docker run -d  --privileged=true  --restart=unless-stopped -p 80:80 -p 8443:443 -v /opt/service/rancher:/var/lib/rancher harbor.jettech.com/rancher/rancher:v2.3.6

清理

[root@localhost ~]# cat clean.sh 
#!/bin/bash

# 卸载rancher2.x

KUBE_SVC='
kubelet
kube-scheduler
kube-proxy
kube-controller-manager
kube-apiserver
'
for kube_svc in ${KUBE_SVC};
do
  # 停止服务
  if [[ `systemctl is-active ${kube_svc}` == 'active' ]]; then
    systemctl stop ${kube_svc}
  fi
  # 禁止服务开机启动
  if [[ `systemctl is-enabled ${kube_svc}` == 'enabled' ]]; then
    systemctl disable ${kube_svc}
  fi
done
# 停止所有容器
docker stop $(docker ps -aq)
# 删除所有容器
docker rm -f $(docker ps -qa)
# 删除所有容器卷
docker volume rm $(docker volume ls -q)
# 卸载mount目录
for mount in $(mount | grep tmpfs | grep '/var/lib/kubelet' | awk '{ print $3 }') /var/lib/kubelet /var/lib/rancher;
do
  umount $mount;
done
# 备份目录
mv /etc/kubernetes /etc/kubernetes-bak-$(date +"%Y%m%d%H%M")
mv /var/lib/etcd /var/lib/etcd-bak-$(date +"%Y%m%d%H%M")
mv /var/lib/rancher /var/lib/rancher-bak-$(date +"%Y%m%d%H%M")
mv /opt/rke /opt/rke-bak-$(date +"%Y%m%d%H%M")
# 删除残留路径
rm -rf /etc/ceph \
    /etc/cni \
    /opt/cni \
    /run/secrets/kubernetes.io \
    /run/calico \
    /run/flannel \
    /var/lib/calico \
    /var/lib/cni \
    /var/lib/kubelet \
    /var/log/containers \
    /var/log/kube-audit \
    /var/log/pods \
    /var/run/calico
# 清理网络接口
no_del_net_inter='
lo
docker0
eth
ens
bond
'
network_interface=`ls /sys/class/net`
for net_inter in $network_interface;
do
  if ! echo "${no_del_net_inter}" | grep -qE ${net_inter:0:3}; then
    ip link delete $net_inter
  fi
done
# 清理残留进程
port_list='
80
443
6443
2376
2379
2380
8472
9099
10250
10254
'
for port in $port_list;
do
  pid=`netstat -atlnup | grep $port | awk '{print $7}' | awk -F '/' '{print $1}' | grep -v - | sort -rnk2 | uniq`
  if [[ -n $pid ]]; then
    kill -9 $pid
  fi
done
kube_pid=`ps -ef | grep -v grep | grep kube | awk '{print $2}'`
if [[ -n $kube_pid ]]; then
  kill -9 $kube_pid
fi
# 清理Iptables表
## 注意:如果节点Iptables有特殊配置,以下命令请谨慎操作
sudo iptables --flush
sudo iptables --flush --table nat
sudo iptables --flush --table filter
sudo iptables --table nat --delete-chain
sudo iptables --table filter --delete-chain
systemctl restart docker

前提 
1.首先保障rancher管理k8s集群的config文件还在,可以查看~/.kube/config 进行验证

[root@localhost ~]# kubectl config get-contexts
CURRENT   NAME                   CLUSTER                AUTHINFO   NAMESPACE
*         jettech                jettech                jettech    
          jettech-172.16.10.87   jettech-172.16.10.87   jettech    
[root@localhost ~]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.10.87:8443/k8s/clusters/c-t5kwm   
  name: jettech   #此集群是rancher创建用的
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://172.16.10.87:6443
  name: jettech-172.16.10.87  #此集群k8s用的kubectl 可以操作的 不通过rancher也可以用
contexts:
- context:
    cluster: jettech
    user: jettech
  name: jettech
- context:
    cluster: jettech-172.16.10.87
    user: jettech
  name: jettech-172.16.10.87
current-context: jettech
kind: Config
preferences: {}
users:
- name: jettech
  user:
    token: kubeconfig-user-9hzqx.c-t5kwm:4kvkcffhpgsrn4bg4mqv8gppf7h9h7x89zn77kkmfdrrznnjr8tmb9

CURRENT   NAME                   CLUSTER                AUTHINFO   NAMESPACE
*         jettech                jettech                jettech    
          jettech-172.16.10.87   jettech-172.16.10.87   jettech 

jettech集群是最开始创建的,jettech-172.16.10.87集群是rancher创建集群的时候我们选择的是否在racher不可用的情况下,可以用最初的方式操作集群。

2.切换到不同配置项

[root@localhost ~]# kubectl config use-context jettech-172.16.10.87
Switched to context "jettech-172.16.10.87".

3.使用kubectl命令来操作集群

[root@localhost ~]# kubectl get nodes
NAME           STATUS     ROLES                      AGE   VERSION
172.16.10.15   NotReady   worker                     49d   v1.17.4
172.16.10.87   NotReady   controlplane,etcd,worker   49d   v1.17.4

若rancher彻底不可恢复

待kubectl命令可以使用后,在新搭建rancher平台中,把此集群导入进去,导入完成后 要重建项目,把之前的命名空间移过去即可。具体导入命令,参考rancher官网

当集群都不可用的时候,可以自己做个集群,创建用户,关联集群用户,用户授权等 这种方法不可以,因为kubectl都不可以用了,没有可用的kubeconfig信息

在开启了 TLS 的集群中,每当与集群交互的时候少不了的是身份认证,使用 kubeconfig(即证书) 和 token 两种认证方式是最简单也最通用的认证方式。

以kubectl为例介绍kubeconfig的配置。kubectl只是个go编写的可执行程序,只要为kubectl配置合适的kubeconfig,就可以在集群中的任意节点使用。kubectl默认会从$HOME/.kube目录下查找文件名为 config 的文件,也可以通过设置环境变量 KUBECONFIG 或者通过设置 --kubeconfig 去指定其它 kubeconfig 文件。

总之kubeconfig就是为访问集群所作的配置。

1.通过rancher创建的集群证书位于

[root@localhost ~]# ls /etc/kubernetes/ssl/
certs                                    kube-ca-key.pem                               kubecfg-kube-scheduler.yaml      kube-proxy-key.pem
kube-apiserver-key.pem                   kube-ca.pem                                   kube-controller-manager-key.pem  kube-proxy.pem
kube-apiserver.pem                       kubecfg-kube-apiserver-proxy-client.yaml      kube-controller-manager.pem      kube-scheduler-key.pem
kube-apiserver-proxy-client-key.pem      kubecfg-kube-apiserver-requestheader-ca.yaml  kube-etcd-172-16-10-87-key.pem   kube-scheduler.pem
kube-apiserver-proxy-client.pem          kubecfg-kube-controller-manager.yaml          kube-etcd-172-16-10-87.pem       kube-service-account-token-key.pem
kube-apiserver-requestheader-ca-key.pem  kubecfg-kube-node.yaml                        kube-node-key.pem                kube-service-account-token.pem
kube-apiserver-requestheader-ca.pem      kubecfg-kube-proxy.yaml                       kube-node.pem

这里需要集群根证书

[root@localhost ~]# ls /etc/kubernetes/ssl/{kube-ca-key.pem,kube-ca.pem}
/etc/kubernetes/ssl/kube-ca-key.pem  /etc/kubernetes/ssl/kube-ca.pem


ca的key:/etc/kubernetes/ssl/kube-ca-key.pem 
ca的pem或crt:/etc/kubernetes/ssl/kube-ca.pem

新建用户

新建一个k8s用户大概可以分为以下几步:

  • 生成用户的证书key
  • 通过用户的证书key,生成用户的证书请求
  • 通过k8s的api的ca证书去签发用户的证书请求,生成用户的证书
  • 配置kubectl config
    • kubectl config set-cluster                           //集群配置
    • kubectl config set-credentials NAME         //用户配置
    • kubectl config set-context                  //context配置
    • kubectl config use-context                 //切换context

具体操作:

(1) 用户证书,此处我用的是自己的用户名:wubo

[root@localhost aaa]#  (umask 077; openssl genrsa -out wubo.key 2048) #创建用户证书key


[root@localhost aaa]# openssl req -new -key wubo.key -out wubo.csr -subj "/O=wubo/CN=wubo" #创建用户证书请求,-subj指定组和用户,其中O是组名,CN是用户名


[root@localhost aaa]# openssl x509 -req -in wubo.csr -CA  /etc/kubernetes/ssl/kube-ca.pem -CAkey /etc/kubernetes/ssl/kube-ca-key.pem -CAcreateserial -out wubo.crt -days 365 #使用k8s的ca签发用户证书

[root@localhost aaa]# ls
wubo.crt  wubo.csr  wubo.key

(2) 配置kubectl config

[root@localhost ~]# export KUBE_APISERVER="https://172.16.10.87:6443"

# 设置集群参数
此处可以不执行,不执行就使用本身的集群,也默认使用本集群的默认config文件
[root@localhost aaa]# kubectl config set-cluster wubo-cluster --certificate-authority=/etc/kubernetes/ssl/kube-ca.pem  --embed-certs=true --server=${KUBE_APISERVER} --kubeconfig=config
Cluster "wubo-cluster" set.

