要說國內(nèi)安裝K8S最大的問題俘闯，可能就是gcr的鏡像問題盒音，因為眾所周知的一些原因侥袜，我們在安裝K8S的時候舱权，需要提前準備相應的gcr鏡像, 否則安裝過程無法進行下去. 好在包括aliyun在內(nèi)的很多網(wǎng)站提供了gcr的鏡像募胃，我們可以從這些網(wǎng)站pull鏡像到本地后旗唁，再tag一下

1. 首先安裝CRI

這里使用Docker作為runtime, 安裝過程不再詳述，ubuntu和centos可參考官方文檔

或者使用腳本方式快速安裝 :

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

2. 準備gcr鏡像

這里我們使用aliyun的鏡像痹束，并使用load.sh腳本來讀取images.list來pull并tag:

images.list:

kube-scheduler:v1.12.1 k8s.gcr.io/kube-scheduler:v1.12.1
kube-apiserver:v1.12.1 k8s.gcr.io/kube-apiserver:v1.12.1
etcd:3.2.24 k8s.gcr.io/etcd:3.2.24
kube-controller-manager:v1.12.1 k8s.gcr.io/kube-controller-manager:v1.12.1
coredns:1.2.2 k8s.gcr.io/coredns:1.2.2
kube-proxy:v1.12.1 k8s.gcr.io/kube-proxy:v1.12.1
pause:3.1 k8s.gcr.io/pause:3.1
kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
tiller:v2.11.0 gcr.io/kubernetes-helm/tiller:v2.11.0

load.sh:

#/bin/bash

while read line
do
  echo $line
  arr=($line)
  src_image=registry.cn-hangzhou.aliyuncs.com/google_containers/${arr[0]}
  target_image=${arr[1]}
  docker pull $src_image
  docker tag $src_image $target_image
  docker rmi $src_image
done < "images.list"

在master節(jié)點和worker節(jié)點執(zhí)行l(wèi)oad.sh以后, docker images 應該包含如下類似內(nèi)容

k8s.gcr.io/kube-proxy                           v1.12.1                61afff57f010        5 weeks ago         96.6MB
k8s.gcr.io/kube-scheduler                    v1.12.1                d773ad20fd80        5 weeks ago         58.3MB
k8s.gcr.io/kube-controller-manager      v1.12.1                aa2dd57c7329        5 weeks ago         164MB
k8s.gcr.io/kube-apiserver                     v1.12.1                dcb029b5e3ad        5 weeks ago         194MB
gcr.io/kubernetes-helm/tiller                 v2.11.0                ac5f7ee9ae7e        6 weeks ago         71.8MB
k8s.gcr.io/etcd                                      3.2.24                 3cab8e1b9802        7 weeks ago         220MB
k8s.gcr.io/coredns                                1.2.2                   367cdc8433a4        2 months ago        39.2MB
k8s.gcr.io/kubernetes-dashboard-amd64   v1.12.1         0dab2435c100        2 months ago        122MB
k8s.gcr.io/pause                                    3.1                     da86e6ba6ca1        10 months ago       742k

apiserver, scheduler等可以不用在worker節(jié)點pull, 另外如果對應其它K8S版本kubeadm, 那么可以使用對應版本的kubeadm

kubeadm config images list

來查看具體需要的鏡像版本（這個命令需要連googleapi服務器检疫，連不上可以多試幾次)

至此，gcr的鏡像我們已經(jīng)準備完畢祷嘶，其它鏡像因為不是gcr的屎媳，無需翻.... 所以可以在安裝過程中下載, 當然你也可以提前準備好.

3. 安裝工具

到這一步，我們需要在master和worker節(jié)點上安裝kubeadm, kubelet, kubectl 3個工具, 這里我們同樣使用aliyun的鏡像作為apt的source

curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
apt update
apt install -V kubeadm=1.12.1-00 kubectl=1.12.1-00 kubelet=1.12.1-00  
apt-mark hold kubelet kubeadm kubectl

注意后面的apt-mark是必要的论巍，否則在apt更新的時候烛谊，以上3個工具會更新, 導致版本不一致, 成功后執(zhí)行kubeadm version確認版本

