Setting up Kubernetes on CentOS 7
Installing Kubernetes (k8s) v1.16.0 on CentOS 7 in a mainland-China network environment
This demo installs on CentOS 7.
Overview
System environment
| OS | Kernel | Docker | IP | Hostname | Resources |
|---|---|---|---|---|---|
| CentOS 7.3.1611 | 3.10.0-514.26.2.el7.x86_64 | 19.03.12 | 192.168.133.120 | k8s-centos7-master | 2 CPUs, 2 GB |
| CentOS 7.3.1611 | 3.10.0-514.26.2.el7.x86_64 | 19.03.12 | 192.168.133.121 | k8s-centos7-node1 | 2 CPUs, 2 GB |

Make sure each machine has at least 2 CPUs and 2 GB of RAM.
Preparation
1. Stop the firewall
```bash
systemctl stop firewalld
systemctl disable firewalld
```
2. Disable SELinux
```bash
# disable temporarily (until the next boot)
setenforce 0
# disable permanently: edit /etc/selinux/config (or /etc/sysconfig/selinux) and set
vim /etc/selinux/config
SELINUX=disabled
```
3. Create the k8s.conf sysctl file
```bash
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
```
4. Turn off swap
```bash
# temporarily (until the next boot)
swapoff -a
```
5. Install Docker
Not covered here; see:
https://www.cnblogs.com/xiao987334176/p/11771657.html
6. Set the hostname
```bash
hostnamectl set-hostname k8s-master
```
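The six preparation steps above, gathered into a preflight script so a node can be verified before `kubeadm init` or `kubeadm join` is run. This is an added example, not code from the original post: each check takes its input as arguments so it can be exercised on constructed values, `run_live_checks` reads the real host, and the function names and the `--live` switch are my own. The thresholds are the ones the steps set up (2 CPUs, swap off, both bridge-nf-call sysctls at 1, SELinux not enforcing); for memory it uses 1700 MiB, kubeadm's own preflight minimum, rather than the post's round 2 GB, because a VM provisioned with "2G" reports slightly less than 2 GiB in /proc/meminfo.

```sh
#!/bin/sh
# Added example, not from the original post: a preflight check mirroring the
# preparation steps above. Each check takes its input as arguments so it can be
# exercised on constructed values; run_live_checks reads the real host.

# check_resources CPUS MEM_KB SWAP_KB -> 0 when CPUS >= 2, MEM_KB >= 1700 MiB
# (kubeadm's preflight minimum; the post asks for 2 GB) and swap is off
check_resources() {
  res_rc=0
  [ "$1" -ge 2 ] || { echo "FAIL: need at least 2 CPUs, have $1"; res_rc=1; }
  [ "$2" -ge 1740800 ] || { echo "FAIL: need at least 1700 MiB of RAM, have $2 kB"; res_rc=1; }
  [ "$3" -eq 0 ] || { echo "FAIL: swap is still enabled ($3 kB); run swapoff -a and remove it from /etc/fstab"; res_rc=1; }
  return $res_rc
}

# check_sysctl_text TEXT -> 0 when TEXT (the output of
# "sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables")
# shows both keys set to 1, as /etc/sysctl.d/k8s.conf requires
check_sysctl_text() {
  sys_rc=0
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    val=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == k { print $NF }')
    [ "$val" = "1" ] || { echo "FAIL: $key is '${val:-unset}', expected 1 (load br_netfilter, then sysctl --system)"; sys_rc=1; }
  done
  return $sys_rc
}

# check_selinux MODE -> 0 when MODE (the output of getenforce) is Permissive or Disabled
check_selinux() {
  case "$1" in
    Permissive|Disabled) return 0 ;;
    *) echo "FAIL: SELinux is '$1'; run setenforce 0 now and set SELINUX=disabled in /etc/selinux/config"; return 1 ;;
  esac
}

# run_live_checks -> runs all three checks against this host
run_live_checks() {
  overall=0
  mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
  swap_kb=$(awk '/^SwapTotal:/ { print $2 }' /proc/meminfo)
  check_resources "$(nproc)" "$mem_kb" "$swap_kb" || overall=1
  check_sysctl_text "$(sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables 2>/dev/null)" || overall=1
  check_selinux "$(getenforce 2>/dev/null || echo Disabled)" || overall=1
  [ "$overall" -eq 0 ] && echo "PASS: host meets the kubeadm prerequisites"
  return $overall
}

# usage: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```

Run it with `--live` on every node after the steps above; a non-zero exit means kubeadm's own preflight would fail or warn on the same point.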
Installation methods
- yum: the simplest; installs the default 1.5.2 version
- build from source: the hardest (expert level); needs a Go toolchain
- binary install: the most tedious
- kubeadm: the official installer (needs network access); kubelet runs as a binary, every other k8s component runs as a container
- minikube: single-node, only suitable for trying things out
Install kubeadm, kubelet and kubectl
Install kubeadm, kubelet and kubectl on every node.
Point yum at a domestic mirror:
```bash
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
```
The version installed is 1.16.0:
```bash
yum install -y kubectl-1.16.0-0 kubeadm-1.16.0-0 kubelet-1.16.0-0
```
Initialize k8s
The command below starts pulling the Docker images that k8s needs. Because sites outside China cannot be reached, it points at the domestic Aliyun image repository. The other very important detail is --apiserver-advertise-address: it must be an IP on which the master and the nodes can ping each other, so set it to your own machine's IP. While the command runs it appears to hang at `[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'`; that takes about two minutes, so be patient.
```bash
# pulls the 6 Docker images used by the control-plane node; list them afterwards with "docker images"
# expect to wait about two minutes at the line
#   [preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.16.0 --apiserver-advertise-address <machine-ip> --pod-network-cidr=10.244.0.0/16 --token-ttl 0
```
When the install finishes, k8s prompts you to run the following commands:
```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
A successful kubeadm run also prints the following command, which worker nodes use to join the cluster:
```bash
kubeadm join 192.168.133.120:6443 --token sgqu2a.9ge9zjfat41rtllf \
    --discovery-token-ca-cert-hash sha256:e2bd723807dcd8092c5fffc1e4e27b303fde044a01a0547a9dce8d8718f58b4d
```
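The join command above carries two values a worker must be given out of band: the bootstrap token, which authenticates the worker to the API server, and the `--discovery-token-ca-cert-hash` pin, which lets the worker verify it is talking to the right cluster CA. The helpers below are an added example, not code from the original post: they check a pasted join command for both values (and for the flag that would disable the pin), and `compute_ca_hash` shows how the pin is derived on the control plane from `/etc/kubernetes/pki/ca.crt`. The function names are my own; `SAMPLE_JOIN` is the join line printed above. Note also that the init command in this post passes `--token-ttl 0`, so that token never expires on its own.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a kubeadm join command
# and show how the CA pin it carries is computed. Function names are my own;
# SAMPLE_JOIN is the join line from the post.

SAMPLE_JOIN='kubeadm join 192.168.133.120:6443 --token sgqu2a.9ge9zjfat41rtllf --discovery-token-ca-cert-hash sha256:e2bd723807dcd8092c5fffc1e4e27b303fde044a01a0547a9dce8d8718f58b4d'

# join_token_ok TOKEN -> 0 when TOKEN has the bootstrap-token shape [a-z0-9]{6}.[a-z0-9]{16}
join_token_ok() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# ca_hash_ok HASH -> 0 when HASH is "sha256:" followed by 64 hex digits
ca_hash_ok() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# parse_join_cmd "kubeadm join ..." -> prints "ENDPOINT TOKEN HASH"; returns 1 when the
# token or the CA pin is missing or malformed, or when pin verification is switched off
parse_join_cmd() {
  set -- $1          # split the pasted command on whitespace
  endpoint=""; token=""; hash=""
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case "$arg" in
      join) endpoint=${1:-} ;;
      --token) token=${1:-} ;;
      --token=*) token=${arg#*=} ;;
      --discovery-token-ca-cert-hash) hash=${1:-} ;;
      --discovery-token-ca-cert-hash=*) hash=${arg#*=} ;;
      --discovery-token-unsafe-skip-ca-verification)
        echo "FAIL: join command skips CA pin verification; the worker would trust any API server at $endpoint" >&2
        return 1 ;;
    esac
  done
  join_token_ok "$token" || { echo "FAIL: bootstrap token missing or malformed" >&2; return 1; }
  ca_hash_ok "$hash"     || { echo "FAIL: CA pin missing or malformed" >&2; return 1; }
  printf '%s %s %s\n' "$endpoint" "$token" "$hash"
}

# compute_ca_hash CA_CERT -> prints the pin kubeadm expects for CA_CERT
# (SHA-256 over the DER-encoded SubjectPublicKeyInfo). Run it on the control
# plane against /etc/kubernetes/pki/ca.crt and compare with the join command.
compute_ca_hash() {
  printf 'sha256:%s\n' "$(openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 \
    | sed 's/^.* //')"
}

# The init command in this post used --token-ttl 0, so the token never expires.
# Once every worker has joined, revoke it on the control plane with:
#   kubeadm token list
#   kubeadm token delete sgqu2a.9ge9zjfat41rtllf

# usage: parse the post's join line and print its three parts
parse_join_cmd "$SAMPLE_JOIN"
```

A worker that is handed a join command without the hash, or with `--discovery-token-unsafe-skip-ca-verification`, will accept whatever API server answers at the endpoint; keeping the pin in the command is what makes the token-based join safe to use over an untrusted network.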
Install Calico
Calico provides secure network connectivity for containers and virtual-machine workloads.
Calico creates and manages a flat layer-3 network and assigns every workload a fully routable IP address. Workloads communicate without IP encapsulation or network address translation, which gives bare-metal performance, simpler troubleshooting and better interoperability. In environments that need an overlay network, Calico offers IP-in-IP tunnelling, or it can be combined with another overlay network such as flannel.
Calico also provides dynamic configuration of network security rules. With Calico's simple policy language you get fine-grained control over communication between containers, virtual-machine workloads and bare-metal hosts.
Fetch the manifest:
```bash
wget https://docs.projectcalico.org/v3.10/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml
```
Change the pod network from 192.168.0.0/16 to 10.244.0.0/16 (the value passed to --pod-network-cidr above):
```bash
sed -i 's/192.168.0.0/10.244.0.0/g' calico.yaml
```
Apply Calico:
```bash
kubectl apply -f calico.yaml
```
Wait a few minutes and make sure every pod is in the Running state:
```text
[root@localhost dashboard]# kubectl get pod --all-namespaces -o wide
NAMESPACE     NAME                                         READY   STATUS    RESTARTS   AGE   IP               NODE                 NOMINATED NODE   READINESS GATES
kube-system   calico-kube-controllers-7994b948dd-7dgd8     1/1     Running   0          18h   10.244.231.194   k8s-centos7-master   <none>           <none>
kube-system   calico-node-7zhz9                            1/1     Running   0          18h   10.0.2.15        k8s-centos7-node1    <none>           <none>
kube-system   calico-node-dv8vz                            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   coredns-58cc8c89f4-npwwb                     1/1     Running   0          18h   10.244.231.195   k8s-centos7-master   <none>           <none>
kube-system   coredns-58cc8c89f4-sdcfr                     1/1     Running   0          18h   10.244.231.193   k8s-centos7-master   <none>           <none>
kube-system   etcd-k8s-centos7-master                      1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-apiserver-k8s-centos7-master            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-controller-manager-k8s-centos7-master   1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-proxy-chsc7                             1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
kube-system   kube-proxy-kf6xb                             1/1     Running   0          18h   10.0.2.15        k8s-centos7-node1    <none>           <none>
kube-system   kube-scheduler-k8s-centos7-master            1/1     Running   0          18h   10.0.2.15        k8s-centos7-master   <none>           <none>
```
Result
```text
[root@localhost dashboard]# kubectl get nodes
NAME                 STATUS   ROLES    AGE   VERSION
k8s-centos7-master   Ready    master   18h   v1.16.0
k8s-centos7-node1    Ready    <none>   18h   v1.16.0
```
Install the dashboard (updated 2020-08-26)
My dashboard.yaml was taken from kubernetes/dashboard on GitHub.
dashboard.yaml:
```yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: v1
kind: Namespace
metadata:
  name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  # changed to NodePort so the dashboard can be reached from outside the cluster
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      # fixed node port 30001
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
type: Opaque
data:
  csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # check Docker Hub first for the current image tag
          image: kubernetesui/dashboard:v2.0.3
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
```
A few points to note:
- For the image line `image: kubernetesui/dashboard:v2.0.3`, look up the latest tag on Docker Hub first; otherwise docker may require an explicit version when it pulls.

Then, when we open http://<master-ip>:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ from a machine other than the master, the login page loads but logging in fails. The Dashboard only allows plain HTTP connections from localhost and 127.0.0.1; every other address must use HTTPS. So to reach the Dashboard from another machine, we have to pick a different access method.
In the end we chose the API Server access method.
Current k8s versions enable RBAC by default and give unauthenticated users a default identity, anonymous. The API Server authenticates clients with certificates, so we need to create one:
- First locate the configuration file used by the kubectl command, /etc/kubernetes/admin.conf by default; it was already copied to $HOME/.kube/config earlier.
- Then use its client-certificate-data and client-key-data to generate a p12 file with the following commands:
```bash
# extract the client certificate (client-certificate-data)
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
# extract the client key (client-key-data)
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
# bundle both into a PKCS#12 file (openssl prompts for an export password)
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
```
This produces a xxx.p12 file in the current directory; import it into Chrome.
To import it manually: open Menu - Settings - Advanced - Manage certificates.
On success Chrome reports "Import succeeded"; then restart Chrome.
Open https://<machine-ip>:30001/
Normally a certificate prompt appears; click OK.
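The certificate and key pulled out of the kubeconfig above are the cluster-admin client credential, so the files deserve the same care as the kubeconfig itself. The script below is an added example, not code from the original post: it performs the same extraction as the grep/awk/base64 commands, but creates the files owner-only, removes any previous copy instead of appending to it, and refuses to continue if a decoded field is not PEM (which happens when the wrong user entry or field name was picked). The function names and the placeholder kubeconfig it constructs are my own; the PEM bodies in it are dummy text, not real key material.

```sh
#!/bin/sh
# Added example, not from the original post: extract the client certificate and
# key from a kubeconfig with owner-only permissions and a PEM sanity check.
# Function names and the constructed sample kubeconfig are my own.

# kubeconfig_field FILE KEY -> prints the base64 value of the first KEY (e.g. client-key-data)
kubeconfig_field() {
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# extract_client_creds KUBECONFIG OUTDIR -> writes OUTDIR/kubecfg.crt and OUTDIR/kubecfg.key (mode 0600)
extract_client_creds() {
  cfg=$1; out=$2
  mkdir -p "$out"
  rm -f "$out/kubecfg.crt" "$out/kubecfg.key"   # never append to a stale copy
  old_umask=$(umask); umask 077                  # files created below are owner-only
  kubeconfig_field "$cfg" client-certificate-data | base64 -d > "$out/kubecfg.crt"
  kubeconfig_field "$cfg" client-key-data         | base64 -d > "$out/kubecfg.key"
  umask "$old_umask"
  # refuse to continue if either decode produced something that is not PEM
  for f in "$out/kubecfg.crt" "$out/kubecfg.key"; do
    head -n 1 "$f" | grep -q '^-----BEGIN ' \
      || { echo "FAIL: $f is not PEM (wrong kubeconfig field or user entry?)" >&2; return 1; }
  done
}

# file_mode PATH -> octal permission bits, e.g. 600 (GNU stat, with a BSD fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# pem_block LABEL -> a placeholder PEM block (constructed, not real key material)
pem_block() {
  printf '%s\n' "-----BEGIN $1-----" "UExBQ0VIT0xERVI=" "-----END $1-----"
}

# write_kubeconfig FILE CRT_TEXT KEY_TEXT -> writes a minimal kubeconfig carrying the two texts base64-encoded
write_kubeconfig() {
  crt=$(printf '%s\n' "$2" | base64 | tr -d '\n')
  key=$(printf '%s\n' "$3" | base64 | tr -d '\n')
  cat > "$1" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $crt
    client-key-data: $key
EOF
}

# usage against the real admin kubeconfig:
#   extract_client_creds ~/.kube/config ./creds && ls -l ./creds
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  write_kubeconfig "$demo/config" "$(pem_block CERTIFICATE)" "$(pem_block 'RSA PRIVATE KEY')"
  extract_client_creds "$demo/config" "$demo/out" && ls -l "$demo/out"
  rm -rf "$demo"
fi
```

After `openssl pkcs12 -export` has produced the .p12 and it has been imported into the browser, kubecfg.key has no further use on disk; the .p12 is protected only by the export password, so treat it the same way.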
Create a login account: create a configuration file named dashboard-adminuser.yaml
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
```
```bash
kubectl create -f dashboard-adminuser.yaml
```
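Both manifests in this post hand out the built-in cluster-admin ClusterRole: dashboard.yaml binds it to the kubernetes-dashboard ServiceAccount (its ClusterRoleBinding names the account in the kube-system namespace, while the manifest creates the account in kubernetes-dashboard, so as written the two do not line up), and dashboard-adminuser.yaml binds it to admin-user. Anyone holding either account's token therefore has full control of the cluster, which is worth seeing explicitly before the manifests are applied. The audit below is an added example, not code from the original post: it scans a multi-document manifest for every subject granted cluster-admin and flags ServiceAccount subjects that the same manifest never defines. `SAMPLE_MANIFEST` is a constructed cut-down copy of the two bindings above plus the dashboard's own metrics binding; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post: list every subject a manifest binds
# to cluster-admin, and flag ServiceAccount subjects the manifest never creates.
# Works on indented multi-document YAML as written by hand (not kubectl List output).

# audit_cluster_admin [FILE...] -> one line per cluster-admin subject; reads stdin when
# no file is given; exit status 1 when at least one such binding was found
audit_cluster_admin() {
  awk '
    function end_doc() {
      if (kind == "ServiceAccount") sa[ns "/" name] = 1
      if ((kind == "ClusterRoleBinding" || kind == "RoleBinding") && roleref == "cluster-admin")
        for (i = 1; i <= nsub; i++)
          findings[++nf] = kind " " name " -> " subkind[i] " " subns[i] "/" subname[i]
      kind = name = ns = roleref = section = ""; nsub = 0
    }
    /^---/        { end_doc(); next }
    /^kind:/      { kind = $2; next }
    /^metadata:/  { section = "metadata"; next }
    /^roleRef:/   { section = "roleRef"; next }
    /^subjects:/  { section = "subjects"; next }
    /^[^ #-]/     { section = "" }                    # any other top-level key ends the section
    section == "metadata" && /^  name:/      { name = $2 }
    section == "metadata" && /^  namespace:/ { ns = $2 }
    section == "roleRef"  && /^  name:/      { roleref = $2 }
    # a "-" starts a new subject; drop the dash so the key on the same line is handled below
    section == "subjects" && $1 == "-"          { nsub++; subkind[nsub] = subname[nsub] = subns[nsub] = ""; $1 = ""; $0 = $0 }
    section == "subjects" && $1 == "kind:"      { subkind[nsub] = $2 }
    section == "subjects" && $1 == "name:"      { subname[nsub] = $2 }
    section == "subjects" && $1 == "namespace:" { subns[nsub] = $2 }
    END {
      end_doc()
      for (i = 1; i <= nf; i++) {
        split(findings[i], f, " ")
        note = (f[4] == "ServiceAccount" && !(f[5] in sa)) ? "  [no ServiceAccount with that namespace/name in this manifest]" : ""
        print findings[i] note
      }
      exit (nf > 0)
    }
  ' "$@"
}

# Constructed sample: the two cluster-admin bindings from this post and the
# dashboard metrics binding, cut down to the fields the audit reads.
SAMPLE_MANIFEST='apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard'

# audit_sample -> runs the audit over SAMPLE_MANIFEST
audit_sample() {
  printf '%s\n' "$SAMPLE_MANIFEST" | audit_cluster_admin
}

# usage: audit_cluster_admin dashboard.yaml dashboard-adminuser.yaml
audit_sample || echo "(cluster-admin grants found above)"
```

Against a running cluster the same question is answered by `kubectl get clusterrolebinding -o wide`, which lists each binding's role and subjects, and `kubectl auth can-i --list --as=system:serviceaccount:kube-system:admin-user` shows what a given account can actually do; the dashboard's own Role and ClusterRole in the manifest show how little it needs for its own operation.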
Print the token:
```text
[root@k8s-centos7-master dashboard]# kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
# check that this Name really is the admin-user token
Name:         admin-user-token-cw64b
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: d8ac152d-3f51-494c-ae73-3bcc71d0b61d
Type:  kubernetes.io/service-account-token
Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IkpZWkRhZEpNVHhJWXlJOTVIcGRpSWRMZW14aG1BUzJtWlBRdnZ0Qy02SG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWN3NjRiIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkOGFjMTUyZC0zZjUxLTQ5NGMtYWU3My0zYmNjNzFkMGI2MWQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.knGeN8E4lLmZGoWIGTYjUkfO-uggSuo2k_-7tZag1Vg1AvCmXy5Ot7BEozQ_jJYX8oYjbxWCy6mZyG3NgdfBTYvFsMaS9g-RHZPOXAQPct5DDVDvHS-F6IzE_OZP8W5XKDcNl5-RRoLTjphevTgi7AUZ6r3Bx_vvbOFC9-rz4aqBP7LJwUcSP-w8bQYtCQD8qjuKeh_a8WbqcXUIuk7PuTPttQcqXVy_Yvd15VG390sdjbwIS2ULwNrGFY5BrVNuUBKzxV1DhOLZnK6Qz9iB2AgUA0jjPACF943_fqgr-0OcCXyl_zSEYR0yYes6K8QX082vu88X6Rz9myuOL2IZrg
```
Paste the token above into the browser; after a successful login the result looks like this:
>> Error when applying dashboard.yaml: Error from server (AlreadyExists): error when creating "kubernetes-dashboard.yaml": secrets "kubernetes-dashboard-certs" already exists
Run the following command to resolve it:
```bash
kubectl delete -f kubernetes-dashboard.yaml
```