Kubeadm 部署高可用 Kubernetes 集羣
目錄[-]
一、kuberadm 簡介
1、Kuberadm 作用
2、Kuberadm 功能
3、功能版本
二、前期準備
1、虛擬機分配說明
2、各個節點端口占用
3、基礎環境設置
三、安裝Keepalived
1、yum安裝Keepalived
2、配置Keepalived
3、啓動Keepalived
4、查看網絡狀態
四、安裝haproxy
1、yum安裝haproxy
2、配置haproxy
3、啓動並檢測haproxy
4、檢測haproxy端口
五、安裝Docker (所有節點)
1、移除之前安裝過的Docker
2、配置docker的yum源
3、安裝Docker
六、安裝kubeadm、kubelet
1、配置可用的國內yum源用於安裝:
2、安裝kubelet
3、安裝kubeadm
4、重啓服務器
七、初始化第一個kubernetes master節點
1、創建kubeadm配置的yaml文件
2、初始化第一個master節點
3、配置kubectl環境變量
4、查看組件狀態
八、安裝網絡插件
1、配置flannel插件的yaml文件
2、創建flanner相關role和pod
九、加入集羣
1、Master加入集羣構成高可用
2、node節點加入集羣
3、如果忘記加入集羣的token和sha256 (如正常則跳過)
4、查看各個節點加入集羣情況
十、從集羣中刪除 Node
十一、配置dashboard
1、創建 dashboard.yaml 並啓動
2、Dashboard 創建 ServiceAccount 並綁定 Admin 角色
3、運行dashboard並登陸
問題
1、Master不會參與負載工作
2、重新加入集羣
環境介紹:
CentOS: 7.6
Docker: 18.06.1-ce
Kubernetes: 1.13.4
Kuberadm: 1.13.4
Kuberlet: 1.13.4
Kuberctl: 1.13.4
部署介紹:
創建高可用首先先有一個 Master 節點,然後再讓其他服務器加入組成三個 Master 節點高可用,然後再講工作節點 Node 加入。下面將描述每個節點要執行的步驟:
Master01: 二、三、四、五、六、七、八、九、十一
Master02、Master03: 二、三、五、六、四、九
node01、node02: 二、五、六、九
集羣架構:
一、kuberadm 簡介
Kuberadm 作用
Kubeadm 是一個工具,它提供了 kubeadm init 以及 kubeadm join 這兩個命令作爲快速創建 kubernetes 集羣的最佳實踐。
kubeadm 通過執行必要的操作來啓動和運行一個最小可用的集羣。它被故意設計爲只關心啓動集羣,而不是之前的節點準備工作。同樣的,諸如安裝各種各樣值得擁有的插件,例如 Kubernetes Dashboard、監控解決方案以及特定雲提供商的插件,這些都不在它負責的範圍。
相反,我們期望由一個基於 kubeadm 從更高層設計的更加合適的工具來做這些事情;並且,理想情況下,使用 kubeadm 作爲所有部署的基礎將會使得創建一個符合期望的集羣變得容易。
Kuberadm 功能
kubeadm init: 啓動一個 Kubernetes 主節點
kubeadm join: 啓動一個 Kubernetes 工作節點並且將其加入到集羣
kubeadm upgrade: 更新一個 Kubernetes 集羣到新版本
kubeadm config: 如果使用 v1.7.x 或者更低版本的 kubeadm 初始化集羣,您需要對集羣做一些配置以便使用 kubeadm upgrade 命令
kubeadm token: 管理 kubeadm join 使用的令牌
kubeadm reset: 還原 kubeadm init 或者 kubeadm join 對主機所做的任何更改
kubeadm version: 打印 kubeadm 版本
kubeadm alpha: 預覽一組可用的新功能以便從社區蒐集反饋
功能版本
| Area | Maturity Level |
|---|---|
| Command line UX | GA |
| Implementation | GA |
| Config file API | beta |
| CoreDNS | GA |
| kubeadm alpha subcommands | alpha |
| High availability | alpha |
| DynamicKubeletConfig | alpha |
| Self-hosting | alpha |
二、前期準備
1、虛擬機分配說明
| 地址 | 主機名 | 內存&CPU | 角色 |
|---|---|---|---|
| 192.168.2.10 | — | — | vip |
| 192.168.2.11 | k8s-master-01 | 2C & 2G | master |
| 192.168.2.12 | k8s-master-02 | 2C & 2G | master |
| 192.168.2.13 | k8s-master-03 | 2C & 2G | master |
| 192.168.2.21 | k8s-node-01 | 2c & 4G | node |
| 192.168.2.22 | k8s-node-02 | 2c & 4G | node |
2、各個節點端口占用
Master 節點
| 規則 | 方向 | 端口範圍 | 作用 | 使用者 |
|---|---|---|---|---|
| TCP | Inbound | 6443* | Kubernetes API | server All |
| TCP | Inbound | 2379-2380 | etcd server | client API kube-apiserver, etcd |
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 10251 | kube-scheduler | Self |
| TCP | Inbound | 10252 | kube-controller-manager | Sel |
node 節點
