Foolproof Kubernetes (k8s) installation on CentOS (cloud hosts)
Installation
1.1 Base environment configuration (run on all nodes)
1.1.1 Disable the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
1.1.2 Disable SELinux
sed -i 's/enforcing/disabled/' /etc/selinux/config
1.1.3 Disable swap
echo "vm.swappiness = 0">> /etc/sysctl.conf
swapoff -a && swapon -a
sysctl -p
1.1.4 Set the hostnames
1.1.4.1 master node
hostnamectl set-hostname k8s-master
1.1.4.2 node1
hostnamectl set-hostname k8s-node1
1.1.4.3 node2
hostnamectl set-hostname k8s-node2
1.1.5 Edit /etc/hosts (note: use your own internal IPs)
vim /etc/hosts
Add the internal IP mappings at the bottom:
10.0.20.8 k8s-master
10.0.20.2 k8s-node1
10.0.24.14 k8s-node2
1.1.6 Pass bridged IPv4 traffic to the iptables chains
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
vm.swappiness=0
vm.overcommit_memory=1
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
sysctl --system # apply the new settings
1.1.7 Time synchronization
yum install ntpdate -y
ntpdate time.windows.com
1.2 Install Docker (run on all nodes)
1.2.1 Download the Docker yum repo
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum -y install docker-ce-18.06.1.ce-3.el7
systemctl enable docker && systemctl restart docker
docker --version
1.2.2 Configure the Aliyun registry mirror
cat > /etc/docker/daemon.json << EOF
{
"registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOF
1.2.3 Change Docker's default cgroup driver
# Docker must use the same systemd cgroup driver as k8s, otherwise image downloads fail
docker info | grep Cgroup
vim /usr/lib/systemd/system/docker.service
# Add the following to the ExecStart command
--exec-opt native.cgroupdriver=systemd
1.2.4 Reload the configuration and restart Docker
systemctl daemon-reload
systemctl enable docker && systemctl restart docker
docker info | grep Cgroup
1.3 Install the k8s tools (run on all nodes)
1.3.2 Add the Kubernetes yum repo
cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
1.3.4 Install kubeadm, kubelet and kubectl
yum install -y kubectl-1.20.5 kubelet-1.20.5 kubeadm-1.20.5
systemctl enable kubelet
systemctl start kubelet
1.4 Start k8s (run on the master node)
1.4.1 Initialize the master node
# Run the init command
kubeadm init --apiserver-advertise-address=43.138.76.94 \
--image-repository=registry.aliyuncs.com/google_containers \
--kubernetes-version=v1.20.5 \
--service-cidr=10.10.0.0/16 \
--pod-network-cidr=10.244.0.0/16 \
--ignore-preflight-errors=all
-----------------------------------------------------------
# Common reasons initialization fails:
1. The hosts mappings for the master and worker nodes were not set, so the hostname cannot be resolved.
2. The firewall, SELinux or swap was not turned off.
3. Bridged IPv4 traffic was not passed to iptables.
4. Docker and k8s use different cgroup drivers, so image downloads fail.
Try running the following commands:
swapoff -a
kubeadm reset
systemctl daemon-reload
systemctl restart kubelet
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
----------------------------------------------------------------
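The checks below are added here as an example and are not part of the original post. They test, before kubeadm init is run, the four failure causes listed above: swap, SELinux, the hosts mapping, the bridge/forwarding sysctls and Docker's cgroup driver. Each function takes the file or command output it inspects as an argument, so it can be run against the live host or against a copy; the file paths and the "Cgroup Driver:" line format of docker info are assumptions about a standard CentOS 7 host.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# init-failure causes listed above. Every check takes the file or command
# output it inspects as an argument, so the same functions can be run against
# the live host or against constructed input.

# Cause 2: swap. /proc/swaps contains only its header line when swap is off.
swap_is_off() {                     # $1: /proc/swaps (or a copy of it)
  [ "$(tail -n +2 "$1" | grep -c .)" -eq 0 ]
}

# Cause 2: SELinux. The config file must say disabled or permissive.
selinux_config_ok() {               # $1: /etc/selinux/config
  grep -Eq '^SELINUX=(disabled|permissive)$' "$1"
}

# Cause 1: hostname mapping. The node name must appear in /etc/hosts
# (comment lines are ignored).
hosts_has_entry() {                 # $1: hosts file, $2: hostname to look for
  awk -v h="$2" '
    $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
    END { exit !found }' "$1"
}

# Cause 3: bridge / forwarding sysctls must all be set to 1 in k8s.conf.
sysctl_file_ok() {                  # $1: /etc/sysctl.d/k8s.conf
  for key in net.bridge.bridge-nf-call-iptables \
             net.bridge.bridge-nf-call-ip6tables \
             net.ipv4.ip_forward; do
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    grep -Eq "^${esc}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
  done
}

# Cause 4: Docker's cgroup driver must be systemd to match the kubelet.
cgroup_driver_is_systemd() {        # $1: the "Cgroup Driver" line from `docker info`
  printf '%s\n' "$1" | grep -Eq 'Cgroup Driver:[[:space:]]*systemd'
}

# Run every check against the live host; prints one PASS/FAIL line per check
# and returns non-zero if any check failed.
run_all_checks() {                  # $1: this node's hostname (defaults to `hostname`)
  name="${1:-$(hostname)}"; rc=0
  report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
  report swap_is_off /proc/swaps
  report selinux_config_ok /etc/selinux/config
  report hosts_has_entry /etc/hosts "$name"
  report sysctl_file_ok /etc/sysctl.d/k8s.conf
  report cgroup_driver_is_systemd "$(docker info 2>/dev/null | grep 'Cgroup Driver')"
  return $rc
}

# Only touch the live host when invoked with --run, so the file can also be
# sourced to reuse the individual checks.
if [ "${1:-}" = "--run" ]; then run_all_checks; fi
```

Run it as sh preflight.sh --run on every node before kubeadm init; a FAIL line names the section above (1.1.2, 1.1.3, 1.1.5, 1.1.6 or 1.2.3) to repeat.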
# Major pitfall:
The cloud host does not have its public IP configured on a local interface, so etcd cannot start and kubeadm init fails with a "timeout" error.
Solution:
Open two SSH sessions.
1. In the first, run the node initialization; it generates /etc/kubernetes/manifests/etcd.yaml.
2. In the second, edit etcd.yaml while the initialization is still running:
Remove the public IP that follows the local address in "--listen-client-urls".
Change "--listen-peer-urls" to the local IP address.
⚠️ Note: when initialization completes it prints a command; this command is used to build the cluster.
1.4.2 Use the kubectl tool (configure the environment)
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
1.4.3 Check the master node
kubectl get nodes
1.4.3 Install the Calico network
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
If that fails, use the following instead:
curl https://docs.projectcalico.org/v3.20/manifests/calico.yaml -O
1.4.4 Build the cluster
# Worker nodes join the cluster (run on each worker node)
kubeadm join 10.0.16.4:6443 --token jp4407.58jfq7yzrkg8igo8 \
--discovery-token-ca-cert-hash sha256:6ff9151ca08e5b74482b5f13fd8f77689180e824e8628a65a6d63efb466dddaa
This may fail for the following reasons:
1. Token expired
# Tokens expire after 24 hours; regenerate the join command, which can then be used to join worker nodes
kubeadm token create --print-join-command
2. k8s apiserver unreachable
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
systemctl disable firewalld --now
3. The clocks on these machines are not synchronized
date
yum -y install ntp
ntpdate -u cn.pool.ntp.org
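Added example, not code from the original post: before pasting a join command on a worker, check that the token and the discovery hash have the expected shape, and, with the CA file from the master, that the hash really belongs to /etc/kubernetes/pki/ca.crt. The hash is computed the way the kubeadm documentation describes (SHA-256 over the DER-encoded public key of the CA certificate); the token and hash used in the comments are constructed values, not real ones.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pasted
# `kubeadm join` command and verify its --discovery-token-ca-cert-hash
# against the control plane's CA certificate.

# A bootstrap token is <6 chars>.<16 chars>, lowercase letters and digits only.
token_format_ok() {                 # $1: token string
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The discovery hash must be "sha256:" followed by 64 lowercase hex characters.
hash_format_ok() {                  # $1: hash string
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Expected discovery hash for a CA certificate (kubeadm's documented method):
# SHA-256 of the DER-encoded SubjectPublicKeyInfo of the cert.
ca_cert_hash() {                    # $1: path to ca.crt; prints 64 hex chars
  openssl x509 -pubkey -noout -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //'
}

# Extract the value of a flag from a join command, accepting both
# "--flag value" and "--flag=value"; line continuations (\) are folded first.
join_field() {                      # $1: join command text, $2: flag name
  printf '%s\n' "$1" | tr '\\\n' '  ' | awk -v f="$2" '
    { for (i = 1; i <= NF; i++) {
        if ($i == f && i < NF) { print $(i+1); exit }
        if (index($i, f "=") == 1) { print substr($i, length(f) + 2); exit }
      } }'
}

# Validate a join command; when a ca.crt path is given, also compare the hash.
check_join_command() {              # $1: join command text, $2: ca.crt (optional)
  tok=$(join_field "$1" --token)
  hsh=$(join_field "$1" --discovery-token-ca-cert-hash)
  token_format_ok "$tok" || { echo "bad token format: $tok"; return 1; }
  hash_format_ok "$hsh"  || { echo "bad hash format: $hsh"; return 1; }
  if [ -n "${2:-}" ]; then
    [ "$hsh" = "sha256:$(ca_cert_hash "$2")" ] \
      || { echo "hash does not match the CA in $2"; return 1; }
  fi
  echo "join command looks consistent"
}

# Usage (constructed token/hash, not real values):
#   check_join_command 'kubeadm join 10.0.16.4:6443 --token abcdef.0123456789abcdef \
#     --discovery-token-ca-cert-hash sha256:<64 hex chars>' /etc/kubernetes/pki/ca.crt
```

A hash mismatch means the command was generated for a different control plane (or the CA was regenerated by kubeadm reset), so the worker would refuse to join or, worse, join the wrong cluster; a malformed token usually means the 24-hour expiry above and a fresh kubeadm token create --print-join-command is needed.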
1.4.5 By default the k8s master node does not run workload pods; run the following to lift that restriction
kubectl taint nodes --all node-role.kubernetes.io/master-
# To forbid scheduling on the master again:
#kubectl taint nodes master1 node-role.kubernetes.io/master=:NoSchedule
# Taint effect options
NoSchedule: pods will never be scheduled onto the node
PreferNoSchedule: the scheduler tries to avoid the node
NoExecute: new pods are not scheduled, and pods already running on the node are evicted
1.5 Install the k8s dashboard
1.5.1 Create the kubernetes-dashboard.yaml file
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      nodeSelector:
        type: master
      containers:
      - name: kubernetes-dashboard
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
1.5.2 Install the dashboard
kubectl create -f kubernetes-dashboard.yaml
1.5.3 Check the external port exposed by the Dashboard
kubectl get svc -A | grep kubernetes-dashboard
1.5.4 Get the token
1. Choose the token login method and fetch the token:
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kubernetes-dashboard | awk '{print $1}')
2. Create a new user and generate a token
admin_account="k8s-cyk-admin"
kubectl create serviceaccount ${admin_account} -n kube-system
kubectl create clusterrolebinding ${admin_account} --clusterrole=cluster-admin --serviceaccount=kube-system:${admin_account}
kubectl -n kube-system describe secrets $(kubectl -n kube-system get secret | grep ${admin_account} | awk '{print $1}')
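The account created in step 2 holds cluster-admin, the broadest role in the cluster. The audit below is an added example rather than the post's own code: it lists every subject bound to a given ClusterRole from kubectl's custom-columns output, so that throwaway dashboard accounts like this one stay visible and can be deleted once no longer needed. SAMPLE is constructed data that imitates that output; it is not from a real cluster.

```shell
#!/bin/sh
# Added example (not from the original post): find every subject that holds
# a given ClusterRole. Input is the output of:
#   kubectl get clusterrolebindings --no-headers \
#     -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,KIND:.subjects[*].kind,SUBJECT:.subjects[*].name
# Columns: binding name, role, comma-joined subject kinds, comma-joined subject names.

# Print "binding kind name" for every subject bound to the given ClusterRole.
# Bindings with no subjects show "<none>" in kubectl's output and are skipped.
bindings_for_role() {               # $1: custom-columns text, $2: ClusterRole name
  printf '%s\n' "$1" | awk -v role="$2" '
    NF >= 4 && $2 == role && $3 != "<none>" {
      n = split($3, kinds, ","); split($4, names, ",")
      for (i = 1; i <= n; i++) print $1, kinds[i], names[i]
    }'
}

# Number of distinct kind/name subjects that hold cluster-admin.
count_cluster_admins() {            # $1: custom-columns text
  bindings_for_role "$1" cluster-admin | awk '{ print $2 "/" $3 }' | sort -u | grep -c .
}

# Fetch live data and run the audit (needs kubectl access to the cluster).
audit_live_cluster() {
  data=$(kubectl get clusterrolebindings --no-headers \
    -o custom-columns=NAME:.metadata.name,ROLE:.roleRef.name,KIND:.subjects[*].kind,SUBJECT:.subjects[*].name)
  echo "subjects holding cluster-admin: $(count_cluster_admins "$data")"
  bindings_for_role "$data" cluster-admin
}

# Constructed sample of the custom-columns output (not real cluster data).
# It includes the k8s-cyk-admin binding created in step 2 above.
SAMPLE='cluster-admin          cluster-admin   Group            system:masters
k8s-cyk-admin          cluster-admin   ServiceAccount   k8s-cyk-admin
ops-admins             cluster-admin   Group,User       ops,alice
kubernetes-dashboard   view            ServiceAccount   kubernetes-dashboard
orphan-binding         cluster-admin   <none>           <none>'
```

Running bindings_for_role "$SAMPLE" cluster-admin prints four lines, one per subject, including the dashboard account from step 2. When the dashboard is only used for browsing, binding the account to the built-in view ClusterRole instead of cluster-admin (same kubectl create clusterrolebinding command with --clusterrole=view) keeps the token read-only; when the account is no longer needed, kubectl delete clusterrolebinding k8s-cyk-admin removes the grant.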
1.5.5 Access the dashboard
https://<server public IP>:30412
Uninstallation
1.1 Uninstall Docker
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
1.2 Uninstall k8s
yum remove -y kubelet kubeadm kubectl
kubeadm reset -f
modprobe -r ipip
lsmod
rm -rf ~/.kube/
rm -rf /etc/kubernetes/
rm -rf /etc/systemd/system/kubelet.service.d
rm -rf /etc/systemd/system/kubelet.service
rm -rf /usr/bin/kube*
rm -rf /etc/cni
rm -rf /opt/cni
rm -rf /var/lib/etcd
rm -rf /var/etcd
Common commands
Inspection commands
# Show API versions
kubectl api-versions
# List everything
kubectl get all [ -n namespace]
# List all pods
kubectl get pods [ -n namespace]
# List all deployments
kubectl get deployment [ -n namespace]
# List all services
kubectl get service [ -n namespace]
# List all configmaps
kubectl get configmap [ -n namespace]
# List all daemonsets
kubectl get daemonset [ -n namespace]
# -n: optional, show only the given namespace
# Show logs
kubectl logs <pod-name>
# Describe a pod
kubectl describe pod <pod-name>
Creation commands
# Create a namespace
kubectl create namespace *
# Create resources from a file
kubectl create -f *.yaml
# Update resources from a file
kubectl apply -f *.yaml
Deletion commands
# Delete a pod
kubectl delete pod pod_name [ -n namespace]
# Delete a deployment
kubectl delete deployment deployment_name [ -n namespace]
# Delete a service
kubectl delete service service_name [ -n namespace]
# Delete a configmap
kubectl delete configmap configmap_name [ -n namespace]
# Delete a daemonset
kubectl delete daemonset daemonset_name [ -n namespace]
# -n: optional, operate on the given namespace
Pulling from a private image registry
1. docker login <registry address> (e.g. 192.168.1.200:5000)
A successful login writes ~/.docker/config.json, which records the registry credentials.
2. Encode config.json as base64
cat ~/.docker/config.json|base64 -w 0
3. Write the my-dockerhub.yaml configuration file
--------------------------------------------------------------------
apiVersion: v1
kind: Secret
metadata:
  name: my-dockerhub
  namespace: default
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: <paste the base64 output from step 2>
--------------------------------------------------------------------
4. Apply my-dockerhub.yaml
kubectl apply -f my-dockerhub.yaml
5. Reference the Secret in deployment.yaml
imagePullSecrets:
- name: my-dockerhub
6. Inspect the contents of the private registry secret
kubectl get secret my-dockerhub -n default --output="jsonpath={.data.\.dockerconfigjson}" | base64 --decode
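Steps 2 to 6 above can be done without pasting the base64 blob by hand. The functions below are an added example, not the post's own code: they generate the Secret manifest straight from a config.json file, decode it back the way step 6 does, and check that the decoded credential actually covers the registry being pulled from (a mismatched or stale config.json is a common cause of ImagePullBackOff). Secret name and namespace follow the post; SAMPLE_CONFIG is a constructed config.json with a fake credential.

```shell
#!/bin/sh
# Added example (not from the original post): build the imagePullSecret
# manifest from a docker config.json and verify the round trip.

# base64 on one line (portable replacement for GNU "base64 -w 0").
b64_oneline() {                     # $1: file to encode
  base64 < "$1" | tr -d '\n'
}

# Emit the kubernetes.io/dockerconfigjson Secret manifest for a config file.
pull_secret_manifest() {            # $1: config.json path, $2: secret name, $3: namespace
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$2" "$3" "$(b64_oneline "$1")"
}

# Pull the encoded value back out of a manifest and decode it (what step 6
# does with kubectl's jsonpath output).
decode_manifest_config() {          # $1: manifest text
  printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# Check that the decoded credential has an "auths" entry for the registry.
manifest_has_registry() {           # $1: manifest text, $2: registry host:port
  decode_manifest_config "$1" | grep -Fq "\"$2\""
}

# Constructed sample config.json (not a real credential): "auth" is the
# base64 of user:pass, written the way docker login stores it.
SAMPLE_CONFIG='{"auths":{"192.168.1.200:5000":{"auth":"dXNlcjpwYXNz"}}}'

# Usage on a real host:
#   pull_secret_manifest "$HOME/.docker/config.json" my-dockerhub default > my-dockerhub.yaml
#   manifest_has_registry "$(cat my-dockerhub.yaml)" 192.168.1.200:5000 && kubectl apply -f my-dockerhub.yaml
```

kubectl can also create the same object directly from the file with kubectl create secret generic my-dockerhub --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson; the manifest route above is useful when the Secret has to be checked into a repository or applied on another machine.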