# 设置客户端认证参数用户是wubo 和openssl创建的证书的CN一致
[root@localhost aaa]# kubectl config set-credentials wubo --certificate-authority=/etc/kubernetes/ssl/kube-ca.pem  --client-certificate=wubo.crt --client-key=wubo.key --embed-certs=true --kubeconfig=config
User "wubo" set.

# 设置上下文参数  就是把集群【wubo-cluster】和用户【wubo】关联起来
[root@localhost aaa]# # kubectl config set-context wubo@wubo-cluster --cluster=wubo-cluster --user=wubo

# 可以切换到新用户了,但此时用户啥权限都没有,设置默认上下文
[root@localhost aaa]# kubectl config use-context wubo@wubo-cluster
Switched to context "wubo@wubo-cluster".cluster 


查看
[root@localhost aaa]# kubectl config   get-contexts
CURRENT   NAME                   CLUSTER                AUTHINFO   NAMESPACE
          jettech                jettech                jettech    
          jettech-172.16.10.87   jettech-172.16.10.87   jettech    
*         wubo@wubo-cluster      wubo-cluster           wubo
  • 没有使用kubectl config set-cluster ,因为集群就使用本身的集群,也默认使用本集群的默认config文件
  • kubectl config set-cluster --kubeconfig=/PATH/TO/SOMEFILE    ---kubeconfig=/PATH/TO/SOMEFILE用于创建新的配置文件,如果不加此选项,则内容会添加到家目录下.kube/config文件中,可以使用use-context来切换不同的用户管理k8s集群
  • context,就是用什么用户来管理哪个集群,即用户和集群的结合

参数说明:

  1. wubo-cluster                                                                         ##集群名字

  2. --certificate-authority=/etc/kubernetes/ssl/kube-ca.pem       ##集群证书颁发ca

  3. --embed-certs=true --server=${KUBE_APISERVER}           ##集群服务ip

  4. --kubeconfig=config                                                                ##把命令生成的信息内容写入kubeconfig,并且同时写入kubectl.kubeconfig文件
  5. 设置客户端认证参数时 --certificate-authority=/etc/kubernetes/ssl/kube-ca.pem   ##添加管理员权限,没有这一段则为普通用户

  6. --client-certificate:用户的ca,此处是wubo.crt

  7. --client-key:是用的key,此处是wubo.key

生成的 kubeconfig 被保存到 ~/.kube/config 文件;配置文件描述了集群、用户和上下文

集群参数

本段设置了所需要访问的集群的信息。使用set-cluster设置了需要访问的集群,如上为kubernetes,这只是个名称,实际为--server指向的apiserver;--certificate-authority设置了该集群的公钥;--embed-certs为true表示将--certificate-authority证书写入到kubeconfig中;--server则表示该集群的kube-apiserver地址

生成的kubeconfig 被保存到 ~/.kube/config 文件

用户参数

本段主要设置用户的相关信息,主要是用户证书。如上的用户名为wubo,证书为:/etc/kubernetes/ssl/wubo.pem,私钥为:/etc/kubernetes/ssl/wubo-key.pem。注意客户端的证书首先要经过集群CA的签署,否则不会被集群认可。此处使用的是ca认证方式,也可以使用token认证,如kubelet的 TLS Boostrap机制下的bootstrapping使用的就是token认证方式。上述kubectl使用的是ca认证,不需要token字段

上下文参数

集群参数用户参数可以同时设置多对,在上下文参数中将集群参数用户参数关联起来。上面的上下文名称为kubenetes,集群为kubenetes,用户为admin,表示使用admin的用户凭证来访问kubenetes集群的default命名空间,也可以增加--namspace来指定访问的命名空间。

最后使用kubectl config use-context wubo-cluster来使用名为wubo-cluster的环境项来作为配置。如果配置了多个环境项,可以通过切换不同的环境项名字来访问到不同的集群环境

备注

使用kubeconfig还需要注意用户已经经过授权(如RBAC授权),上述例子中用户的证书中O字段为wubo,CN也为wubokube-apiserver 预定义的 RoleBinding cluster-admin 将 Group wubo与 Role cluster-admin 绑定,该 Role 授予了调用kube-apiserver 相关 API 的权限。

k8s的用户授权有很多种,其中最普遍的是RBAC——基于角色的授权机制。

  • 某个用户属于某个角色
  • 某个角色拥有某些操作
  • 某些操作绑定到某些资源上

即最终效果是:某个用户对某些资源拥有某些操作。下面以上面创建的baison用户为例,让此用户对default空间拥有查看pod与进入到pod里的权限

创建集群角色 wubo-clusterrole 针对所有namespace 对所有资源有所有权限
[root@localhost aaa]# kubectl create  clusterrole wubo-clusterrole --verb="*" --resource="*"
clusterrole.rbac.authorization.k8s.io/wubo-clusterrole created



给wubo用户赋予 cluster-admin 集群角色
[root@localhost aaa]# kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=wubo-clusterrole --user=wubo
clusterrolebinding.rbac.authorization.k8s.io/wubo-admin-cluseter created

系统提供了一个集群admin的角色可以直接使用 
kubectl create clusterrolebinding wubo-admin-cluseter --clusterrole=cluster-admin --user=wubo            



[root@localhost aaa]# kubectl get clusterrole | grep wubo
wubo-clusterrole                                                       2m14s
[root@localhost aaa]# kubectl get clusterrolebinding | grep wubo
curl-wubo-admin-binding                                35d
sa-wubo-cluster-admin                                  34d
wubo-admin-cluseter                                    61s                                                                                                                                                                                             

简单说明:

  • 除了role、rolebinding外,还有cluserrole、clusterrolebinding,他们的区别就是作用域不同,很明显带cluser的作用与整个集群。
  • rolebinding可以绑定role,也可以绑定clusterrole,绑定cluserrole的时候,clusterrole作用域降级为namespace级别。
  • 集群有很多内置role、rolebinding和cluserrole、clusterrolebinding,可以用yaml方式打开作为借鉴。

k8s-RBAC授权_码农崛起-CSDN博客

晴空:

kubectl config delete-context wubo-cluster

万能方法

单节点rancher宕机后,无法登录UI界面操作K8S集群,这时可以临时生成集群权限文件,使用该文件即可操作集群。

默认情况下,我们使用rancher,连kubernetes的master主机都不用配置任何参数,那一旦rancher挂机了,master节点又无法使用命令操作集群,该怎么办?