| 規則 | 方向 | 端口範圍 | 作用 | 使用者 |
|---|---|---|---|---|
| TCP | Inbound | 10250 | Kubelet API | Self, Control plane |
| TCP | Inbound | 30000-32767 | NodePort Services** | All |
3、基礎環境設置
Kubernetes 需要一定的環境來保證正常運行,如各個節點時間同步,主機名稱解析,關閉防火牆等等。
主機名稱解析
分佈式系統環境中的多主機通信通常基於主機名稱進行,這在 IP 地址存在變化的可能 性時爲主機提供了固定的訪問人口,因此一般需要有專用的 DNS 服務負責解決各節點主機 不過,考慮到此處部署的是測試集羣,因此爲了降低系複雜度,這裏將基於 hosts 的文件進行主機名稱解析。
修改hosts
分別進入不同服務器,進入 /etc/hosts 進行編輯
vim /etc/hosts
加入下面內容:
192.168.2.10 master.k8s.io k8s-vip
192.168.2.11 master01.k8s.io k8s-master-01
192.168.2.12 master02.k8s.io k8s-master-02
192.168.2.13 master03.k8s.io k8s-master-03
192.168.2.21 node01.k8s.io k8s-node-01
192.168.2.22 node02.k8s.io k8s-node-02
修改hostname
分別進入不同的服務器修改 hostname 名稱
# 修改 192.168.2.11 服務器
hostnamectl set-hostname k8s-master-01
# 修改 192.168.2.12 服務器
hostnamectl set-hostname k8s-master-02
# 修改 192.168.2.13 服務器
hostnamectl set-hostname k8s-master-03
# 修改 192.168.2.21 服務器
hostnamectl set-hostname k8s-node-01
# 修改 192.168.2.22 服務器
hostnamectl set-hostname k8s-node-02
主機時間同步
將各個服務器的時間同步,並設置開機啓動同步時間服務
systemctl start chronyd.service
systemctl enable chronyd.service
關閉防火牆服務
停止並禁用防火牆
systemctl stop firewalld
systemctl disable firewalld
關閉並禁用SELinux
# 若當前啓用了 SELinux 則需要臨時設置其當前狀態爲 permissive
setenforce 0
# 編輯/etc/sysconfig selinux 文件,以徹底禁用 SELinux
sed -i 's/^SELINUX=enforcing$/SELINUX=disabled/' /etc/selinux/config
# 查看selinux狀態
getenforce
如果爲permissive,則執行reboot重新啓動即可
禁用 Swap 設備
kubeadm 默認會預先檢當前主機是否禁用了 Swap 設備,並在未用時強制止部署 過程因此,在主機內存資驚充裕的條件下,需要禁用所有的 Swap 設備
# 關閉當前已啓用的所有 Swap 設備
swapoff -a && sysctl -w vm.swappiness=0
# 編輯 fstab 配置文件,註釋掉標識爲 Swap 設備的所有行
vi /etc/fstab
設置系統參數
設置允許路由轉發,不對bridge的數據進行處理
創建 /etc/sysctl.d/k8s.conf 文件
vim /etc/sysctl.d/k8s.conf
加入下面內容:
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
掛載br_netfilter
modprobe br_netfilter
生效配置文件
sysctl -p /etc/sysctl.d/k8s.conf
sysctl命令:用於運行時配置內核參數
查看是否生成相關文件
ls /proc/sys/net/bridge
資源配置文件
/etc/security/limits.conf 是 Linux 資源使用配置文件,用來限制用戶對系統資源的使用
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536" >> /etc/security/limits.conf
echo "* hard nproc 65536" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf
安裝依賴包以及相關工具
yum install -y epel-release
yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vim ntpdate libseccomp libtool-ltdl
三、安裝Keepalived
keepalived介紹: 是集羣管理中保證集羣高可用的一個服務軟件,其功能類似於heartbeat,用來防止單點故障
Keepalived作用: 爲haproxy提供vip(192.168.2.10)在三個haproxy實例之間提供主備,降低當其中一個haproxy失效的時對服務的影響。
1、yum安裝Keepalived
# 安裝keepalived
yum install -y keepalived
2、配置Keepalived
cat <<EOF > /etc/keepalived/keepalived.conf
! Configuration File for keepalived
# 主要是配置故障發生時的通知對象以及機器標識。
global_defs {
# 標識本節點的字條串,通常爲 hostname,但不一定非得是 hostname。故障發生時,郵件通知會用到。
router_id LVS_k8s
}
