K8S、keepalived、haproxy 高可用集群实战

K8S、keepalived、haproxy 高可用集群实战环境：Centos7.6、2个CPU、8G内存以上配置Master1：172.20.26.24Master2：172.20.26.86Master3：172.20.26.89Node1:172.20.26.104VIP :172.20.26.201

lqcbj

2084人浏览 · 2024-01-25 09:43:35

lqcbj · 2024-01-25 09:43:35 发布

K8S、keepalived、haproxy 高可用集群实战

环境：Centos7.6、2个CPU、8G内存以上配置
Master1：172.20.26.24
Master2：172.20.26.86
Master3：172.20.26.89
Node1: 172.20.26.104

VIP :172.20.26.201

在master1、2、3、Node1上：关闭selinux、firewalld、安装net-tools、lrzsz、vim、epel-release、yum update

一、K8S所有节点（master1、2、3、Node1）Hosts及防火墙设置

Master1、Master2、Master3、node1节点进行如下配置：

#添加hosts解析；

cat >/etc/hosts<<EOF
127.0.0.1 localhost localhost.localdomain
172.20.26.34 master1
172.20.26.36 master2
172.20.26.38 master3
172.20.26.37 node1
EOF

#临时关闭selinux和防火墙；

vim /etc/selinux/config #将状态改为disabled
setenforce 0
systemctl stop firewalld.service
systemctl disable firewalld.service

#同步节点时间；

yum install ntpdate -y
ntpdate pool.ntp.org

#修改对应节点主机名；

hostname `cat /etc/hosts|grep $(ifconfig|grep broadcast|awk '{print $2}')|awk '{print $2}'`;su

#关闭swapoff（因交换分区读写速度无法与内存比，关闭交换分区，确保k8s性能）；

swapoff -a # 临时关闭
sed -ri 's/.*swap.*/#&/' /etc/fstab #永久关闭

二、Linux内核参数设置&优化（master1、2、3、Node1）

让k8s支持IP负载均衡技术：

cat > /etc/modules-load.d/ipvs.conf <<EOF
# Load IPVS at boot
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4
EOF

systemctl enable --now systemd-modules-load.service #加载模块

#确认内核模块加载成功

lsmod | grep -e ip_vs -e nf_conntrack_ipv4

如果没有看到信息，可以把机器重启一下就可以了

#安装ipset、ipvsadm

yum install -y ipset ipvsadm

#配置内核参数;（加入桥接转发，让容器能够使用二层网络）

cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF

sysctl --system

三、配置节点免秘钥登录：

Master1节点作为Master控制节点，执行如下指令创建公钥和私钥，然后将公钥拷贝至其余节点即可

ssh-keygen -t rsa -N '' -f /root/.ssh/id_rsa -q
ssh-copy-id -i /root/.ssh/id_rsa.pub root@master1
ssh-copy-id -i /root/.ssh/id_rsa.pub root@master2
ssh-copy-id -i /root/.ssh/id_rsa.pub root@master3
ssh-copy-id -i /root/.ssh/id_rsa.pub root@node1

四、所有节点安装Docker、kubeadm、kubelet、kubectl （master1、2、3、Node1）

1、安装Docker

# 安装依赖软件包

yum install -y yum-utils device-mapper-persistent-data lvm2

# 添加Docker repository，这里使用国内阿里云yum源

yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

# 安装docker-ce，这里直接安装最新版本

yum install -y docker-ce

#修改docker配置文件

mkdir /etc/docker

cat > /etc/docker/daemon.json <<EOF
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
],
"registry-mirrors": ["https://uyah70su.mirror.aliyuncs.com"]
}
EOF

# 注意，由于国内拉取镜像较慢，配置文件最后增加了registry-mirrors

mkdir -p /etc/systemd/system/docker.service.d

# 重启docker服务

systemctl daemon-reload
systemctl enable docker.service
systemctl start docker.service
ps -ef|grep -aiE docker

2、Kubernetes添加部署源

添加kubernetes源指令如下：

cat>>/etc/yum.repos.d/kubernetes.repo<<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
EOF

3、K8S Kubeadm

安装Kubeadm工具；

#安装Kubeadm；

yum install -y kubeadm-1.20.4 kubelet-1.20.4 kubectl-1.20.4

#启动kubelet服务（此时启动kubelet 会无法正常启动，可以忽略启动失败）

systemctl enable kubelet.service;systemctl start kubelet.service;systemctl status kubelet.service