解决方案
我在这里给大家分享一个上面问题的解决方法:

正如你所知,Rancher Server 通过 UI 创建的"自定义"集群,后端是通过 RKE 实现的,所以 RKE(https://docs.rancher.cn/rke/)有能力去纳管Rancher Server 创建的“自定义”集群,也可以不用rke就用kubectl工具即可

(1)下面是rke色思路

通过RKE 创建和管理 Kubernetes 集群,依赖 3 个文件:

cluster.yml:RKE 集群配置文件

kube_config_cluster.yml:该文件包含了获取该集群所有权限的认证凭据

cluster.rkestate:Kubernetes 集群状态文件,包含了获取该集群所有权限的认证凭据

所以,只要能从下游业务集群中获得这 3 个文件,就可以结合 RKE 二进制文件继续管理下游业务集群。下面将详细介绍如何通过 RKE 纳管 Rancher Server 创建的“自定义”集群,并通过RKE扩展集群的节点。

本文只针对 Rancher v2.4.x 和 v2.5.x 版本做了测试,其他版本可能不适用。

为了更好的演示效果,本文将从 Rancher Server 创建“自定义”集群开始,然后通过 RKE 纳管"自定义"集群,最后为了确认 RKE 有能力纳管集群,将演示通过 RKE 添加一个节点

模拟:rancher server服务宕机

如果单单rancher server服务宕机,集群中的服务依然可以正常提供服务

master主机操作

或装有controlplane角色的节点可操作

1、创建一个目录,作为恢复集群的工作目录

mkdir /opt/tembak
cd /opt/tembak

2、恢复下游业务集群的kube_config_cluster.yml文件,在controlplane节点上运行以下命令:

需要这个文件 在 /etc/kubernetes/ssl
[root@localhost ~]# cat /etc/kubernetes/ssl/kubecfg-kube-node.yaml 
apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    certificate-authority: /etc/kubernetes/ssl/kube-ca.pem
    server: "https://127.0.0.1:6443"
  name: "local"
contexts:
- context:
    cluster: "local"
    user: "kube-node-local"
  name: "local"
current-context: "local"
users:
- name: "kube-node-local"
  user:
    client-certificate: /etc/kubernetes/ssl/kube-node.pem
    client-key: /etc/kubernetes/ssl/kube-node-key.pem




[root@localhost aaa]# docker run --rm --net=host -v /etc/kubernetes/ssl:/etc/kubernetes/ssl:ro  --entrypoint bash harbor.jettech.com/rancher/rancher-agent:v2.3.6 -c 'kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap   -n kube-system full-cluster-state   -o json | jq -r .data.\"full-cluster-state\" | jq   -r .currentState.certificatesBundle.\"kube-admin\".config | sed   -e "/^[[:space:]]*server:/ s_:.*_: \"https://127.0.0.1:6443\"_"'>kube_config_cluster.yml



[root@localhost aaa]# docker run --rm --net=host -v /etc/kubernetes/ssl:/etc/kubernetes/ssl:ro  --entrypoint bash harbor.jettech.com/rancher/rancher-agent:v2.3.6 -c 'kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap   -n kube-system full-cluster-state   -o json | jq -r .data.\"full-cluster-state\" | jq   -r .currentState.certificatesBundle.\"kube-admin\".config | sed   -e "/^[[:space:]]*server:/ s_:.*_: \"https://127.0.0.1:6443\"_"'
apiVersion: v1
kind: Config
clusters:
- cluster:
    api-version: v1
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN3akNDQWFxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFTTVJBd0RnWURWUVFERXdkcmRXSmwKTFdOaE1CNFhEVEl4TVRJd01UQTFNell4TTFvWERUTXhNVEV5T1RBMU16WXhNMW93RWpFUU1BNEdBMVVFQXhNSAphM1ZpWlMxallUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU5mV3NDNFJJV1NNCjlvS2dPYmF0RmZpMWN5bDcva25BSEpiRm5JTlNhS1hsVjY1dWV3VjlVK3Z2dWVKSU8vamt4cFg5MUk0U1N0RFgKdUdYMGZpbExQWGZYaEJYNHBwblVPaE4wekFsNCt6Ym5Ud1VsYW50TmhFdG0vanJXUjhLQkdWRy9NWjZBTERtbwpYVDVPOCs2eXVINDFxVkFLYnEycGY1SVVZNUpTTENZNzhCNzhPVFRGNXlrN2YvWERCcENLdHBXemtScG5Wd0pCCnlkOEJoRVFrbk04SFJBYzlJc0YzSnNKOHlodXZldWxFN1YvWUJyWGVzcmV3M1IvejhDakZJV0NjMnplWXpKOE8KQ2hmWGlVbmpIZmg0azlsWDNpcytVTWFrTml1ekFGS0VETzlEMDFzUllObGgzMm1EY0V4bEdwMm1BQWZFRWlnNwozUmd1OEkzb2xOa0NBd0VBQWFNak1DRXdEZ1lEVlIwUEFRSC9CQVFEQWdLa01BOEdBMVVkRXdFQi93UUZNQU1CCkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSkY3UjUydHBnZzBlZnV3NGI5VXBzZElNaEhEZkloc0tnc0wKSTBrV2tvTmh4dXZGT3QwblA1Z0pmemk4SzdNMHB4M2dsSEo2MmxTZ2YwbGpGTWxaV3pMSzdFblVuNUw1dUxsSwphQ3V0dFRadzA0NndkM09uWUdtd0tMazRINXI1WWcxUUdia3UyUG5FeVgvbTM3dVNPZUNhd2R4K2JFdnpjN09WCndIY3lKS2RldkhzS2xrd213SXFhOUpvcG44MUR4TkJ6YS9oa1JUdVR2WjBrZjNmVUxGN2ttcHYxZEVyS1JzMHgKMVViZW1FQTJBZUh5QWdFb0o3YzdxbkdSbXZNUTVUOGZXVjdvVXNsTEY2Mm4ydEQxUTRsYTg5QlZBRGtOMnpVNgpNeWdyMHVtM1dSaU5EZmRnZUNxVUR2cVBDTFBHdHlia2o4M0hwdDdMb2NpSzE0eW9OTUU9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: "https://127.0.0.1:6443"
  name: "local"
contexts:
- context:
    cluster: "local"
    user: "kube-admin-local"
  name: "local"
current-context: "local"
users:
- name: "kube-admin-local"
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM2VENDQWRHZ0F3SUJBZ0lJRHF3VkY2dVRkUEl3RFFZSktvWklodmNOQVFFTEJRQXdFakVRTUE0R0ExVUUKQXhNSGEzVmlaUzFqWVRBZUZ3MHlNVEV5TURFd05UTTJNVE5hRncwek1URXhNamt3TmpVeU16WmFNQzR4RnpBVgpCZ05WQkFvVERuTjVjM1JsYlRwdFlYTjBaWEp6TVJNd0VRWURWUVFERXdwcmRXSmxMV0ZrYldsdU1JSUJJakFOCkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXgrSm9OTFdtVnltMExEZ1pUcjBLRXcvSmJ5NkMKcDUvUWN5dXovQ0xTS2t2Z0p5ckZPanZIZkJqVmR4MlZxQWNncDFkWHVldzFrTFBlSVp2SUNwcUNlUVovUldHYwpWcmZjWjZNQ3FaU2ZRVFJFZUtjRDV1Q0FPWDVoUVI2cndNWGZJMnBiZ1FISjJaSlVIWXBpbnBsQVh4bG5qQ0NxCnhjaVNVMUlIby9IcnYvQTA5N2RRU1dXS3hRN2VRbmlVS3U3YUZPRVdvdFV2b2dvTWpYQkRHb2wyNVo1dCswei8KNEI4TmlJNWxFb3lYakI5REx5VlJsdjJyNFRKMFNZZUVxT002aHREMkloZmEyclRiSitLei9JRTRrSjZUUGtCZApaSlZ6KzBJckpuc3J3UHQ2dHZuMXo4dlhnQk9SaXdsR0YvK0djMTl4QUowdTMwZThVU00rNXdGMDVRSURBUUFCCm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0l3RFFZSktvWkkKaHZjTkFRRUxCUUFEZ2dFQkFCZk9tZWRiVFhFVUwwTzFHdWZnMVNqVFhab3RVSGdpSHBkazFaZnFFVkFtcUMxeApaNzZNdkV2Qy9SRk1xZnRFZUdYS0NnLzl5U2tOSkNibnpualBWcHdmNUJrVDlCWkRLckEyTnMvd0FObHlKRFVqCnFobjk1VkpON1lWbGRFbHpUZTA2blo1dWk1ZkczTHkrQkxXL0pWci9nZVV2eWxTL0J2WEwrZ1VXSkxoZmpWOWsKeEtFbWdjT01QNFlKcUF3UGl6amlCdEJPZ09CdGpaeXhOZ2t0VmhpTExCcWIydXNVOUl5NTJ0SVlGVGRVYUlCYgpraFlDZjMzSlRoNk42bjFnMy91WllnVURsRVU0SjJ3QjJxVFlRa1RrK2I4M3gwUDVQK2N0QitRcnA4dld5UUhGClgvdTFkeGpXZld6L1dKSHcwZUhPLzB4dWlCS1RWMW1zTWZqZkFZOD0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBeCtKb05MV21WeW0wTERnWlRyMEtFdy9KYnk2Q3A1L1FjeXV6L0NMU0trdmdKeXJGCk9qdkhmQmpWZHgyVnFBY2dwMWRYdWV3MWtMUGVJWnZJQ3BxQ2VRWi9SV0djVnJmY1o2TUNxWlNmUVRSRWVLY0QKNXVDQU9YNWhRUjZyd01YZkkycGJnUUhKMlpKVUhZcGlucGxBWHhsbmpDQ3F4Y2lTVTFJSG8vSHJ2L0EwOTdkUQpTV1dLeFE3ZVFuaVVLdTdhRk9FV290VXZvZ29NalhCREdvbDI1WjV0KzB6LzRCOE5pSTVsRW95WGpCOURMeVZSCmx2MnI0VEowU1llRXFPTTZodEQySWhmYTJyVGJKK0t6L0lFNGtKNlRQa0JkWkpWeiswSXJKbnNyd1B0NnR2bjEKejh2WGdCT1Jpd2xHRi8rR2MxOXhBSjB1MzBlOFVTTSs1d0YwNVFJREFRQUJBb0lCQUV4aXpIbmdOVW80Q0wraApUS0tYZ1lNWlZGeGx4TTUwTjMvYjRyTm5Sek9jdlhPYVY3YlNZNENjS08rVlliek54SC9PMUJxY0Z6aE9WSVE1CmVTLzhMZ0k4Sm1VSVVXdWVaZDlCSDJKWkJxY3ZaejlJYkNoT0FSSjNwb2p4UktldHRvRmRRc3pCTnpjclFYUHMKajVXV2NWQW1jRGpQdnhOSWZBclZYVkFjd29BZGlibUUwVzVzMmFqTkE5MllMbE4vZFRFZTd3dW0rQWRCZWNTTwpERHcwcEx0a1U1UlZBTk9uaVNpdXpQNU1IQWp6RGxidWZkMmJoTFFCeEJiWVJnMVdoMkVtV1kvcnNyQ25BRTFoCkVLUm0wb0JJTjREbUxhcXNQM2RBTnN1Q0lxN0ZpNklGNkdUbEN5cUJnbnU3S2xHL3JXbEFSZ0lOVWRKczdlUWMKZ0VzckliMENnWUVBN1RhNkFxNWFhbXpLem5hRm8zSWpnaGx3VlE5aGlwY1cydDdRRFV6c2YzNVpoMFhNc25CUwppVnVwbTlGVm9vZ2RqQW8xVktNS080RzJHaTJWMjc1a2VPeXFzWFlaRmFsM2k0S2djc2gveFdqQjZqWW5YcDZXCkE1bWtFdmNFdGRRVXJTQUw0bUFxNVVpOHlaZjNLTmZLVmdjc3psUzFYYVlEaVJWL0J4a2JBVnNDZ1lFQTE3YmQKVWZ6NzVUSXB2cGNOUGNhTGFTWUlWejZ4cnMvMHVpRkY3MlRxSHFUTmRrdVpkTXNhME5DUCtIcEFDbXRJNm9kRgpYd2MyK0V0aW9pcEttVm83VThZNlVOVXlJS2x3UHUzcEFucUhxN0M0eTN6S2FuMThsS1I0V0h0cmovM09SdjcxCnZPUkxKOWZoL1RqV054VG91dDFmNU4rYy94Y3pTbFZZUkhFSzlyOENnWUVBeTEwa29SSEtyL3l1N2N3TWkvQloKWXJyZVkvMzR1TEVKUmdESlN1M012d3lhUW05anF3TENyOEdtcWRBUVkzUGdLT1BEanRqcjk5SWZSVmdaWnJkVwpPWmxrU1JtZkxjUUltZEVXTHZHWElLM0x1VGhPRGo5VkNxY1lVNjMwR3RKRUc1d2l0Q09RQXR1V0JocERLWCsrCmxudzJQSG5BdHhXUmFGL0dkRlpnb1lzQ2dZQXdQWFRCSVJJejcwUG1tMkVhcjR2OXQ4T2x2eDk5T0lSQ0c2N0kKR29sQTBSb2hta1ozRi9TblBmejBWR0o5OGdBY2NxUFEzSXd1ZXExVUZxRVlLbFdhSm5wa0dVbGNoSWZWaXQ3UQo3eFhvRDExRUpHUWY3SEF2elpnY01YMmNkZVhyZXBqNTVSUHBsUjIwdzBFa2tFaDdnWVl3YU5Gek9uejk0cGdhCnRpejlnUUtCZ1FDY3NrWlFuMVg4MlNCY0ZPUDJNN0pWN0NpaW9VVm5LRXZZS3RhMmhHbDlVWWlvQkRzd0FxVzUKdFJIYVRGUi9NNzlRd21RTktnNVRUZm45eGVHakJtT1I4RnhhaVVKV09EWGpvZ2FEZzAyQ2RyQUxpbW1UV3k4UAp3cTZQYzZHVGtTN2dYTVlEYnFxc1o0RWs2OWxvT3ZBNVF2WTB4c0I0Sm03WUFjWEJHL2hvNEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=

1. kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml 这个是集群配置信息kubeconfig

1.1  通过kubeconfig查看集群信息

[root@localhost ~]# kubectl config --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/ssl/kube-ca.pem
    server: https://127.0.0.1:6443
  name: local
contexts:
- context:
    cluster: local
    user: kube-node-local
  name: local
current-context: local
kind: Config
preferences: {}
users:
- name: kube-node-local
  user:
    client-certificate: /etc/kubernetes/ssl/kube-node.pem
    client-key: /etc/kubernetes/ssl/kube-node-key.pem
[root@localhost ~]# kubectl config --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml   get-contexts
CURRENT   NAME    CLUSTER   AUTHINFO          NAMESPACE
*         local   local     kube-node-local   
[root@localhost ~]# kubectl config --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml   get-clusters
NAME
local

1.2 获取configmap 在kube-system空间下,就是对集群正常操作

[root@localhost ~]# kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap -n kube-system
NAME                                 DATA   AGE
calico-config                        4      50d
coredns                              1      50d
coredns-autoscaler                   1      50d
extension-apiserver-authentication   6      50d
full-cluster-state                   1      50d
rke-coredns-addon                    1      50d
rke-ingress-controller               1      50d
rke-metrics-addon                    1      50d
rke-network-plugin                   1      50d

1.3 基于1.2 获取configmap full-cluster-state -o json 信息以json格式展示

[root@localhost ~]# kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap full-cluster-state -o json  -n kube-system

1.4 把ip换成local的ip127.0.0.1

kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap   -n kube-system full-cluster-state   -o json | jq -r .data.\"full-cluster-state\" | jq   -r .currentState.certificatesBundle.\"kube-admin\".config | sed   -e "/^[[:space:]]*server:/ s_:.*_: \"https://127.0.0.1:6443\"_"

1.5 其实1.4 就已经可以了。1.5只是在新运行的racnher-agent且用的是k8s集群的ssl 查找的kubeconfig文件。

docker run --rm --net=host -v /etc/kubernetes/ssl:/etc/kubernetes/ssl:ro  --entrypoint bash harbor.jettech.com/rancher/rancher-agent:v2.3.6 -c 'kubectl --kubeconfig /etc/kubernetes/ssl/kubecfg-kube-node.yaml get configmap   -n kube-system full-cluster-state   -o json | jq -r .data.\"full-cluster-state\" | jq   -r .currentState.certificatesBundle.\"kube-admin\".config | sed   -e "/^[[:space:]]*server:/ s_:.*_: \"https://127.0.0.1:6443\"_"'

(2) 下面是kubectl色思路,把上面生成的kube_config_cluster.yml文件复制到

[root@jettoloader ~]# cp kube_config_cluster.yml ~/.kube/config
[root@localhost aaa]# kubectl get nodes
NAME           STATUS     ROLES                      AGE   VERSION
172.16.10.15   NotReady   worker                     50d   v1.17.4
172.16.10.87   NotReady   controlplane,etcd,worker   50d   v1.17.4