# 用來做健康檢查的,當時檢查失敗時會將 vrrp_instance 的 priority 減少相應的值。
vrrp_script check_haproxy {
script "killall -0 haproxy" #根據進程名稱檢測進程是否存活
interval 3
weight -2
fall 10
rise 2
}
# rp_instance用來定義對外提供服務的 VIP 區域及其相關屬性。
vrrp_instance VI_1 {
state MASTER #當前節點爲MASTER,其他兩個節點設置爲BACKUP
interface ens33 #改爲自己的網卡
virtual_router_id 51
priority 250
advert_int 1
authentication {
auth_type PASS
auth_pass 35f18af7190d51c9f7f78f37300a0cbd
}
virtual_ipaddress {
192.168.2.10 #虛擬ip,即VIP
}
track_script {
check_haproxy
}
}
EOF
當前節點的配置中 state 配置爲 MASTER,其它兩個節點設置爲 BACKUP
配置說明:
virtual_ipaddress: vip
track_script: 執行上面定義好的檢測的script
interface: 節點固有IP(非VIP)的網卡,用來發VRRP包。
virtual_router_id: 取值在0-255之間,用來區分多個instance的VRRP組播
advert_int: 發VRRP包的時間間隔,即多久進行一次master選舉(可以認爲是健康查檢時間間隔)。
authentication: 認證區域,認證類型有PASS和HA(IPSEC),推薦使用PASS(密碼只識別前8位)。
state: 可以是MASTER或BACKUP,不過當其他節點keepalived啓動時會將priority比較大的節點選舉爲MASTER,因此該項其實沒有實質用途。
priority: 用來選舉master的,要成爲master,那麼這個選項的值最好高於其他機器50個點,該項取值範圍是1-255(在此範圍之外會被識別成默認值100)。
3、啓動Keepalived
# 設置開機啓動
systemctl enable keepalived
# 啓動keepalived
systemctl start keepalived
# 查看啓動狀態
systemctl status keepalived
4、查看網絡狀態
kepplived 配置中 state 爲 MASTER 的節點啓動後,查看網絡狀態,可以看到虛擬IP已經加入到綁定的網卡中
ip address show ens33
當關掉當前節點的keeplived服務後將進行虛擬IP轉移,將會推選state 爲 BACKUP 的節點的某一節點爲新的MASTER,可以在那臺節點上查看網卡,將會查看到虛擬IP
四、安裝haproxy
此處的haproxy爲apiserver提供反向代理,haproxy將所有請求輪詢轉發到每個master節點上。相對於僅僅使用keepalived主備模式僅單個master節點承載流量,這種方式更加合理、健壯。
1、yum安裝haproxy
yum install -y haproxy
2、配置haproxy
cat > /etc/haproxy/haproxy.cfg << EOF
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# kubernetes apiserver frontend which proxys to the backends
#---------------------------------------------------------------------
frontend kubernetes-apiserver
mode tcp
bind *:16443
option tcplog
default_backend kubernetes-apiserver
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend kubernetes-apiserver
mode tcp
balance roundrobin
server master01.k8s.io 192.168.2.11:6443 check
server master02.k8s.io 192.168.2.12:6443 check
server master03.k8s.io 192.168.2.13:6443 check
#---------------------------------------------------------------------
# collection haproxy statistics message
#---------------------------------------------------------------------
listen stats
bind *:1080
stats auth admin:awesomePassword
stats refresh 5s
stats realm HAProxy\ Statistics
stats uri /admin?stats
EOF
haproxy配置在其他master節點上(192.168.2.12和192.168.2.13)相同
3、啓動並檢測haproxy
# 設置開機啓動
systemctl enable haproxy
# 開啓haproxy
systemctl start haproxy
# 查看啓動狀態
systemctl status haproxy
4、檢測haproxy端口
ss -lnt | grep -E "16443|1080"
顯示:
五、安裝Docker (所有節點)
1、移除之前安裝過的Docker
sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-ce-cli \
docker-engine
查看還有沒有存在的docker組件
rpm -qa|grep docker
有則通過命令 yum -y remove XXX 來刪除,比如:
yum remove docker-ce-cli
2、配置docker的yum源
下面兩個鏡像源選擇其一即可,由於官方下載速度比較慢,推薦用阿里鏡像源
阿里鏡像源
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Docker官方鏡像源
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
2、安裝Docker:
顯示docker-ce所有可安裝版本:
yum list docker-ce --showduplicates | sort -r
安裝指定docker版本
sudo yum install docker-ce-18.06.1.ce-3.el7 -y
設置鏡像存儲目錄
找到大點的掛載的目錄進行存儲
# 修改docker配置
vi /lib/systemd/system/docker.service
找到這行,王后面加上存儲目錄,例如這裏是 --graph /apps/docker
ExecStart=/usr/bin/docker --graph /apps/docker
啓動docker並設置docker開機啓動
systemctl enable docker
systemctl start docker
確認一下iptables
確認一下iptables filter表中FOWARD鏈的默認策略(pllicy)爲ACCEPT。
iptables -nvL
顯示:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Docker從1.13版本開始調整了默認的防火牆規則,禁用了iptables filter表中FOWARD鏈,這樣會引起Kubernetes集羣中跨Node的Pod無法通信。但這裏通過安裝docker 1806,發現默認策略又改回了ACCEPT,這個不知道是從哪個版本改回的,因爲我們線上版本使用的1706還是需要手動調整這個策略的。
六、安裝kubeadm、kubelet
1、配置可用的國內yum源用於安裝:
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
2、安裝kubelet
需要在每臺機器上都安裝以下的軟件包:
kubeadm: 用來初始化集羣的指令。
kubelet: 在集羣中的每個節點上用來啓動 pod 和 container 等。
kubectl: 用來與集羣通信的命令行工具。
查看kubelet版本列表
yum list kubelet --showduplicates | sort -r
安裝kubelet
yum install -y kubelet-1.13.4-0
啓動kubelet並設置開機啓動
systemctl enable kubelet
systemctl start kubelet
檢查狀態
檢查狀態,發現是failed狀態,正常,kubelet會10秒重啓一次,等初始化master節點後即可正常
systemctl status kubelet
3、安裝kubeadm
負責初始化集羣
查看kubeadm版本列表
yum list kubeadm --showduplicates | sort -r
安裝kubeadm
yum install -y kubeadm-1.13.4-0
安裝 kubeadm 時候會默認安裝 kubectl ,所以不需要單獨安裝kubectl
4、重啓服務器
爲了防止發生某些未知錯誤,這裏我們重啓下服務器,方便進行後續操作
reboot
七、初始化第一個kubernetes master節點
因爲需要綁定虛擬IP,所以需要首先先查看虛擬IP啓動這幾臺master機子哪臺上
ip address show ens33
顯示:
ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:7e:65:b3 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.11/24 brd 192.168.2.255 scope global noprefixroute ens33
valid_lft forever preferred_lft forever
inet 192.168.2.10/32 scope global ens33
valid_lft forever preferred_lft forever
可以看到 10虛擬ip 和 11的ip 在一臺機子上,所以初始化kubernetes第一個master要在master01機子上進行安裝
1、創建kubeadm配置的yaml文件
cat > kubeadm-config.yaml << EOF
apiServer:
certSANs:
- k8s-master-01
- k8s-master-02
- k8s-master-03
- master.k8s.io
- 192.168.2.10
- 192.168.2.11
- 192.168.2.12
- 192.168.2.13
- 127.0.0.1
extraArgs:
authorization-mode: Node,RBAC
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta1
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: "master.k8s.io:16443"
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.13.4
networking:
dnsDomain: cluster.local
podSubnet: 10.20.0.0/16
serviceSubnet: 10.10.0.0/16
scheduler: {}
EOF
以下兩個地方設置:- certSANs: 虛擬ip地址(爲了安全起見,把所有集羣地址都加上) - controlPlaneEndpoint: 虛擬IP:監控端口號
配置說明:
imageRepository: registry.aliyuncs.com/google_containers (使用阿里雲鏡像倉庫)
podSubnet: 10.20.0.0/16 (pod地址池)