Node1节点安装到这即可。

五、Haproxy安装配置（Master1、2、3）

Haproxy安装配置步骤相对比较简单，跟其他源码软件安装方法大致相同，如下为Haproxy配置方法及步骤：

（1）Haproxy编译及安装

#yum安装：
yum install haproxy* -y

#源码编译安装：
yum install wget gcc -y
cd /usr/src
wget -c https://www.haproxy.org/download/2.1/src/haproxy-2.1.12.tar.gz
tar xzf haproxy-2.1.12.tar.gz
cd haproxy-2.1.12
make TARGET=linux310 PREFIX=/usr/local/haproxy/
make install PREFIX=/usr/local/haproxy

（2）配置Haproxy服务

#yum 安装的配置：

cd /usr/local/haproxy
vim haproxy.cfg

#源码编译安装配置：

useradd -s /sbin/nologin haproxy -M
cd /usr/local/haproxy ;mkdir -p etc/
touch /usr/local/haproxy/etc/haproxy.cfg
cd /usr/local/haproxy/etc/
vim /usr/local/haproxy/etc/haproxy.cfg

（3）Haproxy.cfg配置文件内容如下：

global
log /dev/log local0
log /dev/log local1 notice
chroot /usr/local/haproxy
stats socket /usr/local/haproxy/haproxy-admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
nbproc 1
defaults
log global
timeout connect 5000
timeout client 10m
timeout server 10m
listen admin_stats
bind 0.0.0.0:10080
mode http
log 127.0.0.1 local0 err
stats refresh 30s
stats uri /status
stats realm welcome login\ Haproxy
stats auth admin:123456
stats hide-version
stats admin if TRUE
listen kube-master
bind 0.0.0.0:8443
mode tcp
option tcplog
balance source
server master1 172.20.26.24:6443 check inter 2000 fall 2 rise 2 weight 1
server master2 172.20.26.86:6443 check inter 2000 fall 2 rise 2 weight 1
server master3 172.20.26.89:6443 check inter 2000 fall 2 rise 2 weight 1

（4）启动Haproxy服务

/usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/etc/haproxy.cfg #(源码编译安装）

/usr/local/haproxy/sbin/haproxy -f /usr/local/haproxy/haproxy.cfg #(yum安装方式启动）

ps -ef | grep haproxy #查看haproxy服务状态

将haproxy.cfg 文件拷贝到master2、3，并启动haproxy服务
scp /usr/local/haproxy/etc/haproxy.cfg root@master2:/usr/local/haproxy/etc/
scp /usr/local/haproxy/etc/haproxy.cfg root@master3:/usr/local/haproxy/etc/
查看服务状态：
ps -ef |grep haproxy
systemctl daemon-reload
systemctl enable haproxy
systemctl start haproxy

六、配置Keepalived服务（Master1、2、3）

yum install openssl-devel popt* -y
yum install keepalived* -y

1、配置Haproxy+keepalived

Haproxy+keealived Master1端keepalived.conf配置文件如下：

vim /etc/keepalived/keepalived.conf

! Configuration File for keepalived
global_defs {
notification_email {
lqcbj@163.com
}
notification_email_from lqcbj@163.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id MASTER1
}
vrrp_script chk_haproxy {
script "/data/sh/check_haproxy.sh"
interval 2
weight 2
}
# VIP1
vrrp_instance VI_1 {
state MASTER
interface ens192
virtual_router_id 133
priority 100
advert_int 5
authentication {
auth_type PASS
auth_pass 2222
}
virtual_ipaddress {
172.20.26.201
}
track_script {
chk_haproxy
}
}

2、创建haproxy检查脚本

mkdir -p /data/sh
vim /data/sh/check_haproxy.sh

#check_haproxy.sh脚本内容如下：

#!/bin/bash
#auto check haprox process
#2021-6-24 lqc
NUM=$(ps -ef|grep haproxy|grep -aivcE "grep|check")
if
[[ $NUM -eq 0 ]];then
systemctl stop keepalived.service
fi

#设置可执行权限

chmod +x /data/sh/check_haproxy.sh

#在Master2、Master3上创建sh目录：

mkdir -p /data/sh

#在Master1上将check_haproxy.sh文件从拷贝到Master2、3上：

scp /data/sh/check_haproxy.sh root@master2:/data/sh/
scp /data/sh/check_haproxy.sh root@master3:/data/sh/

#在Master2、Master3上设置可执行权限:

chmod +x /data/sh/check_haproxy.sh

#将keepalived.conf 拷贝到Master2、3上，进行修改router_id、 priority：

scp /etc/keepalived/keepalived.conf root@master2:/etc/keepalived/
scp /etc/keepalived/keepalived.conf root@master3:/etc/keepalived/