接下来就是在rancher中import外部集群即可。导入集群有个主意事项

1.在rancher新建集群-->导入方式--->然后下载。【如果内网情况】

[root@localhost ~]# wget --no-check-certificate  https://172.16.10.87:8443/v3/import/qdb2r7whtc9zcprltckr6bvdzd7kvtmdc8lz92g8x6fcjjmr88c66b.yaml

修改

image: rancher/rancher-agent:v2.3.6
为内网私有镜像源

导入方式页面没看到加新节点操作

登录并创建API密钥

在Rancher 1.x中,默认情况下没有启用认证。启动rancher/server容器后,用户无需任何凭据就可以访问API / UI。在Rancher 2.0中,我们用默认用户名和密码管理来启用身份验证。登录后,我们将获得一个不记名的token,我们可以用它来更改密码。更改密码后,我们将创建一个API密钥以执行其他请求。API密钥也是一个不记名token,我们称其为用于自动化目的的自动化。

下面你是命令方方式添加新节点

登录

rancher的用户名和密码
[root@localhost ~]# LOGINRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3-public/localProviders/local?action=login' -H 'content-type: application/json' --data-binary '{"username":"admin","password":"123456aA"}' --insecure

[root@localhost ~]# echo $LOGINRESPONSE
{"authProvider":"local","baseType":"token","clusterId":null,"created":"2022-01-21T02:45:55Z","createdTS":1642733155000,"creatorId":null,"current":false,"description":"","enabled":true,"expired":false,"expiresAt":"","groupPrincipals":null,"id":"token-wtpqv","isDerived":false,"labels":{"authn.management.cattle.io/kind":"session","authn.management.cattle.io/token-userId":"user-9hzqx","cattle.io/creator":"norman"},"lastUpdateTime":"","links":{"self":"https://172.16.10.87:8443/v3-public/tokens/token-wtpqv"},"name":"token-wtpqv","token":"token-wtpqv:dspwbm4p889gnx5482wwhszm2rngmkflpxlcj9rmjtkdjxst7qj4x5","ttl":57600000,"type":"token","userId":"user-9hzqx","userPrincipal":"map[displayName:Default Admin loginName:admin me:true metadata:map[creationTimestamp:\u003cnil\u003e name:local://user-9hzqx] principalType:user provider:local]","uuid":"4150599c-7a64-11ec-b842-0242ac110002"}


截取token
[root@localhost ~]# LOGINTOKEN=$(echo $LOGINRESPONSE | jq -r .token)
[root@localhost ~]# echo $LOGINTOKEN
token-wtpqv:dspwbm4p889gnx5482wwhszm2rngmkflpxlcj9rmjtkdjxst7qj4x5

更改密码(将密码改为thisisyournewpassword)

[root@localhost ~]# curl -s 'https://172.16.10.87:8443/v3/users?action=changepassword' -H 'content-type: application/json' -H "Authorization: Bearer $LOGINTOKEN" --data-binary '{"currentPassword":"123456aA","newPassword":"123456789"}' --insecure

创建API密钥

[root@localhost ~]# APIRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/token' -H 'content-type: application/json' -H "Authorization: Bearer $LOGINTOKEN" --data-binary '{"type":"token","deion":"automation"}' --insecure)
[root@localhost ~]# echo $APIRESPONSE
{"authProvider":"local","baseType":"token","clusterId":null,"created":"2022-01-21T02:53:57Z","createdTS":1642733637000,"creatorId":null,"current":false,"description":"","enabled":true,"expired":false,"expiresAt":"","groupPrincipals":null,"id":"token-ks7fs","isDerived":true,"labels":{"authn.management.cattle.io/token-userId":"user-9hzqx","cattle.io/creator":"norman"},"lastUpdateTime":"","links":{"remove":"https://172.16.10.87:8443/v3/tokens/token-ks7fs","self":"https://172.16.10.87:8443/v3/tokens/token-ks7fs","update":"https://172.16.10.87:8443/v3/tokens/token-ks7fs"},"name":"token-ks7fs","token":"token-ks7fs:c4hnkt5mlrvjtll4w9bfpwqhgt22r82xtlsl7tqmjqvsn9v6pqszzd","ttl":0,"type":"token","userId":"user-9hzqx","userPrincipal":"map[displayName:Default Admin loginName:admin me:true metadata:map[creationTimestamp:\u003cnil\u003e name:local://user-9hzqx] principalType:user provider:local]","uuid":"6102c7d9-7a65-11ec-b842-0242ac110002"}
[root@localhost ~]# APITOKEN=$(echo $APIRESPONSE | jq -r .token)
[root@localhost ~]# echo $APITOKEN
token-ks7fs:c4hnkt5mlrvjtll4w9bfpwqhgt22r82xtlsl7tqmjqvsn9v6pqszzd

创建集群

生成API密钥匙后,就可以开始创建集群了。创建集群时,您有3个选项:

›启动一个云集群(谷歌Kubernetes Engine/GKE)

›创建一个集群(用我们自己的Kubernetes安装程序,Rancher Kubernetes Engine)

›导入现有集群(如果您已经有了Kubernetes集群,则可以通过从该集群插入kubeconfig文件导入)

拿本文来说,我们将使用Rancher Kubernetes Engine (rke)创建一个集群。当您创建一个集群时,可以选择在创建集群时直接创建新节点(通过从像DigitalOcean / Amazon这样的云提供商创建节点)或使用已存在的节点,并让Rancher用SSH凭证连接到节点。我们在本文中讨论的方法(通过运行docker run命令添加节点)仅在创建集群之后才可用。

您可以使用以下命令创建集群(您的新集群)。如您所见,此处仅包含参数ignoreDockerVersion(忽略Kubernetes不支持的Docker版本)。其余的将是默认的,我们将会在后续文章中讨论。在此之前,您可以通过UI发现可配置选项。

[root@localhost ~]# CLUSTERRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/cluster' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary '{"type":"cluster","nodes":[],"rancherKubernetesEngineConfig":{"ignoreDockerVersion":true},"name":"wubo"}' --insecure)



[root@localhost ~]# echo $CLUSTERRESPONSE
{"actions":{"backupEtcd":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=backupEtcd","enableMonitoring":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=enableMonitoring","exportYaml":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=exportYaml","generateKubeconfig":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=generateKubeconfig","importYaml":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=importYaml","restoreFromEtcdBackup":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=restoreFromEtcdBackup","rotateCertificates":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=rotateCertificates","runSecurityScan":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=runSecurityScan","saveAsTemplate":"https://172.16.10.87:8443/v3/clusters/c-4dpq4?action=saveAsTemplate"},"annotations":{},"appliedEnableNetworkPolicy":false,"baseType":"cluster","clusterTemplateId":null,"clusterTemplateRevisionId":null,"conditions":[{"status":"True","type":"Pending"},{"status":"Unknown","type":"Provisioned"},{"status":"Unknown","type":"Waiting"}],"created":"2022-01-21T02:56:46Z","createdTS":1642733806000,"creatorId":"user-9hzqx","defaultClusterRoleForProjectMembers":null,"defaultPodSecurityPolicyTemplateId":null,"dockerRootDir":"/var/lib/docker","enableClusterAlerting":false,"enableClusterMonitoring":false,"enableNetworkPolicy":false,"id":"c-4dpq4","internal":false,"istioEnabled":false,"labels":{"cattle.io/creator":"norman"},"links":{"apiServices":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/apiservices","clusterAlertGroups":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusteralertgroups","clusterAlertRules":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusteralertrules","clusterAlerts":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusteralerts","clusterCatalogs":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clustercatalogs","clusterLoggings":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusterloggings","clusterMonitorGraphs":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clustermonitorgraphs","clusterRegistrationTokens":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusterregistrationtokens","clusterRoleTemplateBindings":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusterroletemplatebindings","clusterScans":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/clusterscans","etcdBackups":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/etcdbackups","namespaces":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/namespaces","nodePools":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/nodepools","nodes":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/nodes","notifiers":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/notifiers","persistentVolumes":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/persistentvolumes","projects":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/projects","remove":"https://172.16.10.87:8443/v3/clusters/c-4dpq4","self":"https://172.16.10.87:8443/v3/clusters/c-4dpq4","shell":"wss://172.16.10.87:8443/v3/clusters/c-4dpq4?shell=true","storageClasses":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/storageclasses","subscribe":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/subscribe","templates":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/templates","tokens":"https://172.16.10.87:8443/v3/clusters/c-4dpq4/tokens","update":"https://172.16.10.87:8443/v3/clusters/c-4dpq4"},"name":"wubo","rancherKubernetesEngineConfig":{"addonJobTimeout":30,"ignoreDockerVersion":true,"kubernetesVersion":"v1.17.4-rancher1-2","services":{"etcd":{"backupConfig":{"enabled":true,"intervalHours":12,"retention":6,"s3BackupConfig":null,"safeTimestamp":false,"type":"/v3/schemas/backupConfig"},"creation":"12h","extraArgs":{"election-timeout":"5000","heartbeat-interval":"500"},"gid":0,"retention":"72h","snapshot":false,"type":"/v3/schemas/etcdService","uid":0},"type":"/v3/schemas/rkeConfigServices"},"sshAgentAuth":false,"type":"/v3/schemas/rancherKubernetesEngineConfig"},"state":"provisioning","transitioning":"yes","transitioningMessage":"","type":"cluster","uuid":"c5b129a2-7a65-11ec-b842-0242ac110002","windowsPreferedCluster":false}


