Kubernetes single-node installation: using the official kubeadm tool

The biggest problem with installing K8S in China is probably the gcr image issue. For well-known reasons, we have to prepare the gcr images in advance when installing K8S, otherwise the installation cannot proceed. Fortunately many sites, aliyun included, provide mirrors of gcr, so we can pull the images from those sites to the local host and then re-tag them.

1. Install the CRI first

Docker is used as the runtime here. The installation steps are not repeated; for ubuntu and centos refer to the official documentation,
or install quickly with the convenience script:
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

2. Prepare the gcr images

Here we use aliyun's mirror, and use the load.sh script to read images.list, pulling and re-tagging each entry:
images.list:
kube-scheduler:v1.12.1 k8s.gcr.io/kube-scheduler:v1.12.1
kube-apiserver:v1.12.1 k8s.gcr.io/kube-apiserver:v1.12.1
etcd:3.2.24 k8s.gcr.io/etcd:3.2.24
kube-controller-manager:v1.12.1 k8s.gcr.io/kube-controller-manager:v1.12.1
coredns:1.2.2 k8s.gcr.io/coredns:1.2.2
kube-proxy:v1.12.1 k8s.gcr.io/kube-proxy:v1.12.1
pause:3.1 k8s.gcr.io/pause:3.1
kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
tiller:v2.11.0 gcr.io/kubernetes-helm/tiller:v2.11.0
load.sh:
#!/bin/bash
# Each line of images.list: <name:tag under the aliyun mirror> <target gcr image:tag>
# Pull from the mirror, re-tag as the gcr name kubeadm expects, then drop the mirror tag.
while read -r line
do
  echo "$line"
  arr=($line)
  src_image=registry.cn-hangzhou.aliyuncs.com/google_containers/${arr[0]}
  target_image=${arr[1]}
  docker pull "$src_image"
  docker tag "$src_image" "$target_image"
  docker rmi "$src_image"
done < "images.list"
After running load.sh on the master and worker nodes, docker images should list something like the following
k8s.gcr.io/kube-proxy                           v1.12.1                61afff57f010        5 weeks ago         96.6MB
k8s.gcr.io/kube-scheduler                    v1.12.1                d773ad20fd80        5 weeks ago         58.3MB
k8s.gcr.io/kube-controller-manager      v1.12.1                aa2dd57c7329        5 weeks ago         164MB
k8s.gcr.io/kube-apiserver                     v1.12.1                dcb029b5e3ad        5 weeks ago         194MB
gcr.io/kubernetes-helm/tiller                 v2.11.0                ac5f7ee9ae7e        6 weeks ago         71.8MB
k8s.gcr.io/etcd                                      3.2.24                 3cab8e1b9802        7 weeks ago         220MB
k8s.gcr.io/coredns                                1.2.2                   367cdc8433a4        2 months ago        39.2MB
k8s.gcr.io/kubernetes-dashboard-amd64   v1.12.1         0dab2435c100        2 months ago        122MB
k8s.gcr.io/pause                                    3.1                     da86e6ba6ca1        10 months ago       742k
The apiserver, scheduler and similar control-plane images do not need to be pulled on worker nodes. If you are installing a different K8S version, run the matching version of kubeadm with
kubeadm config images list
to see exactly which image versions are required (this command needs to reach the googleapi servers; retry a few times if it cannot connect).
At this point the gcr images are ready. The remaining images are not hosted on gcr, so there is no need to go over the wall.... they can be downloaded during installation, or you can of course prepare them in advance as well.

3. Install the tools

At this step we need to install the three tools kubeadm, kubelet and kubectl on the master and worker nodes. Here we again use aliyun's mirror as the apt source
curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
apt update
apt install -V kubeadm=1.12.1-00 kubectl=1.12.1-00 kubelet=1.12.1-00  
apt-mark hold kubelet kubeadm kubectl
注意后面的apt-mark是必要的论巍,否則在apt更新的時候烛谊,以上3個工具會更新, 導致版本不一致, 成功后執(zhí)行kubeadm version確認版本
安裝 kubernetes-cni:
apt-cache  madison kubernetes-cni
kubernetes-cni |   0.7.5-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni |   0.6.0-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni |   0.5.1-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni | 0.3.0.1-07a8a2-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
apt-get install kubernetes-cni=0.6.0-00

4. Master initialization

On the master node, run the following command
kubeadm init --pod-network-cidr=10.244.0.0/16
Because the CNI we use below is the flannel network, the --pod-network-cidr parameter is set to 10.244.0.0/16; other CNIs need their own corresponding parameters. After it succeeds, record the last line of the output, which looks like:
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
This command is used when a worker joins the cluster. If you forget it, or it expires later (the token is valid for 24 hours), it does not matter: you can run
kubeadm token list
to retrieve the token, or create a new token with
kubeadm token create
The hash value can be obtained by running the following on the master
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
   openssl dgst -sha256 -hex | sed 's/^.* //'
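As an added example (not from the original post, which uses the openssl pipeline above), this standard-library Python script computes the same --discovery-token-ca-cert-hash value from ca.crt: it extracts the CA certificate's SubjectPublicKeyInfo and hashes it with SHA-256, which is the value a joining worker uses to pin the cluster CA it is handed during bootstrap. The build_sample_cert helper and its dummy fields are constructed for offline testing and are not a real ca.crt.

```python
import base64
import hashlib
import re

# Added example (not from the original post): kubeadm hashes the DER SubjectPublicKeyInfo
# (SPKI) of the CA certificate, which is what "openssl rsa -pubin -outform der" emits above.
def der(tag, content):
    """Encode one DER TLV (only used to build the constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_children(buf):
    """Split a constructed DER value into (tag, raw_tlv, inner_value) triples."""
    out, off = [], 0
    while off < len(buf):
        tag, length, hdr = buf[off], buf[off + 1], 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
            hdr = 2 + n
        out.append((tag, buf[off:off + hdr + length], buf[off + hdr:off + hdr + length]))
        off += hdr + length
    return out

def extract_spki(pem):
    """Return the DER SubjectPublicKeyInfo TLV from a PEM X.509 certificate."""
    raw = base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))
    tbs = der_children(der_children(raw)[0][2])[0][2]   # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def ca_cert_hash(pem):
    """Value for kubeadm join's --discovery-token-ca-cert-hash: sha256:<hex of SPKI DER>."""
    return "sha256:" + hashlib.sha256(extract_spki(pem)).hexdigest()

def build_sample_cert(with_version=True):
    """Constructed, unsigned stand-in for ca.crt (dummy fields); returns (pem, spki)."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + b"\x42" * 300))
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    tbs = der(0x30, version + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki)
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
    return pem, spki
```

Run ca_cert_hash(open("/etc/kubernetes/pki/ca.crt").read()) on the master to reproduce the value kubeadm printed.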
If kubeadm init fails, or the parameters were wrong, you can reset with kubeadm reset (it is best to reboot the system after a reset) and then run init again; the cause of the failure has to be found from the specific error message.
Next we set the environment variables. Open the .bashrc file in the user's home directory and append the following 3 lines at the end
export KUBECONFIG=/etc/kubernetes/admin.conf
alias kc=kubectl
source <(kubectl completion bash | sed s/kubectl/kc/g)
Save the file and exit, then run

source .bashrc

The purpose of these lines is to set the KUBECONFIG variable to point at admin.conf, so that kubectl reads that config to access the apiserver; to set kc as an alias for kubectl; and to set up bash completion, i.e. automatic command completion. Once done, you can check the state of the pods with:
kc get pod --all-namespaces -o wide

5. Install the flannel network plugin

Next we apply the CNI network. As mentioned above, flannel is used here. First run
sysctl net.bridge.bridge-nf-call-iptables=1
which passes bridged IPv4 traffic to the iptables chains. Then run the following command to apply the CNI network
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml

6. Install kubernetes-dashboard

Download kubernetes-dashboard.yaml (its contents follow; note the image tag, which matches the k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1 target name used in images.list above):
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
  verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["kubernetes-dashboard-settings"]
  verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
  resources: ["services"]
  resourceNames: ["heapster"]
  verbs: ["proxy"]
- apiGroups: [""]
  resources: ["services/proxy"]
  resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1beta2
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
      - name: kubernetes-dashboard
        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 8443
          protocol: TCP
        args:
          - --auto-generate-certificates
          # Uncomment the following line to manually specify Kubernetes API server Host
          # If not specified, Dashboard will attempt to auto discover the API server and connect
          # to it. Uncomment only if the default does not work.
          # - --apiserver-host=http://my-address:port
        volumeMounts:
        - name: kubernetes-dashboard-certs
          mountPath: /certs
          # Create on-disk volume to store exec logs
        - mountPath: /tmp
          name: tmp-volume
        livenessProbe:
          httpGet:
            scheme: HTTPS
            path: /
            port: 8443
          initialDelaySeconds: 30
          timeoutSeconds: 30
      volumes:
      - name: kubernetes-dashboard-certs
        secret:
          secretName: kubernetes-dashboard-certs
      - name: tmp-volume
        emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

7. Configure kubernetes-dashboard permissions

dashboard-admin.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubernetes-dashboard
  namespace: kube-system
ClusterRoleBinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard
  namespace: kube-system

8. Get the kubernetes-dashboard token

kubectl get secret -n kube-system:
kubernetes-dashboard-certs                       Opaque                                0      107m
kubernetes-dashboard-key-holder                  Opaque                                2      107m
kubernetes-dashboard-token-qbjfd                 kubernetes.io/service-account-token   3      107m
kubectl describe secret kubernetes-dashboard-token-qbjfd -n kube-system:
Name:         kubernetes-dashboard-token-qbjfd
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 79549b62-9747-11e9-a6f0-000c292ece1b

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      <service account JWT, elided>

9. Installation complete

Reference: https://zhuanlan.zhihu.com/p/49614443?utm_source=wechat_session&utm_medium=social&utm_oi=849326389449621504
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
  • 序言:七十年代末,一起剝皮案震驚了整個濱河市邑滨,隨后出現(xiàn)的幾起案子日缨,更是在濱河造成了極大的恐慌,老刑警劉巖掖看,帶你破解...
    沈念sama閱讀 222,681評論 6 517
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件匣距,死亡現(xiàn)場離奇詭異,居然都是意外死亡哎壳,警方通過查閱死者的電腦和手機毅待,發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 95,205評論 3 399
  • 文/潘曉璐 我一進店門,熙熙樓的掌柜王于貴愁眉苦臉地迎上來归榕,“玉大人尸红,你說我怎么就攤上這事∩残梗” “怎么了外里?”我有些...
    開封第一講書人閱讀 169,421評論 0 362
  • 文/不壞的土叔 我叫張陵,是天一觀的道長特石。 經(jīng)常有香客問我盅蝗,道長,這世上最難降的妖魔是什么姆蘸? 我笑而不...
    開封第一講書人閱讀 60,114評論 1 300
  • 正文 為了忘掉前任墩莫,我火速辦了婚禮,結(jié)果婚禮上逞敷,老公的妹妹穿的比我還像新娘狂秦。我一直安慰自己,他們只是感情好推捐,可當我...
    茶點故事閱讀 69,116評論 6 398
  • 文/花漫 我一把揭開白布故痊。 她就那樣靜靜地躺著,像睡著了一般玖姑。 火紅的嫁衣襯著肌膚如雪愕秫。 梳的紋絲不亂的頭發(fā)上,一...
    開封第一講書人閱讀 52,713評論 1 312
  • 那天,我揣著相機與錄音弦叶,去河邊找鬼燕鸽。 笑死,一個胖子當著我的面吹牛甜孤,可吹牛的內(nèi)容都是我干的协饲。 我是一名探鬼主播,決...
    沈念sama閱讀 41,170評論 3 422
  • 文/蒼蘭香墨 我猛地睜開眼缴川,長吁一口氣:“原來是場噩夢啊……” “哼茉稠!你這毒婦竟也來了?” 一聲冷哼從身側(cè)響起把夸,我...
    開封第一講書人閱讀 40,116評論 0 277
  • 序言:老撾萬榮一對情侶失蹤而线,失蹤者是張志新(化名)和其女友劉穎,沒想到半個月后恋日,有當?shù)厝嗽跇淞掷锇l(fā)現(xiàn)了一具尸體膀篮,經(jīng)...
    沈念sama閱讀 46,651評論 1 320
  • 正文 獨居荒郊野嶺守林人離奇死亡,尸身上長有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點故事閱讀 38,714評論 3 342
  • 正文 我和宋清朗相戀三年岂膳,在試婚紗的時候發(fā)現(xiàn)自己被綠了誓竿。 大學時的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
    茶點故事閱讀 40,865評論 1 353
  • 序言:一個原本活蹦亂跳的男人離奇死亡谈截,死狀恐怖筷屡,靈堂內(nèi)的尸體忽然破棺而出,到底是詐尸還是另有隱情簸喂,我是刑警寧澤速蕊,帶...
    沈念sama閱讀 36,527評論 5 351
  • 正文 年R本政府宣布,位于F島的核電站娘赴,受9級特大地震影響规哲,放射性物質(zhì)發(fā)生泄漏。R本人自食惡果不足惜诽表,卻給世界環(huán)境...
    茶點故事閱讀 42,211評論 3 336
  • 文/蒙蒙 一唉锌、第九天 我趴在偏房一處隱蔽的房頂上張望。 院中可真熱鬧竿奏,春花似錦袄简、人聲如沸。這莊子的主人今日做“春日...
    開封第一講書人閱讀 32,699評論 0 25
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽。三九已至候址,卻和暖如春吕粹,著一層夾襖步出監(jiān)牢的瞬間,已是汗流浹背岗仑。 一陣腳步聲響...
    開封第一講書人閱讀 33,814評論 1 274
  • 我被黑心中介騙來泰國打工匹耕, 沒想到剛下飛機就差點兒被人妖公主榨干…… 1. 我叫王不留,地道東北人荠雕。 一個月前我還...
    沈念sama閱讀 49,299評論 3 379
  • 正文 我出身青樓稳其,卻偏偏與公主長得像驶赏,于是被迫代替她去往敵國和親。 傳聞我的和親對象是個殘疾皇子既鞠,可洞房花燭夜當晚...
    茶點故事閱讀 45,870評論 2 361