#Haproxy+keealived Master2端keepalived.conf配置文件如下：

! Configuration File for keepalived
global_defs {
notification_email {
lqcbj@163.com
}
notification_email_from lqcbj@163.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id MASTER2
}
vrrp_script chk_haproxy {
script "/data/sh/check_haproxy.sh"
interval 2
weight 2
}
# VIP1
vrrp_instance VI_1 {
state BACKUP
interface ens192
virtual_router_id 133
priority 90
advert_int 5
authentication {
auth_type PASS
auth_pass 2222
}
virtual_ipaddress {
172.20.26.201
}
track_script {
chk_haproxy
}
}

Haproxy+keealived Master3端keepalived.conf配置文件如下：

! Configuration File for keepalived
global_defs {
notification_email {
lqcbj@163.com
}
notification_email_from lqcbj@163.com
smtp_server 127.0.0.1
smtp_connect_timeout 30
router_id MASTER3
}
vrrp_script chk_haproxy {
script "/data/sh/check_haproxy.sh"
interval 2
weight 2
}
# VIP1
vrrp_instance VI_1 {
state BACKUP
interface ens192
virtual_router_id 133
priority 80
advert_int 5
authentication {
auth_type PASS
auth_pass 2222
}
virtual_ipaddress {
172.20.26.201
}
track_script {
chk_haproxy
}
}

启动keepalived 服务

systemctl enable keepalived.service && systemctl start keepalived.service && systemctl status keepalived.service

ps -ef | grep keepalived 查看keepalived服务状态

haproxy先启动，keepalived 后启动

如有问题问题，进行排查：

journalctl -xeu kubelet | less 查看kubelet日志
systemctl restart kubelet.service;systemctl status kubelet.service

问题：Keepalived 的状态出现Netlink: filter function error
解决：重启网络服务、keepalived服务，重新查看keepalived状态，正常
systemctl restart keepalived.service

可以安装nginx ，进行验证

关闭所有交换分区，重启docker、kubelet、docker容器：

swapoff -a;service docker restart;service kubelet restart;docker ps -aq|xargs docker restart

七、初始化Master集群

1、K8S集群引入Haproxy高可用集群，此时整个集群需要重新初始化，创建初始化kubeadmin-init.yaml配置文件。

#打印默认初始化配置信息至yaml文件中；

kubeadm config print init-defaults >kubeadmin-init.yaml

#将如下代码覆盖kubeadm-init.yaml文件，注意advertiseAddress、controlPlaneEndpoint的信息：

apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 172.20.26.34
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
name: master1
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "172.20.26.201:8443"
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.20.4
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.10.0.0/16
scheduler: {}

再次检查关闭防火墙、交换分区
systemctl stop firewalld
systemctl disable firewalld
swapoff -a

#然后执行如下命令初始化集群即可，在172.20.26.34master1上，操作指令如下：

kubeadm init --control-plane-endpoint=172.20.26.201:8443 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.20.4 --service-cidr=10.10.0.0/16 --pod-network-cidr=10.244.0.0/16 --upload-certs

#显示以下类似信息，表示成功：

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

kubeadm join 172.20.26.201:8443 --token 46prfc.ze6u2rqm3jazm955 \
--discovery-token-ca-cert-hash sha256:e59d020c3b99e8917c73d3291acc940562c163470f4884d61603b1371b48f131 \
--control-plane --certificate-key 5c40e73e6b3d2e0a62a9a8dd820b04f6e5bc5682c5b0ecbd50d2395ded4acb8a

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.20.26.201:8443 --token 46prfc.ze6u2rqm3jazm955 \
--discovery-token-ca-cert-hash sha256:e59d020c3b99e8917c73d3291acc940562c163470f4884d61603b1371b48f131

#如果执行初始化时出现这个报错：[ERROR FileContent--proc-sys-net-ipv4-ip_forward]: /proc/sys/net/ipv4/ip_forward contents are not set to 1
解决：sysctl -w net.ipv4.ip_forward=1