集群id
[root@localhost ~]# CLUSTERID=$(echo $CLUSTERRESPONSE | jq -r .id)
[root@localhost ~]# echo $CLUSTERID
c-96t4g

注意此处是可以添加参数的,比如镜像是否私有,私有的话地址用户和密码,网络,可用端口范围 等等

加参数 私有仓库

[root@localhost ~]# cat args 
{
    "name": "wubo",
    "type": "cluster",
    "nodes": [],  
    "rancherKubernetesEngineConfig": {
        "ignoreDockerVersion": "true",
        "private_registries": {
           "is_default": "true",
           "password": "Harbor12345",
           "url": "harbor.jettech.com",
           "user": "admin"
        }
    }
}

[root@localhost ~]# CLUSTERRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/cluster' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary "$(cat args)" --insecure)
[root@localhost ~]# CLUSTERID=$(echo $CLUSTERRESPONSE | jq -r .id)
[root@localhost ~]# echo $CLUSTERID
c-t6tdv

这个是rancher创建集群的模板文件,可以参考这个模板文件转换为json文件 

# 
# Cluster Config
# 
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
enable_network_policy: false
local_cluster_auth_endpoint:
  enabled: true
name: wubo
# 
# Rancher Config
# 
rancher_kubernetes_engine_config:
  addon_job_timeout: 30
  authentication:
    strategy: x509
  ignore_docker_version: true
# 
#   # 当前仅支持nginx的ingress
#   # 设置`provider: none`禁用ingress控制器
#   # 通过node_selector可以指定在某些节点上运行ingress控制器,例如: 
#      provider: nginx
#      node_selector:
#        app: ingress
# 
  ingress:
    provider: nginx
  kubernetes_version: v1.17.4-rancher1-2
  monitoring:
    provider: metrics-server
# 
#   # 如果您在AWS上使用calico
# 
#      network:
#        plugin: calico
#        calico_network_provider:
#          cloud_provider: aws
# 
#   # 指定flannel网络接口
# 
#      network:
#        plugin: flannel
#        flannel_network_provider:
#          iface: eth1
# 
#   # 指定canal网络插件的flannel网络接口
# 
#      network:
#        plugin: canal
#        canal_network_provider:
#          iface: eth1
# 
  network:
    mtu: 0
    options:
      flannel_backend_type: vxlan
    plugin: canal
  private_registries:
    - is_default: true
      password: Harbor12345
      url: harbor.jettech.com
      user: admin
# 
#  # 自定义服务参数,仅适用于Linux环境
#      services:
#        kube-api:
#          service_cluster_ip_range: 10.43.0.0/16
#          extra_args: 
#            watch-cache: true   
#        kube-controller:
#          cluster_cidr: 10.42.0.0/16
#          service_cluster_ip_range: 10.43.0.0/16
#          extra_args:     
#            # 修改每个节点子网大小(cidr掩码长度),默认为24,可用IP为254个;23,可用IP为510个;22,可用IP为1022个;
#            node-cidr-mask-size: 24  
#            # 控制器定时与节点通信以检查通信是否正常,周期默认5s  
#            node-monitor-period: '5s'  
#            # 当节点通信失败后,再等一段时间kubernetes判定节点为notready状态。这个时间段必须是kubelet的nodeStatusUpdateFrequency(默认10s)的N倍,其中N表示允许kubelet同步节点状态的重试次数,默认40s。
#            node-monitor-grace-period: '20s' 
#            # 再持续通信失败一段时间后,kubernetes判定节点为unhealthy状态,默认1m0s。
#            node-startup-grace-period: '30s' 
#            # 再持续失联一段时间,kubernetes开始迁移失联节点的Pod,默认5m0s。
#            pod-eviction-timeout: '1m'   
#        kubelet:
#          cluster_domain: cluster.local
#          cluster_dns_server: 10.43.0.10
#          # 扩展变量 
#          extra_args:
#            # 与apiserver会话时的并发数,默认是10 
#            kube-api-burst: '30'      
#            # 与apiserver会话时的 QPS,默认是5   
#            kube-api-qps: '15'  
#            # 修改节点最大Pod数量
#            max-pods: '250' 
#            # secrets和configmaps同步到Pod需要的时间,默认一分钟
#            sync-frequency: '3s'
#            # kubelet默认一次拉取一个镜像,设置为false可以同时拉取多个镜像,前提是存储驱动要为overlay2,对应的Docker也需要增加下载并发数
#            serialize-image-pulls: false  
#            # 拉取镜像的最大并发数,registry-burst不能超过registry-qps ,仅当registry-qps大于0(零)时生效,(默认10)。如果registry-qps为0则不限制(默认5)。
#            registry-burst: '10' 
#            registry-qps: '0'   
#            # 以下配置用于配置节点资源预留和限制  
#            cgroups-per-qos: 'true'   
#            cgroup-driver: cgroupfs   
#            # 以下两个参数指明为相关服务预留多少资源,仅用于调度,不做实际限制
#            system-reserved: 'memory=300Mi'   
#            kube-reserved: 'memory=2Gi'  
#            enforce-node-allocatable: 'pods'  
#            # 硬驱逐阈值,当节点上的可用资源少于这个值时,就会触发强制驱逐。强制驱逐会强制kill掉POD,不会等POD自动退出。
#            eviction-hard: 'memory.available<300Mi,nodefs.available<10%,imagefs.available<15%,nodefs.inodesFree<5%'   
#            # 软驱逐阈值  
#            ## 以下四个参数配套使用,当节点上的可用资源少于这个值时但大于硬驱逐阈值时候,会等待eviction-soft-grace-period设置的时长;
#            ## 等待中每10s检查一次,当最后一次检查还触发了软驱逐阈值就会开始驱逐,驱逐不会直接Kill POD,先发送停止信号给POD,然后等待eviction-max-pod-grace-period设置的时长; 
#            ## 在eviction-max-pod-grace-period时长之后,如果POD还未退出则发送强制kill POD
#            eviction-soft: 'memory.available<500Mi,nodefs.available<50%,imagefs.available<50%,nodefs.inodesFree<10%'   
#            eviction-soft-grace-period: 'memory.available=1m30s'    
#            eviction-max-pod-grace-period: '30'      
#            ## 当处于驱逐状态的节点不可调度,当节点恢复正常状态后
#            eviction-pressure-transition-period: '5m0s'       
#        extra_binds:      
#          - "/usr/libexec/kubernetes/kubelet-plugins:/usr/libexec/kubernetes/kubelet-plugins"    
#          - "/etc/iscsi:/etc/iscsi"     
#          - "/sbin/iscsiadm:/sbin/iscsiadm"       
#        etcd:     
#          # 修改空间配额为$((4*1024*1024*1024)),默认2G,最大8G    
#          extra_args:
#            quota-backend-bytes: '4294967296'        
#            auto-compaction-retention: 240 #(单位小时)      
#        kubeproxy:    
#          extra_args:     
#          # 默认使用iptables进行数据转发    
#            proxy-mode: ""    # 如果要启用ipvs,则此处设置为`ipvs` 
# 
  services:
    etcd:
      backup_config:
        enabled: true
        interval_hours: 12
        retention: 6
        safe_timestamp: false
      creation: 12h
      extra_args:
        election-timeout: 5000
        heartbeat-interval: 500
      gid: 0
      retention: 72h
      snapshot: false
      uid: 0
    kube_api:
      always_pull_images: false
      pod_security_policy: false
      service_node_port_range: 30000-32767
    kubelet:
      cluster_domain: jettech.com
  ssh_agent_auth: false
windows_prefered_cluster: false

 运行这些代码之后,您应该在UI中看到您的新集群了。由于没有添加节点,集群状态将是“等待节点配置或等待有效配置”。

组装docker run命令以启动rancher/agent

添加节点的最后一部分是启动rancher/agent容器,该容器将把节点添加到集群中。为此,我们需要:

›与Rancher版本耦合的代理镜像

›节点(etcd和/或控制面板和/或工作人员)

›可以到达rancher/server容器的地址

›代理所使用的加入集群的集群token

›CA证书的校验和

可以从API的设置端点检索代理镜像:

[root@localhost ~]# AGENTIMAGE=$(curl -s -H "Authorization: Bearer $APITOKEN" https://172.16.10.87:8443/v3/settings/agent-image --insecure | jq -r .value)
[root@localhost ~]# echo $AGENTIMAGE
rancher/rancher-agent:v2.3.6

节点的角色,您可以自己决定。(在本例中,我们将使用全部三种角色):

ROLEFLAGS="--etcd --controlplane --worker"

可以到达rancher/server容器的地址应该是自解的,rancher/agent将连接到该端点。

[root@localhost ~]# RANCHERSERVER="https://172.16.10.87:8443"

集群token可以从创建的集群中检索。我们在CLUSTERID中保存了创建的clusterid,随后可以用它生成一个token。

[root@localhost ~]# AGENTTOKEN=$(curl -s 'https://172.16.10.87:8443/v3/clusterregistrationtoken' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary '{"type":"clusterRegistrationToken","clusterId":"'$CLUSTERID'"}' --insecure | jq -r .token)
[root@localhost ~]# echo $AGENTTOKEN
48v2k7gw2vng7zwh9n9lj4m78vplf2h4s4zqhtglzm74gv6pgxrfmh

生成的CA证书也存储在API中,并可以按如下所示进行检索,这时可以添加sha256sum来生成我们需要加入集群的校验和。

[root@localhost ~]# CACHECKSUM=$(curl -s -H "Authorization: Bearer $APITOKEN" https://172.16.10.87:8443/v3/settings/cacerts --insecure | jq -r .value | sha256sum | awk '{ print $1 }')
[root@localhost ~]# echo $CACHECKSUM
c1bfa78ba60bad860216f7757c2a045c94b6d5191ff4268add37dede20265330

加入集群所需的所有数据现在都可用,我们只需组装该命令。

[root@localhost ~]# AGENTCOMMAND="docker run -d --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --net=host $AGENTIMAGE $ROLEFLAGS --server $RANCHERSERVER --token $AGENTTOKEN --ca-checksum $CACHECKSUM"


执行上述命令
[root@localhost ~]# 

Unable to find image 'rancher/rancher-agent:v2.3.6' locally
v2.3.6: Pulling from rancher/rancher-agent
Digest: sha256:4913a649dcad32fd0a48ab6442192f441b573f76e22db316468690f269ac5d00
Status: Downloaded newer image for rancher/rancher-agent:v2.3.6

最后一个命令(echo $AGENTCOMMAND)应该是这样的

docker run -d --privileged --restart=unless-stopped --net=host -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/rancher-agent:v2.3.6 --server https://172.16.10.87:8443 --token qf7tsj22qjhq5px2x25m29r2b57lrgzmpdmzzcbcqz2kcg6vkfr42z --ca-checksum c1bfa78ba60bad860216f7757c2a045c94b6d5191ff4268add37dede20265330 --node-name 172.16.10.87 --etcd --controlplane --worker --label diskType=dev --taints NoDiskType=NoDev:NoSchedule


[root@localhost ~]# echo $AGENTCOMMAND
docker run -d --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --net=host harbor.jettech.com/rancher/rancher-agent:v2.3.6 --etcd --controlplane --worker --server https://172.16.10.87:8443 --token vnsg4c7hbvzkt9t44z6pkxzk2r95z678jps9fhmdctwlph7bkhqpws --ca-checksum 275e0ea1c549581e0b612c77269f3cab25e4d6375512ff358d9cd01b757220b1

[root@localhost ~]# docker run -d --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --net=host harbor.jettech.com/rancher/rancher-agent:v2.3.6 --etcd --controlplane --worker --server https://172.16.10.87:8443 --token vnsg4c7hbvzkt9t44z6pkxzk2r95z678jps9fhmdctwlph7bkhqpws --ca-checksum 275e0ea1c549581e0b612c77269f3cab25e4d6375512ff358d9cd01b757220b1
421c030ad7bd034a02e98baaa41dc211cb0d140e1f7e258d43e6d64622ce05aa

在节点上运行此命令后,您应该可以看到它加入了集群并由Rancher进行配置。

Protip:这些token也可以直接用作基本身份验证,例如:

curl -u $APITOKEN  https://172.16.10.87:8443/v3/settings --insecure

Rancher 2.0 Tech Preview 2自动化的第一步。

Rancher 2.0 Tech Preview 3即将发布

上面整理在一起的

[root@localhost work]# cat wubo
1. 登录
LOGINRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3-public/localProviders/local?action=login' -H 'content-type: application/json' --data-binary '{"username":"admin","password":"123456aA"}' --insecure)
登录TOKEN
LOGINTOKEN=$(echo $LOGINRESPONSE | jq -r .token)


2. 更改密码
curl -s 'https://172.16.10.87:8443/v3/users?action=changepassword' -H 'content-type: application/json' -H "Authorization: Bearer $LOGINTOKEN" --data-binary '{"currentPassword":"123456aA","newPassword":"wuqi413l"}' --insecure

3. 创建API密钥
APIRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/token' -H 'content-type: application/json' -H "Authorization: Bearer $LOGINTOKEN" --data-binary '{"type":"token","deion":"automation"}' --insecure)
APITOKEN=$(echo $APIRESPONSE | jq -r .token)


4. 创建集群
CLUSTERRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/cluster' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary '{"type":"cluster","nodes":[],"rancherKubernetesEngineConfig":{"ignoreDockerVersion":true},"name":"wubo"}' --insecure)

CLUSTERRESPONSE=$(curl -s 'https://172.16.10.87:8443/v3/cluster' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary "$(cat args)" --insecure)

CLUSTERID=$(echo $CLUSTERRESPONSE | jq -r .id)

5. 可以从API的设置端点检索代理镜像:
AGENTIMAGE=$(curl -s -H "Authorization: Bearer $APITOKEN" https://172.16.10.87:8443/v3/settings/agent-image --insecure | jq -r .value)
AGENTIMAGE=harbor.jettech.com/rancher/rancher-agent:v2.3.6


6. 节点的角色,您可以自己决定。(在本例中,我们将使用全部三种角色)
ROLEFLAGS="--etcd --controlplane --worker"

7. 可以到达rancher/server容器的地址应该是自解的,rancher/agent将连接到该端点。
RANCHERSERVER="https://172.16.10.87:8443"

8. 集群token可以从创建的集群中检索。我们在CLUSTERID中保存了创建的clusterid,随后可以用它生成一个token
AGENTTOKEN=$(curl -s 'https://172.16.10.87:8443/v3/clusterregistrationtoken' -H 'content-type: application/json' -H "Authorization: Bearer $APITOKEN" --data-binary '{"type":"clusterRegistrationToken","clusterId":"'$CLUSTERID'"}' --insecure | jq -r .token)

9. 生成的CA证书也存储在API中,并可以按如下所示进行检索,这时可以添加sha256sum来生成我们需要加入集群的校验和。
CACHECKSUM=$(curl -s -H "Authorization: Bearer $APITOKEN" https://172.16.10.87:8443/v3/settings/cacerts --insecure | jq -r .value | sha256sum | awk '{ print $1 }')

10. 加入集群所需的所有数据现在都可用,我们只需组装该命令。
AGENTCOMMAND="docker run -d --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock --net=host $AGENTIMAGE $ROLEFLAGS --server $RANCHERSERVER --token $AGENTTOKEN --ca-checksum $CACHECKSUM"

