dTUlQwQlRGUDdIVVZDUFVNeWIweWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJvYXJkLXZpZXdlci10b2tlbi05eHhtciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJvYXJkLXZpZXdlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjFjMzU2ZDE1LTU5MjgtNDJlMC04ZGVjLWJkNmNhNTllMDU3MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJvYXJkLXZpZXdlciJ9.AExLhMFCGOXecS4XQVENBedWVUf0TdA2qAat9qagvj9NEbuvPnsHIG6sahsNiSFPCVzLDdUCFWrwCw-iYGOkUglUgSDEMTrMtOBhq8U4aW3EuAQvY4aYNTV5h2F5Cq77JDwd0PMFVp_P0dOHFqwu05g59yCNrSf-RuqlmCYh81h-nVEEWPa96n_j59ResZgJsdl6dQEp2_n8pLVDphBA3F5LR7WhzIcwAlemSRBA2N60qPUv0KTsx_p_Y3dvgjpTFsS9RCLEAsdgugFHOaUMuSD9Ug2XpVraftE7TjaDFeCSoBIEjEhOGhpZi54HDcGMKtuO24rpOJm_lrEdA_fGtw
[root@k8s-master01 k8s]#
④访问kuboard
Kuboard Service 使用了 NodePort 的方式暴露服务, Kuboard.yaml 文件中NodePort 为 32567;您可以按如下方式访问 Kuboard。
http://任意一个Worker节点的IP地址:32567/
输入前一步骤中获得的 token,可进入 Kuboard 集群概览页
注意:
- 如果您使用的是阿里云、腾讯云等,请在其安全组设置里开放 worker 节点 32567 端口的入站访问,
- 您也可以修改 Kuboard.yaml 文件,使用自己定义的 NodePort 端口号
⑤直接访问集群概览页
如需要无登录访问集群概览页面,可使用如下格式的 url 进入:
http://任意一个Worker节点的IP地址:32567/dashboard?k8sToken=yourtoken
其他界面
其他任意 Kuboard 界面同理,只需要增加 k8sToken 作为查询参数,即可跳过输入 Token 的步骤
⑥直接访问终端界面
如果想要无登录直接访问容器组的控制台,可使用如下格式的 url 进入:
http://任意一个Worker节点的IP地址:32567/console/yournamespace/yourpod?containerName=yourcontainer&shell=bash&k8sToken=yourtoken
其中,shell 参数可选取值有:
bash
,使用 /bin/bash 作为 shell
I6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJvYXJkLXZpZXdlciJ9.AExLhMFCGOXecS4XQVENBedWVUf0TdA2qAat9qagvj9NEbuvPnsHIG6sahsNiSFPCVzLDdUCFWrwCw-iYGOkUglUgSDEMTrMtOBhq8U4aW3EuAQvY4aYNTV5h2F5Cq77JDwd0PMFVp_P0dOHFqwu05g59yCNrSf-RuqlmCYh81h-nVEEWPa96n_j59ResZgJsdl6dQEp2_n8pLVDphBA3F5LR7WhzIcwAlemSRBA2N60qPUv0KTsx_p_Y3dvgjpTFsS9RCLEAsdgugFHOaUMuSD9Ug2XpVraftE7TjaDFeCSoBIEjEhOGhpZi54HDcGMKtuO24rpOJm_lrEdA_fGtw
[root@k8s-master01 k8s]#
##### ④访问kuboard
Kuboard Service 使用了 NodePort 的方式暴露服务, Kuboard.yaml 文件中NodePort 为 32567;您可以按如下方式访问 Kuboard。
http://任意一个Worker节点的IP地址:32567/
输入前一步骤中获得的 token,可进入 **Kuboard 集群概览页**
<font color=red>注意:</font>
- 如果您使用的是阿里云、腾讯云等,请在其安全组设置里开放 worker 节点 32567 端口的入站访问,
- 您也可以修改 Kuboard.yaml 文件,使用自己定义的 NodePort 端口号
##### ⑤直接访问集群概览页
如需要无登录访问集群概览页面,可使用如下格式的 url 进入:
```text
http://任意一个Worker节点的IP地址:32567/dashboard?k8sToken=yourtoken
其他界面
其他任意 Kuboard 界面同理,只需要增加 k8sToken 作为查询参数,即可跳过输入 Token 的步骤
⑥直接访问终端界面
如果想要无登录直接访问容器组的控制台,可使用如下格式的 url 进入:
http://任意一个Worker节点的IP地址:32567/console/yournamespace/yourpod?containerName=yourcontainer&shell=bash&k8sToken=yourtoken
其中,shell 参数可选取值有:
bash
,使用 /bin/bash 作为 shellsh
, 使用 /bin/sh 作为 shell
如果对您有帮助请点赞,谢谢!
更多推荐
所有评论(0)