#删除旧数据，重新初始化；

kubeadm reset
rm -rf .kube/

#k8s集群默认不让在master节点创建pod，也就是说Master Node不参与工作负载，去除Master节点污点，使其可以分配Pod资源；

kubectl taint nodes --all node-role.kubernetes.io/master-

#如果想让 Pod 也能调度到在 Master（本样例即 localhost.localdomain）上，可以执行如下命令使其作为一个工作节点：

kubectl taint node localhost.localdomain node-role.kubernetes.io/master-

#将 Master 恢复成 Master Only 状态：
如果想禁止 Master 部署 pod，则可执行如下命令：（报错可忽略）

kubectl taint node --all node-role.kubernetes.io/master="":NoSchedule

2、增加Master新节点（control-plane node）

1）如果是在需要添加为新master的服务器上执行如下指令，例如在172.20.26.36、172.20.26.38上执行；

2）根据提示，在172.20.26.36、172.20.26.38上执行如下指令即可；

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

3）自此K8S Master高可用集群构建成功，查看节点，可以看到两个master节点，同时通过VIP 172.20.26.201可以访问UI界面即可。

4）如果后期再增加master的话，需要在master1上生成新的token，打印加入K8S集群指令，操作命令如下：

kubeadm token create --print-join-command

根据生成的token信息，替换即可：
kubeadm join 172.20.26.201:8443 --token 0a3y38.qn1bvrehmkf9v4xd --discovery-token-ca-cert-hash sha256:e59d020c3b99e8917c73d3291acc940562c163470f4884d61603b1371b48f131

5）在master上生成用于新master2加入的证书，操作命令如下：

kubeadm init phase upload-certs --upload-certs
显示：
Using certificate key:
1d8ba4d09d93ee2760df4458e7d340679150d2feef6331c1eb3009f05cdf485d

6）如果是添加新的工作Node节点（worker nodes），需要执行如下指令；

kubeadm join 172.20.26.201:8443 --token 46prfc.ze6u2rqm3jazm955 \
--discovery-token-ca-cert-hash sha256:e59d020c3b99e8917c73d3291acc940562c163470f4884d61603b1371b48f131

#错误提示：
error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "0a3y38"

token 过期, 在master1上重新生成token：

kubeadm token generate

新token：vkkkxh.j9n3iyamoq9qvm1q

在node1上重新执行
kubeadm join 172.20.26.201:8443 --token vkkkxh.j9n3iyamoq9qvm1q \ --discovery-token-ca-cert-hash sha256:e59d020c3b99e8917c73d3291acc940562c163470f4884d61603b1371b48f131

#假设我们需要删除已加入集群的node1 这个节点，首先在 master 节点上依次执行以下两个命令：

kubectl drain node1 --delete-local-data --force --ignore-daemonsets
kubectl delete node node1

八、 K8S节点网络配置

Kubernetes整个集群所有服务器（Master、Minions）配置Flanneld，操作方法和指令如下：

参考：https://github.com/containernetworking/cni
必须安装pod网络插件，以便pod之间可以相互通信，必须在任何应用程序之前部署网络，CoreDNS不会在安装网络插件之前启动。

1）安装Flanneld网络插件；

Fanneld定义POD的网段为: 10.244.0.0/16，POD容器的IP地址会自动分配10.244开头的网段IP。安装Flanneld网络插件指令如下：

#下载Fanneld插件YML文件；（也可以提前下载好上传kube-flannel.yml）

yum install wget -y
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

#提前下载Flanneld组建所需镜像；

for i in $(cat kube-flannel.yml |grep image|awk -F: '{print $2":"$3}'|uniq );do docker pull $i ;done

错误提示：
Error response from daemon: Get https://quay.io/v2/: read tcp 172.20.26.86:51430->50.16.140.223:443: read: connection reset by peer

#应用YML文件；

kubectl apply -f kube-flannel.yml

#查看Flanneld网络组建是否部署成功；

kubectl -n kube-system get pods|grep -aiE flannel

Kube-flannel.yaml配置文件代码如：（如果无法下载，可以直接vim Kube-flannel.yaml创建一个文件，将下面内容粘贴保存即可）

---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unused in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni
image: quay.io/coreos/flannel:v0.13.1-rc2
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: quay.io/coreos/flannel:v0.13.1-rc2
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg

如果安装flannel网络插件，必须通过kubeadm init配置–pod-network-cidr=10.10.0.0/16参数。

验证网络插件

安装了pod网络后，确认coredns以及其他pod全部运行正常，查看master节点状态为Ready

kubectl get nodes
kubectl -n kube-system get pods

#如果提示以下信息：
The connection to the server localhost:8080 was refused - did you specify the right host or port?

需要添加环境变量：
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> /etc/profile
source /etc/profile

至此，Kubernetes 的 Master 节点就部署完成了。如果只需要一个单节点的 Kubernetes，现在你就可以使用了。

九、 K8S开启IPVS模块（Master1、2、3上执行）

修改kube-proxy的configmap，在config.conf中找到mode参数，改为mode: "ipvs"然后保存：

kubectl -n kube-system get cm kube-proxy -o yaml | sed 's/mode: ""/mode: "ipvs"/g' | kubectl replace -f -

#或者手动修改

kubectl -n kube-system edit cm kube-proxy
kubectl -n kube-system get cm kube-proxy -o yaml | grep mode
mode: "ipvs"

#重启kube-proxy pod

kubectl -n kube-system delete pods -l k8s-app=kube-proxy

#确认ipvs模式开启成功

kubectl -n kube-system logs -f -l k8s-app=kube-proxy | grep ipvs

日志中打印出Using ipvs Proxier，说明ipvs模式已经开启。

十、 K8s Dashboard UI实战

Kubernetes实现的最重要的工作是对Docker容器集群统一的管理和调度，通常使用命令行来操作Kubernetes集群及各个节点，命令行操作非常不方便，如果使用UI界面来可视化操作，会更加方便的管理和维护。如下为配置kubernetes dashboard完整过程：

1、下载Dashboard配置文件；（也可以上传k8s_dashboard.yaml文件）

wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc5/aio/deploy/recommended.yaml
\cp recommended.yaml recommended.yaml.bak

将recommended.yaml改名为 k8s_dashboard.yaml

2、修改文件k8s_dashboard.yaml的39行内容，#因为默认情况下，service的类型是cluster IP，需更改为NodePort的方式，便于访问，也可映射到指定的端口。

spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 31001
selector:
k8s-app: kubernetes-dashboard

3、修改文件k8s_dashboard.yaml的195行内容，#因为默认情况下Dashboard为英文显示，可以设置为中文。

env:
- name: ACCEPT_LANGUAGE
value: zh

4、创建Dashboard服务，指令操作如下：

kubectl apply -f k8s_dashboard.yaml

5、查看Dashboard运行状态；

kubectl get pod -n kubernetes-dashboard
kubectl get svc -n kubernetes-dashboard

6、将Master节点也设置Node节点，可以运行Pod容器任务，命令如下；

kubectl taint nodes --all node-role.kubernetes.io/master-

7、基于Token的方式访问，设置和绑定Dashboard权限，命令如下；

#创建Dashboard的管理用户；

kubectl create serviceaccount dashboard-admin -n kube-system

#将创建的dashboard用户绑定为管理用户；

kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

#获取刚刚创建的用户对应的Token名称；

kubectl get secrets -n kube-system | grep dashboard

#查看Token的详细信息;

kubectl describe secrets -n kube-system $(kubectl get secrets -n kube-system | grep dashboard |awk '{print $1}')

8、通过浏览器访问Dashboard WEB，https://172.20.26.201:31001/，如图所示，输入Token登录即可。

#kubernetes-dashboard修改默认token认证过期时间

modify token-ttl#

默认900s/15分钟后认证token回话失效，需要重新登录认证，修改12h,方便使用
在线修改：
在命名空间里选择kubernetes-dashboard ，点击deployment中kubernetes-dashboard 后面的三个点，选择编辑，大概在YAML 下187行左右添加token-ttl=43200（43200为12小时）

- '--token-ttl=43200'

例如：
containers:
- name: kubernetes-dashboard
image: 'kubernetesui/dashboard:v2.0.0-rc5'
args:
- '--auto-generate-certificates'
- '--namespace=kubernetes-dashboard'
- '--token-ttl=43200'

命令行修改：

kubectl edit deployment kubernetes-dashboard -n kubernetes-dashboard

containers:
- args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
修改新增 --token-ttl=43200

containers:
- args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
- --token-ttl=43200

K8S/Kubernetes

K8S/Kubernetes社区为您提供最前沿的新闻资讯和知识内容

更多推荐

【深度】阿里巴巴万级规模 K8s 集群全局高可用体系之美

作者 | 韩堂、柘远、沉醉来源 | 阿里巴巴云原生公众号前言台湾作家林清玄在接受记者采访的时候，如此评价自己 30 多年写作生涯：“第一个十年我才华横溢，‘贼光闪现’，令周边黯然失色；第二个十年，我终于‘宝光现形’，不再去抢风头，反而与身边的美丽相得益彰；进入第三个十年，繁华落尽见真醇，我进入了‘醇光初现’的阶段，真正体味到了境界之美”。长夜有穷，真水无香。领略过了 K8s“身在江

K8S/Kubernetes

如何基于 K8s 构建下一代 DevOps 平台？

作者 | 孙健波（天元）导读：当前云原生 DevOps 体系现状如何？面临哪些挑战？如何通过 OAM 解决云原生 DevOps 场景下的诸多问题？云原生开发应用模型 OAM(Open Application Model) 社区核心成员孙健波将为大家一一解答，并分享如何基于 OAM 和 Kubernetes 打造无限能力的下一代 DevOps 平台。什么是 DevOps？为什么基于 Kub