使用脚本创建自定义集群:

1. 创建自定义集群

复制并保存以下内容为脚本文件,修改前三行api_urltokencluster_name,然后执行脚本。

[root@localhost work]# cat ~/wubo/netranchercluster.sh
#!/bin/bash
api_url='https://xxx.domain.com'
api_token='token-5zgl2:tcj5nvfq67rf55r7xxxxxxxxxxx429xrwd4zx'
cluster_name=''
kubernetes_Version='v1.13.5-rancher1-2'
network_plugin='canal'
quota_backend_bytes=${quota_backend_bytes:-6442450944}
auto_compaction_retention=${auto_compaction_retention:-240}
ingress_provider=${ingress_provider:-nginx}
ignoreDocker_Version=${ignoreDocker_Version:-true}
monitoring_provider=${monitoring_provider:-metrics-server}
service_NodePort_Range=${service_NodePort_Range:-'30000-32767'}
create_Cluster=true
add_Node=true
create_cluster_data()
{
  cat <<EOF
{
    "amazonElasticContainerServiceConfig": null,
    "azureKubernetesServiceConfig": null,
    "dockerRootDir": "/var/lib/docker",
    "enableClusterAlerting": false,
    "enableClusterMonitoring": false,
    "googleKubernetesEngineConfig": null,
    "localClusterAuthEndpoint": {
        "enabled": true,
        "type": "/v3/schemas/localClusterAuthEndpoint"
    },
    "name": "$cluster_name",
    "rancherKubernetesEngineConfig": {
        "addonJobTimeout": 30,
        "addonsInclude":[ "https://raw.githubusercontent.com/rook/rook/master/cluster/examples/kubernetes/ceph/operator.yml"
        ],
        "authentication": {
            "strategy": "x509|webhook",
            "type": "/v3/schemas/authnConfig"
        },
        "authorization": {
            "type": "/v3/schemas/authzConfig"
        },
        "bastionHost": {
            "sshAgentAuth": false,
            "type": "/v3/schemas/bastionHost"
        },
        "cloudProvider": {
            "type": "/v3/schemas/cloudProvider"
        },
        "ignoreDockerVersion": "$ignoreDocker_Version",
        "ingress": {
            "provider": "$ingress_provider",
            "type": "/v3/schemas/ingressConfig"
        },
        "kubernetesVersion": "$kubernetes_Version",
        "monitoring": {
            "provider": "$monitoring_provider",
            "type": "/v3/schemas/monitoringConfig"
        },
        "network": {
            "options": {
                "flannel_backend_type": "vxlan"
            },
            "plugin": "$network_plugin",
            "type": "/v3/schemas/networkConfig"
        },
        "restore": {
            "restore": false,
            "type": "/v3/schemas/restoreConfig"
        },
        "services": {
            "etcd": {
                "backupConfig": {
                    "enabled": true,
                    "intervalHours": 12,
                    "retention": 6,
                    "s3BackupConfig": null,
                    "type": "/v3/schemas/backupConfig"
                },
                "creation": "12h",
                "extraArgs": {
                    "auto-compaction-retention": "$auto_compaction_retention",
                    "election-timeout": "5000",
                    "heartbeat-interval": "500",
                    "quota-backend-bytes": "$quota_backend_bytes"
                },
                "retention": "72h",
                "snapshot": false,
                "type": "/v3/schemas/etcdService"
            },
            "kubeApi": {
                "alwaysPullImages": false,
                "podSecurityPolicy": false,
                "serviceNodePortRange": "$service_NodePort_Range",
                "type": "/v3/schemas/kubeAPIService"
            },
            "kubeController": {
                "extraArgs": {
                    "node-monitor-grace-period": "20s",
                    "node-monitor-period": "5s",
                    "node-startup-grace-period": "30s",
                    "pod-eviction-timeout": "1m"
                },
                "type": "/v3/schemas/kubeControllerService"
            },
            "kubelet": {
                "extraArgs": {
                    "eviction-hard": "memory.available<300Mi,nodefs.available<10%,imagefs.available<15%,nodefs.inodesFree<5%",
                    "kube-api-burst": "30",
                    "kube-api-qps": "15",
                    "kube-reserved": "memory=250Mi",
                    "max-open-files": "2000000",
                    "max-pods": "250",
                    "network-plugin-mtu": "1500",
                    "pod-infra-container-image": "rancher/pause:3.1",
                    "registry-burst": "10",
                    "registry-qps": "0",
                    "serialize-image-pulls": "false",
                    "sync-frequency": "3s",
                    "system-reserved": "memory=250Mi"
                },
                "failSwapOn": false,
                "type": "/v3/schemas/kubeletService"
            },
            "kubeproxy": {
                "type": "/v3/schemas/kubeproxyService"
            },
            "scheduler": {
                "type": "/v3/schemas/schedulerService"
            },
            "type": "/v3/schemas/rkeConfigServices"
        },
        "sshAgentAuth": false,
        "type": "/v3/schemas/rancherKubernetesEngineConfig"
    }
}
EOF
}
curl -k -X POST \
    -H "Authorization: Bearer ${api_token}" \
    -H "Content-Type: application/json" \
    -d "$(create_cluster_data)" $api_url/v3/clusters

本人的

[root@localhost rancher]# cat ranchercluster-init.sh 
#!/bin/bash
api_url='https://172.16.10.87:8443'
api_token='token-m5ngj:s8lkcxrlfdj5lccthw2w958hdvrcmpxnqrtrsh74rsksjtgjn69nkb'
cluster_name='wubo'

create_cluster_data()
{
  cat <<EOF
{
    "name": "wubo",
    "type": "cluster",
    "nodes": [],  
    "rancherKubernetesEngineConfig": {
        "ignoreDockerVersion": "true",
        "private_registries": {
           "is_default": "true",
           "password": "Harbor12345",
           "url": "harbor.jettech.com",
           "user": "admin"
        }
    }
}
EOF
}
curl -k -X POST \
    -H "Authorization: Bearer ${api_token}" \
    -H "Content-Type: application/json" \
    -d "$(create_cluster_data)" $api_url/v3/clusters

2. 生成注册命令,这个只是展示一下而已 第三步才是

复制并保存以下内容为脚本文件,修改前三行api_urltokencluster_name,然后执行脚本。

[root@localhost rancher]# cat b.sh 
#!/bin/bash
api_url='https://172.16.10.87:8443'
api_token='token-m5ngj:s8lkcxrlfdj5lccthw2w958hdvrcmpxnqrtrsh74rsksjtgjn69nkb'
cluster_name='wubo'
# 获取集群ID
cluster_ID=$( curl -s -k -H "Authorization: Bearer ${api_token}" $api_url/v3/clusters | jq -r ".data[] | select(.name == \"$cluster_name\") | .id" )
# 生成注册命令
create_token_data()
{
cat <<EOF
{
"clusterId": "$cluster_ID"
}
EOF
}
curl -k -X POST \
    -H "Authorization: Bearer ${api_token}" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    -d "$(create_token_data)" $api_url/v3/clusterregistrationtokens

3. 获取主机注册命令

复制并保存以下内容为脚本文件,修改前三行api_urltokencluster_name,然后执行脚本。

[root@localhost rancher]# cat get.sh 
#!/bin/bash
api_url='https://172.16.10.87:8443'
api_token='token-m5ngj:s8lkcxrlfdj5lccthw2w958hdvrcmpxnqrtrsh74rsksjtgjn69nkb'
cluster_name='wubo'
cluster_ID=$( curl -s -k -H "Authorization: Bearer ${api_token}" $api_url/v3/clusters | jq -r ".data[] | select(.name == \"$cluster_name\") | .id" )
# nodeCommand
echo "================"
curl -s -k -H "Authorization: Bearer ${api_token}" $api_url/v3/clusters/${cluster_ID}/clusterregistrationtokens | jq -r .data[].nodeCommand
# command
echo "================"
curl -s -k -H "Authorization: Bearer ${api_token}" $api_url/v3/clusters/${cluster_ID}/clusterregistrationtokens | jq -r .data[].command

API - 使用脚本创建自定义集群 - 《Rancher v2.4.4 中文文档》 - 书栈网 · BookStack

Logo

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