安裝 kubernetes-cni:

apt-cache  madison kubernetes-cni
kubernetes-cni |   0.7.5-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni |   0.6.0-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni |   0.5.1-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni | 0.3.0.1-07a8a2-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages

apt-get install kubernetes-cni=0.6.0-00

4. Master初始化

在master節(jié)點, 執(zhí)行如下命令

kubeadm init --pod-network-cidr=10.244.0.0/16

因為下文我們使用的CNI是flannel網(wǎng)絡，所以參數(shù) --pod-network-cidr 使用 10.244.0.0/16, 其它CNI需要使用對應的參數(shù)嘉汰，成功執(zhí)行后丹禀，記錄下最后一行的提示, 類似形式:

kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>

這行命令是worker加入節(jié)點時使用的，如果忘記了鞋怀，或者之后過期了也沒關(guān)系(token 24小時有效), 可以通過

kubeadm token list

找回token双泪，或者創(chuàng)建一個新的token

kubeadm token create

hashing值可以通過在master執(zhí)行以下命令獲取

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
   openssl dgst -sha256 -hex | sed 's/^.* //'

如果kubeadm init執(zhí)行失敗，或者參數(shù)有誤密似，那么可以通過kubeadm reset重置后(reset后最好重啟下系統(tǒng)), 再重新init, 錯誤原因需要根據(jù)具體提示信息查找.

下面, 我們設置環(huán)境變量, 在用戶目錄下打開 .bashrc文件焙矛， 在最后添加以下3行

export KUBECONFIG=/etc/kubernetes/admin.conf
alias kc=kubectl
source <(kubectl completion bash | sed s/kubectl/kc/g)

保存文件后退出，并執(zhí)行

source .bashrc

這些腳本的目的是設置KUBECONFIG變量指向admin.conf文件残腌，讓kubectl讀取該配置y以訪問apiserver, 同時設置kubectl的別名為kc, 并設置bash completion村斟，即自動拼寫完成. 成功后剪返，你可以通過以下命令來查看pod的運行狀況:

kc get pod --all-namespace -o wide

5. 安裝flannel網(wǎng)絡插件

下面我們apply cni網(wǎng)絡，如前所述邓梅，這里使用flannel網(wǎng)絡, 首先執(zhí)行

sysctl net.bridge.bridge-nf-call-iptables=1

作用是傳遞橋接的IPv4流量到iptables chains, 然后執(zhí)行以下命令應用cni網(wǎng)絡

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml

6. 安裝kubernetes-dashboard

下載kubernetes-dashboard.yaml

# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

7. 配置kubernetes-dashboard權(quán)限

dashboard-admin.yaml：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system

ClusterRoleBinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

8. 獲取kubernetes-dashboard token

kubectl   get secret  -n  kube-system:
kubernetes-dashboard-certs                       Opaque                                0      107m
kubernetes-dashboard-key-holder                  Opaque                                2      107m
kubernetes-dashboard-token-qbjfd                 kubernetes.io/service-account-token   3      107m
kubectl  describe secret  kubernetes-dashboard-token-qbjfd  -n kube-system:
Name:         kubernetes-dashboard-token-qbjfd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 79549b62-9747-11e9-a6f0-000c292ece1b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1xYmpmZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc5NTQ5YjYyLTk3NDctMTFlOS1hNmYwLTAwMGMyOTJlY2UxYiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.0xm0TkFTJgzGmAUiTDRomaAnsA8fvSolGbkeUVMNVdTLBxmSAb0kLsmobgEqVvQkFeYGu4pisZ0hPkdPf7xtYDk4QVqnW2ov553dnuYUorhQRtqf-jA28u_-j9apfpSRkGSl30bjpJlmEXlilccfeKDitBTjMvKqRy51eRpqiseGhLwLxAoDZgRLM7g1mkpuzLGritI90AVEZFXJAwPmZU8G31s8EWR69Yv5yDcxAjKGDhf85q6UdCwS9Xkl10GMSeHrdwpem478FGriLWzsdmYUYwiNfE8E7ijwW3xit7z1NoeTUOtPRDakV7YGHHjHAuFZfo6hK_13-OxO9M5bUw

9. 完成安裝

image.png

參考文檔：https://zhuanlan.zhihu.com/p/49614443?utm_source=wechat_session&utm_medium=social&utm_oi=849326389449621504