serviceSubnet: 10.10.0.0/16
#service地址池
2、初始化第一個master節點
kubeadm init --config kubeadm-config.yaml
日誌:
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009
在此處看日誌可以知道,通過
kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009
來讓節點加入集羣
3、配置kubectl環境變量
配置環境變量
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
4、查看組件狀態
kubectl get cs
顯示:
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health": "true"}
查看pod狀態
kubectl get pods --namespace=kube-system
顯示:
可以看到coredns沒有啓動,這是由於還沒有配置網絡插件,接下來配置下後再重新查看啓動狀態
八、安裝網絡插件
1、配置flannel插件的yaml文件
cat > kube-flannel.yaml << EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.20.0.0/16",
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: kube-flannel-ds-amd64
namespace: kube-system
labels:
tier: node
app: flannel
spec:
template:
metadata:
labels:
tier: node
app: flannel
spec:
hostNetwork: true
nodeSelector:
beta.kubernetes.io/arch: amd64
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni
image: registry.cn-shenzhen.aliyuncs.com/cp_m/flannel:v0.10.0-amd64
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: registry.cn-shenzhen.aliyuncs.com/cp_m/flannel:v0.10.0-amd64
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
limits:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: true
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: run
mountPath: /run
- name: flannel-cfg
mountPath: /etc/kube-flannel/
volumes:
- name: run
hostPath:
path: /run
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
EOF
“Network”: “10.20.0.0/16”要和kubeadm-config.yaml配置文件中podSubnet: 10.20.0.0/16相同
2、創建flanner相關role和pod
kubectl apply -f kube-flannel.yaml
等待一會時間,再次查看各個pods的狀態
kubectl get pods --namespace=kube-system
顯示:
可以看到coredns已經啓動
九、加入集羣
1、Master加入集羣構成高可用
複製祕鑰到各個節點
在master01 服務器上執行下面命令,將kubernetes相關文件複製到 master02、master03
如果其他節點爲初始化第一個master節點,則將該節點的配置文件複製到其餘兩個主節點,例如master03爲第一個master節點,則將它的k8s配置複製到master02和master01。
複製文件到 master02
ssh [email protected] mkdir -p /etc/kubernetes/pki/etcd
scp /etc/kubernetes/admin.conf [email protected]:/etc/kubernetes
scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} [email protected]:/etc/kubernetes/pki
scp /etc/kubernetes/pki/etcd/ca.* [email protected]:/etc/kubernetes/pki/etcd
複製文件到 master03
ssh [email protected] mkdir -p /etc/kubernetes/pki/etcd
scp /etc/kubernetes/admin.conf [email protected]:/etc/kubernetes
scp /etc/kubernetes/pki/{ca.*,sa.*,front-proxy-ca.*} [email protected]:/etc/kubernetes/pki
scp /etc/kubernetes/pki/etcd/ca.* [email protected]:/etc/kubernetes/pki/etcd
master節點加入集羣
master02 和 master03 服務器上都執行加入集羣操作
kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009 --experimental-control-plane
如果加入失敗想重新嘗試,請輸入 kubeadm reset 命令清除之前的設置,重新執行從“複製祕鑰”和“加入集羣”這兩步
顯示安裝過程:
......
This node has joined the cluster and a new control plane instance was created:
* Certificate signing request was sent to apiserver and approval was received.
* The Kubelet was informed of the new secure connection details.
* Master label and taint were applied to the new node.
* The Kubernetes control plane instances scaled up.
* A new etcd member was added to the local/stacked etcd cluster.
To start administering your cluster from this node, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Run 'kubectl get nodes' to see this node join the cluster.
配置kubectl環境變量
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
2、node節點加入集羣
除了讓master節點加入集羣組成高可用外,slave節點也要加入集羣中。
這裏將k8s-node-01、k8s-node-02加入集羣,進行工作
輸入初始化k8s master時候提示的加入命令,如下:
kubeadm join master.k8s.io:16443 --token dm3cw1.kw4hq84ie1376hji --discovery-token-ca-cert-hash sha256:f079b624773145ba714b56e177f52143f90f75a1dcebabda6538a49e224d4009
3、如果忘記加入集羣的token和sha256 (如正常則跳過)
顯示獲取token列表
kubeadm token list
默認情況下 Token 過期是時間是24小時,如果 Token 過期以後,可以輸入以下命令,生成新的 Token
kubeadm token create
獲取ca證書sha256編碼hash值
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
拼接命令
kubeadm join master.k8s.io:16443 --token 882ik4.9ib2kb0eftvuhb58 --discovery-token-ca-cert-hash sha256:0b1a836894d930c8558b350feeac8210c85c9d35b6d91fde202b870f3244016a
如果是master加入,請在最後面加上 –experimental-control-plane 這個參數
4、查看各個節點加入集羣情況
kubectl get nodes -o wide
顯示:
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8s-master-01 Ready master 12m v1.13.4 192.168.2.11 <none> CentOS Linux 7 (Core) 3.10.0-957.1.3.el7.x86_64 docker://18.6.1
k8s-master-02 Ready master 10m v1.13.4 192.168.2.12 <none> CentOS Linux 7 (Core) 3.10.0-957.1.3.el7.x86_64 docker://18.6.1
k8s-master-03 Ready master 38m v1.13.4 192.168.2.13 <none> CentOS Linux 7 (Core) 3.10.0-957.1.3.el7.x86_64 docker://18.6.1
k8s-node-01 Ready <none> 68s v1.13.4 192.168.2.21 <none> CentOS Linux 7 (Core) 3.10.0-957.1.3.el7.x86_64 docker://18.6.1
k8s-node-02 Ready <none> 61s v1.13.4 192.168.2.22 <none> CentOS Linux 7 (Core) 3.10.0-957.1.3.el7.x86_64 docker://18.6.1
十、從集羣中刪除 Node
Master節點:
kubectl drain <node name> --delete-local-data --force --ignore-daemonsets
kubectl delete node <node name>
slave節點
kubeadm reset
十一、配置dashboard
這個在一個服務器上部署,其他服務器會複製這個部署的pod,所以這裏在master01服務器上部署 dashboard
1、創建 dashboard.yaml 並啓動
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
# 1.修改了鏡像倉庫位置,編輯成自己的鏡像倉庫
# 2.變更了鏡像拉去策略imagePullPolicy: IfNotPresent
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
# 增加了nodePort,使得能夠訪問,改變默認的type類型ClusterIP,變爲NodePort
# 如果不配置的話默認只能集羣內訪問
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30001
selector:
k8s-app: kubernetes-dashboard
運行 dashboard
kubectl create -f kubernetes-dashboard.yaml
2、Dashboard 創建 ServiceAccount 並綁定 Admin 角色
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: admin
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: admin
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
運行dashboard的用戶和角色綁定
kubectl create -f dashboard-user-role.yaml
獲取登陸token
kubectl describe secret/$(kubectl get secret -n kube-system |grep admin|awk '{print $1}') -n kube-system
顯示:
[root@k8s-master-01 local]# kubectl describe secret/$(kubectl get secret -nkube-system |grep admin|awk '{print $1}') -nkube-system
Name: admin-token-2mfdz
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin
kubernetes.io/service-account.uid: 74efd994-38d8-11e9-8740-000c299624e4
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token:
eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbi1qdjd4ayIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImM4ZTMxYzk0LTQ2MWEtMTFlOS1iY2M5LTAwMGMyOTEzYzUxZCIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.TNw1iFEsZmJsVG4cki8iLtEoiY1pjpnOYm8ZIFjctpBdTOw6kUMvv2b2B2BJ_5rFle31gqGAZBIRyYj9LPAs06qT5uVP_l9o7IyFX4HToBF3veiun4e71822eQRUsgqiPh5uSjKXEkf9yGq9ujiCdtzFxnp3Pnpeuge73syuwd7J6F0-dJAp3b48MLZ1JJwEo6CTCMhm9buysycUYTbT_mUDQMNrHVH0868CdN_H8azA4PdLLLrFfTiVgoGu4c3sG5rgh9kKFqZA6dzV0Kq10W5JJwJRM1808ybLHyV9jfKN8N2_lZ7ehE6PbPU0cV-PyP74iA-HrzFW1yVwSLPVYA
3、運行dashboard並登陸
輸入地址:https://192.168.2.10:30001 進入 dashboard 界面
這裏輸入上面獲取的 token 進入 dashboard
問題
1、Master不會參與負載工作
Master不會參與負載工作,如何讓其參加,這裏需要了解traint
查看traint
# 查看全部節點是否能被安排工作
kubectl describe nodes | grep -E '(Roles|Taints)'
刪除traint
# 所有node都可以調度
kubectl taint nodes --all node-role.kubernetes.io/master-
# 指定node可以調度
kubectl taint nodes k8s-master-01 node-role.kubernetes.io/master-
2、重新加入集羣
有時候節點出現問題需要重新加入集羣,加入前需要清除一些設置,不然可能出現某些錯誤,比如
network is not ready: [runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized]
Back-off restarting failed container
按下面步驟執行,再執行加入集羣命令即可
#重置kubernetes服務,重置網絡。刪除網絡配置,link
kubeadm reset
#重啓kubelet
systemctl stop kubelet
#停止docker
systemctl stop docker
#重置cni
rm -rf /var/lib/cni/
rm -rf /var/lib/kubelet/*
rm -rf /etc/cni/
ifconfig cni0 down
ifconfig flannel.1 down
ifconfig docker0 down
ip link delete cni0
ip link delete flannel.1
#重啓docker
systemctl start docker
再次加入集羣
kubeadm join cluster.kube.com:16443 --token gaeyou.k2650x660c8eb98c --discovery-token-ca-cert-hash sha256:daf4c2e0264422baa7076a2587f9224a5bd9c5667307927b0238743799dfb362