安装

1.1 基础环境配置(所有节点全部执行)

1.1.1 关闭防火墙

# Disables the host firewall on every node. The rest of this page relies on
# that (API server 6443, kubelet 10250, NodePorts 30000-32767, CNI traffic).
# NOTE(review): with firewalld off, the only thing between the Internet and
# those ports is the cloud security group -- lock it down, especially when the
# API server is advertised on a public IP as in 1.4.1. Opening just the
# kubeadm-documented ports in firewalld is the hardened alternative.
systemctl stop firewalld.service
systemctl disable firewalld.service

1.1.2 关闭 selinux

sed -i 's/enforcing/disabled/' /etc/selinux/config

1.1.3 关闭swap

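# Disable swap: kubeadm preflight fails while swap is active (listed as an init
# failure cause further down). The original `swapoff -a && swapon -a` turned
# swap straight back on.
swapoff -a
# Comment out swap entries in fstab so it stays off after a reboot.
sed -ri '/[[:space:]]swap[[:space:]]/s/^([^#])/#\1/' /etc/fstab
# Keep the kernel from swapping even if a device gets re-enabled; the grep guard
# stops the line being appended again on every run.
grep -q '^vm.swappiness' /etc/sysctl.conf || echo "vm.swappiness = 0" >> /etc/sysctl.conf
sysctl -p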

1.1.4 设置主机名称
1.1.4.1 master节点

hostnamectl set-hostname k8s-master

1.1.4.2 node1节点

hostnamectl set-hostname k8s-node1

1.1.4.3 node2节点

hostnamectl set-hostname k8s-node2

1.1.5 修改hosts(注意:修改自己的内网ip)

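# Append the node map to /etc/hosts without an interactive editor (replace the
# addresses with your own INTERNAL IPs; every node needs the same entries).
# The guard keeps a second run from appending duplicates.
grep -q 'k8s-master' /etc/hosts || cat >> /etc/hosts << EOF
10.0.20.8 k8s-master
10.0.20.2 k8s-node1
10.0.24.14 k8s-node2
EOF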

1.1.6 将桥接的 IPv4 流量传递到 iptables 的链

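# Kernel settings kubeadm preflight expects. The net.bridge.bridge-nf-call-*
# keys exist only once br_netfilter is loaded (and nf_conntrack_max once
# nf_conntrack is); without the modules `sysctl --system` reports
# "No such file or directory" for them. Load them now and on every boot.
cat > /etc/modules-load.d/k8s.conf << EOF
br_netfilter
nf_conntrack
EOF
modprobe br_netfilter
modprobe nf_conntrack

# The original file listed the bridge-nf keys twice (with and without spaces);
# the duplicates are dropped here, every value is unchanged.
cat > /etc/sysctl.d/k8s.conf << EOF
# make bridged pod traffic visible to iptables (kube-proxy / CNI rules)
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
# nodes forward pod traffic
net.ipv4.ip_forward = 1
# 0 is the kernel default; the key was removed in Linux 4.12, so on newer
# kernels sysctl prints an unknown-key error for this line and carries on
net.ipv4.tcp_tw_recycle = 0
vm.swappiness = 0
vm.overcommit_memory = 1
vm.panic_on_oom = 0
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 1048576
fs.file-max = 52706963
fs.nr_open = 52706963
net.ipv6.conf.all.disable_ipv6 = 1
net.netfilter.nf_conntrack_max = 2310720
EOF

sysctl --system # apply every file under /etc/sysctl.d now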

1.1.7 时间同步

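# Time sync has to be persistent, not one-shot: kubeadm's TLS certificates and
# the 24h bootstrap token are time-based, so a node whose clock drifts later
# cannot join or authenticate. chrony (the default on CentOS 7) keeps the clock
# disciplined after boot, whereas ntpdate only corrected it once.
yum install -y chrony
systemctl enable --now chronyd
# step the clock immediately so the first kubeadm run is not hit by skew
chronyc makestep
chronyc tracking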

1.2 安装 docker(所有节点全部执行)

1.2.1 下载dockerd源

# Docker CE yum repo from the Aliyun mirror, fetched over HTTPS. Check that the
# downloaded repo file keeps gpgcheck=1 and a gpgkey URL so the RPMs are still
# signature-verified -- the mirror is a third party in the supply chain.
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
 
# Pinned to Docker 18.06.1 (a 2018-era release). kubeadm preflight warns when
# the Docker version is not one validated for the Kubernetes release being
# installed -- confirm before keeping this pin outside a lab.
yum -y install docker-ce-18.06.1.ce-3.el7
 
systemctl enable docker && systemctl restart docker
 
docker --version

1.2.2 配置 Docker 镜像加速器(registry mirror, 注意这不是 YUM 软件源)

# Registry mirror (pull accelerator) -- not a YUM source despite the heading.
# The mirror sits between you and Docker Hub: it serves over HTTPS, but image
# integrity then rests on trusting the mirror or on pulling by digest.
# `cat >` replaces any existing daemon.json content.
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
} 
EOF

1.2.3 修改docker默认Cgroup驱动

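# The kubelet and the container runtime must use the same cgroup driver; on a
# systemd host the recommended one is systemd. A mismatch leaves the kubelet
# unable to start / unstable under resource pressure -- it is not an
# image-download problem. Set it in daemon.json instead of hand-editing
# /usr/lib/systemd/system/docker.service: the vendor unit file is overwritten
# on package upgrade, and Docker refuses to start when the same option is given
# both as a flag and in daemon.json ("specified both as a flag and in the
# configuration file").
docker info | grep Cgroup
cat > /etc/docker/daemon.json << EOF
{
  "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"],
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF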

1.2.4 刷新配置,重启docker

# Reload unit files (needed if docker.service was edited), restart Docker so
# daemon.json takes effect, then confirm "Cgroup Driver: systemd".
# Restarting Docker stops running containers unless live-restore is enabled.
systemctl daemon-reload
systemctl enable docker && systemctl restart docker
docker info | grep Cgroup

1.3 安装k8s工具(所有节点全部执行)

1.3.2 添加 Kubernetes yum 源

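# Package signature verification stays ON. The original had gpgcheck=0 /
# repo_gpgcheck=0, which would install any tampered or substituted RPM served
# by the mirror without complaint. Both key URLs go on one whitespace-separated
# line: a second URL starting at column 0 (as in the original) is not valid
# .repo syntax and breaks the parser.
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# If the mirror's repo metadata signature cannot be verified, set only
# repo_gpgcheck=0 -- keep gpgcheck=1 so the packages themselves are checked.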

1.3.4 安装 kubeadm, kubelet 和 kubectl

# Install the three kubeadm components at the same pinned version on every
# node, then enable the kubelet so it survives reboots. Until `kubeadm init`
# (or `join`) writes its config the kubelet restarts in a loop -- expected.
yum install -y kubelet-1.20.5 kubeadm-1.20.5 kubectl-1.20.5
systemctl enable --now kubelet

1.4 启动k8s(master节点执行)

1.4.1 初始化master节点

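# Initialise the control plane. Advertise the master's INTERNAL address (the
# k8s-master entry from /etc/hosts) -- the one the workers reach. The original
# value was a public IP: on a cloud VM that address is NAT-ed onto the instance
# but not configured on any local interface, so etcd/apiserver cannot bind to
# it (the "timeout" pitfall described below), and it would also put the API
# server on the Internet with firewalld disabled.
MASTER_IP=10.0.20.8
kubeadm init --apiserver-advertise-address="${MASTER_IP}" \
  --image-repository=registry.aliyuncs.com/google_containers \
  --kubernetes-version=v1.20.5 \
  --service-cidr=10.10.0.0/16 \
  --pod-network-cidr=10.244.0.0/16
# --ignore-preflight-errors=all was dropped on purpose: preflight is what
# catches the failure causes listed below (swap, firewall, cgroup driver,
# bridge sysctls). To waive one known check, name it, e.g.
#   --ignore-preflight-errors=NumCPU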
-----------------------------------------------------------
# 初始化失败几种原因:
1.没有设置master,node节点的hosts映射,找不到hostname。
2.没有关闭防火墙,selinux,swap。
3.没有开启桥接的(IPv4)
4.docker 与 kubelet 的 cgroup 驱动不一致(表现为 kubelet 无法正常启动、节点不 Ready, 并不是镜像下载失败)。
尝试执行如下命令:
# Recovery when init fails: undo the half-done init and retry.
swapoff -a
kubeadm reset
systemctl daemon-reload
systemctl restart kubelet
# Flushes ALL iptables rules, not only the Kubernetes ones (kubeadm reset leaves
# them behind). Anything else that installed rules on this host loses them.
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X 
---------------------------------------------------------------- 
# 深坑:
根本原因: `--apiserver-advertise-address` 填了公网 IP, 而云主机的公网 IP 是由平台 NAT 到实例上的, 并没有配置在任何本地网卡上。kubeadm 会把这个地址写进 /etc/kubernetes/manifests/etcd.yaml 的 --listen-client-urls / --listen-peer-urls, etcd 无法绑定该地址而启动失败, 于是 kubeadm 初始化在等待 etcd 时报 "timeout"。
推荐解法: 把 --apiserver-advertise-address 改成内网 IP(即 1.1.5 中 k8s-master 对应的地址), 不需要在初始化过程中改文件; 这样 etcd / apiserver 也不会监听在公网地址上。
应急解法(在初始化过程中抢时间改文件, 不推荐): 建立两个 ssh 会话。
1.一个用来初始化节点,会生成/etc/kubernetes/manifests/etcd.yaml文件
2.另一个在初始化过程中修改etcd.yaml配置文件:
删除 "--listen-client-urls" 中本地地址后面的公网 IP;
把 "--listen-peer-urls" 改为本地(内网)IP。

⚠️注意:初始化完成后会输出一条 kubeadm join 命令(包含 bootstrap token 和 CA 证书哈希), 用于把工作节点加入集群。请保存好这条命令; token 属于凭据, 默认 24 小时后过期(见 1.4.4)。

1.4.2 使用 kubectl 工具(配置环境变量)

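# Point kubectl at the kubeadm-generated admin kubeconfig. In this kubeadm
# version admin.conf carries a client certificate in the system:masters group
# (cluster-admin; bypasses RBAC) -- treat the copy like a root password.
mkdir -p "$HOME/.kube"
cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 0600 "$HOME/.kube/config"   # owner-only, regardless of umask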

1.4.3 检查master节点

kubectl get nodes

1.4.3 安装calico网络

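# Pin the Calico manifest to a known version and download it before applying:
# `kubectl apply -f <URL>` runs whatever that URL serves at that moment, with
# cluster-wide privileges. (The original downloaded v3.20 as a fallback but
# never applied it.)
CALICO_VERSION=v3.20
curl -fsSLO "https://docs.projectcalico.org/${CALICO_VERSION}/manifests/calico.yaml"
# Calico's IP pool must agree with the --pod-network-cidr given to kubeadm init
# (10.244.0.0/16 above). Inspect CALICO_IPV4POOL_CIDR in the file: if it is set
# to a different range, change it before applying; if it is commented out,
# Calico is expected to take the range from the cluster -- confirm.
grep -n CALICO_IPV4POOL_CIDR calico.yaml
kubectl apply -f calico.yaml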

1.4.4 构建集群

# Join worker nodes to the cluster (run on each worker node).
# The values below are the author's -- use the command printed by YOUR
# `kubeadm init`. The token is a bootstrap credential (24h validity, see
# below): anyone holding it with network reach to port 6443 can add a node to
# the cluster, so never paste a live one into docs or chat. The hash pins the
# cluster CA so the joining node cannot be redirected to an impostor API server.
# NOTE(review): 10.0.16.4 here differs from the 10.0.20.8 mapped to k8s-master
# in 1.1.5; it must be the address the master was advertised on.
kubeadm join 10.0.16.4:6443 --token jp4407.58jfq7yzrkg8igo8 \
    --discovery-token-ca-cert-hash sha256:6ff9151ca08e5b74482b5f13fd8f77689180e824e8628a65a6d63efb466dddaa

可能会失败,原因如下:

1. token 过期
# Tokens expire after 24h; this mints a new one and prints the complete join
# command for worker nodes. Run on the master. Stale tokens can be listed and
# revoked with `kubeadm token list` / `kubeadm token delete`.
kubeadm token create --print-join-command
2. k8s apiserver 不可达
# API server unreachable from the worker: usually SELinux or the firewall on
# that node. `setenforce 0` applies immediately; the sed only after a reboot.
# Note it writes SELINUX=permissive while 1.1.2 wrote "disabled" -- either is
# fine for kubeadm, but pick one. Also check the cloud security group allows
# TCP 6443 from the workers.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
systemctl disable firewalld --now
3. 这几台虚拟机的时间不同步
# Clock skew between nodes: TLS certificates and the 24h join token are
# time-based, so a node whose clock is far off cannot join. Compare `date` on
# every node, then sync (cn.pool.ntp.org is reachable from mainland China).
date
yum -y install ntp
ntpdate -u cn.pool.ntp.org

1.4.5 默认k8s的master节点是不能跑pod的业务,需要执行以下命令解除限制

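# Allow workloads on the control-plane node. Only do this on a single-node or
# lab cluster: it lets any Pod (including a compromised one) share the node
# that runs the API server and etcd.
kubectl taint nodes --all node-role.kubernetes.io/master-

# To restore the taint on one node (name from `kubectl get nodes`):
#   kubectl taint nodes k8s-master node-role.kubernetes.io/master=:NoSchedule
# Taint effects (the original listed these as bare lines, which a pasted shell
# would try to execute as commands):
#   NoSchedule       - new Pods are never scheduled onto the node
#   PreferNoSchedule - the scheduler avoids the node when it can
#   NoExecute        - also evicts Pods already running on the node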

1.5 安装k8s的控制面板

1.5.1 新建kubernetes-dashboard.yaml文件

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #
# Left empty on purpose: the Deployment runs with --auto-generate-certificates,
# so the Dashboard creates a self-signed TLS cert at start-up and stores it in
# this Secret (which is why the Role below grants update/delete on this name).

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #
# Identity the Dashboard Pod runs as. It is bound only to the minimal Role
# below, so its own token is not enough to browse the cluster from the UI.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #
# Least-privilege Role, namespaced to kube-system: only the Secrets/ConfigMap
# the Dashboard writes itself, plus proxy access to a "heapster" Service.
# Nothing on this page deploys heapster, so the last two rules are inert.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
    # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]

---
# Binds the minimal Role (a namespaced Role, not a ClusterRole) to the
# Dashboard's own service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #
# NOTE(review): nodeSelector "type: master" only matches a node that carries
# that label. kubeadm's default node labels do not include it and no step on
# this page adds it, so label the master first
# (kubectl label node k8s-master type=master) or the Pod stays Pending;
# check with `kubectl get node --show-labels`. The toleration at the bottom is
# what lets the Pod land on the tainted master at all.

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      nodeSelector:
        type: master
      containers:
        - name: kubernetes-dashboard
          # v1.10.0 is a 2018-era Dashboard release pulled from a third-party
          # mirror and is no longer maintained -- TODO confirm a supported
          # version before using this beyond a lab.
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            # Self-signed cert, written into the kubernetes-dashboard-certs
            # Secret; browsers will warn about it.
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #
# NodePort 30001 is bound on EVERY node, on all interfaces. With firewalld
# disabled in 1.1.1 and nodes that have public IPs, the login page is reachable
# from the Internet, and a cluster-admin token (1.5.4) pasted into it gives
# full control of the cluster. Restrict the port in the cloud security group,
# or reach the UI through `kubectl proxy` / an authenticated ingress instead.

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

1.5.2 安装dashboard

kubectl create -f kubernetes-dashboard

1.5.3 查看 Dashboard 暴露外网端口

kubectl get svc -A | grep kubernetes-dashboard

1.5.4 获取token

1.选择令牌方式获取token:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard | awk '{print $1}')
 
2. 新建用户,生成token
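# Option 2: create a login identity for the Dashboard. cluster-admin is FULL
# control of the cluster, and in this Kubernetes version (1.20) the
# auto-created service-account token secret does not expire -- anyone who sees
# the token (terminal scrollback, screenshots, chat) owns the cluster. For
# day-to-day browsing prefer the built-in "view" or "edit" ClusterRoles and
# keep a cluster-admin token for emergencies only.
admin_account="k8s-cyk-admin"
kubectl create serviceaccount "${admin_account}" -n kube-system
kubectl create clusterrolebinding "${admin_account}" \
  --clusterrole=cluster-admin \
  --serviceaccount="kube-system:${admin_account}"
# Read only this account's token secret. The original grep matched any secret
# whose name merely contained the account name.
kubectl -n kube-system describe secret \
  "$(kubectl -n kube-system get secret -o name | grep "^secret/${admin_account}-token-")"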

1.5.5 访问dashboard

https://服务器公网IP:30001   (端口以 1.5.1 中 Service 的 nodePort 为准, 本文为 30001, 可用 1.5.3 的命令确认)
注意: NodePort 会在每个节点的所有网卡上监听; 前面已经关闭了 firewalld, 若节点带有公网 IP, 这个登录页面(配合 1.5.4 生成的 cluster-admin token)就直接暴露在公网上。建议用云安全组限制来源 IP, 或改用 `kubectl proxy` 从本机访问。

卸载

1.1 卸载docker

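# The list below is Docker's "remove old/distro packages" list; it did NOT
# include the package actually installed in 1.2.1 (docker-ce), so that is added
# first (docker-ce-cli / containerd.io only exist for 18.09+; yum just reports
# "No Match" for packages that are not installed). Images, containers and
# volumes under /var/lib/docker are NOT removed by this.
yum remove docker-ce \
docker-ce-cli \
containerd.io \
docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine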

1.2 卸载k8s

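# Reset BEFORE removing the packages: `kubeadm reset` ships in the kubeadm RPM,
# so after `yum remove kubeadm` (the original order) the command no longer
# exists.
kubeadm reset -f
# kubeadm reset does not clean iptables/IPVS rules (it says so in its output);
# flush them so a later init starts from a clean state. This drops ALL rules.
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
yum remove -y kubelet kubeadm kubectl
modprobe -r ipip   # Calico's IP-in-IP tunnel module, if it was loaded
lsmod
# Removes the admin kubeconfig as well -- re-create it from a new init.
rm -rf ~/.kube/
rm -rf /etc/kubernetes/
rm -rf /etc/systemd/system/kubelet.service.d
rm -rf /etc/systemd/system/kubelet.service
rm -rf /usr/bin/kube*
rm -rf /etc/cni
rm -rf /opt/cni
rm -rf /var/lib/etcd
rm -rf /var/etcd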

常用命令

查看命令

# List the API group/versions the cluster serves (for the server/client
# version use `kubectl version`)
kubectl api-versions
# List the common resources (pods, services, deployments, ...) at once
kubectl get all [ -n namespace]
# List pods
kubectl get pods [ -n namespace]
# List deployments
kubectl get deployment [ -n namespace]
# List services
kubectl get service [ -n namespace]
# List configmaps
kubectl get configmap [ -n namespace]
# List daemonsets
kubectl get daemonset [ -n namespace]
# -n: optional, restrict to one namespace (default namespace otherwise)

# Container logs of a pod (add -c <container> when the pod has several)
kubectl logs <pod-name>
 
# Pod details and recent events -- first stop when a pod is Pending/crashing
kubectl describe pod <pod-name>

创建命令

# Create a namespace (replace * with the name)
kubectl create namespace *
# Create the resources in a manifest; fails with AlreadyExists if they exist
kubectl create -f *.yaml
# Create-or-update the resources in a manifest (idempotent)
kubectl apply -f *.yaml

删除命令

# Delete a pod (a pod owned by a deployment/daemonset is recreated at once)
kubectl delete pod pod_name [ -n namespace]
# Delete a deployment (and, through it, its pods)
kubectl delete deployment deployment_name [ -n namespace]
# Delete a service
kubectl delete service service_name [ -n namespace]
# Delete a configmap
kubectl delete configmap configmap_name [ -n namespace]
# Delete a daemonset
kubectl delete daemonset daemonset_name [ -n namespace]
# -n: optional, delete in the given namespace (default namespace otherwise)

拉取私有镜像仓库

1.docker login 镜像仓库地址(如192.168.1.200:5000)
登录成功后会生成 ~/.docker/config.json, 里面记录了镜像仓库的认证信息(未配置 credential helper 时, 用户名和密码只是 base64 编码, 并非加密, 注意该文件的权限, 不要随意分享)
2.将config.json转换成base64编码
 cat ~/.docker/config.json|base64 -w 0
3.编写my-dockerhub.yaml配置文件
--------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
 name: my-dockerhub
 # Secrets are namespaced: Pods in other namespaces cannot reference this one.
 namespace: default
type: kubernetes.io/dockerconfigjson
data:
 # base64 of ~/.docker/config.json from step 2. Encoded, not encrypted: anyone
 # who can read Secrets in this namespace recovers the registry password
 # (step 6 shows exactly that). Equivalent without the hand-built YAML:
 # kubectl create secret docker-registry my-dockerhub --docker-server=... --docker-username=... --docker-password=...
 .dockerconfigjson:  填刚才生成的base64编码
--------------------------------------------------------------------
4.运行my-dockerhub.yaml
kubectl apply -f my-dockerhub.yaml
5.在deployment.yaml文件指定Secret
# Goes in the Pod template of the Deployment (spec.template.spec), at the same
# level as "containers:", so the kubelet presents these credentials when it
# pulls the Pod's images. The Secret must live in the same namespace as the Pod.
imagePullSecrets:
- name: my-dockerhub
6.查看私有镜像仓库的详细信息
kubectl get secret  my-dockerhub -n default --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode