要說國內(nèi)安裝K8S最大的問題俘闯,可能就是gcr的鏡像問題盒音,因為眾所周知的一些原因侥袜,我們在安裝K8S的時候舱权,需要提前準備相應的gcr鏡像, 否則安裝過程無法進行下去. 好在包括aliyun在內(nèi)的很多網(wǎng)站提供了gcr的鏡像募胃,我們可以從這些網(wǎng)站pull鏡像到本地后旗唁,再tag一下
1. 首先安裝CRI
這里使用Docker作為runtime, 安裝過程不再詳述,ubuntu和centos可參考官方文檔
或者使用腳本方式快速安裝 :
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
2. 準備gcr鏡像
這里我們使用aliyun的鏡像痹束,并使用load.sh腳本來讀取images.list來pull并tag:
images.list:
kube-scheduler:v1.12.1 k8s.gcr.io/kube-scheduler:v1.12.1
kube-apiserver:v1.12.1 k8s.gcr.io/kube-apiserver:v1.12.1
etcd:3.2.24 k8s.gcr.io/etcd:3.2.24
kube-controller-manager:v1.12.1 k8s.gcr.io/kube-controller-manager:v1.12.1
coredns:1.2.2 k8s.gcr.io/coredns:1.2.2
kube-proxy:v1.12.1 k8s.gcr.io/kube-proxy:v1.12.1
pause:3.1 k8s.gcr.io/pause:3.1
kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
tiller:v2.11.0 gcr.io/kubernetes-helm/tiller:v2.11.0
load.sh:
#/bin/bash
while read line
do
echo $line
arr=($line)
src_image=registry.cn-hangzhou.aliyuncs.com/google_containers/${arr[0]}
target_image=${arr[1]}
docker pull $src_image
docker tag $src_image $target_image
docker rmi $src_image
done < "images.list"
在master節(jié)點和worker節(jié)點執(zhí)行l(wèi)oad.sh以后, docker images 應該包含如下類似內(nèi)容
k8s.gcr.io/kube-proxy v1.12.1 61afff57f010 5 weeks ago 96.6MB
k8s.gcr.io/kube-scheduler v1.12.1 d773ad20fd80 5 weeks ago 58.3MB
k8s.gcr.io/kube-controller-manager v1.12.1 aa2dd57c7329 5 weeks ago 164MB
k8s.gcr.io/kube-apiserver v1.12.1 dcb029b5e3ad 5 weeks ago 194MB
gcr.io/kubernetes-helm/tiller v2.11.0 ac5f7ee9ae7e 6 weeks ago 71.8MB
k8s.gcr.io/etcd 3.2.24 3cab8e1b9802 7 weeks ago 220MB
k8s.gcr.io/coredns 1.2.2 367cdc8433a4 2 months ago 39.2MB
k8s.gcr.io/kubernetes-dashboard-amd64 v1.12.1 0dab2435c100 2 months ago 122MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 10 months ago 742k
apiserver, scheduler等可以不用在worker節(jié)點pull, 另外如果對應其它K8S版本kubeadm, 那么可以使用對應版本的kubeadm
kubeadm config images list
來查看具體需要的鏡像版本(這個命令需要連googleapi服務器检疫,連不上可以多試幾次)
至此,gcr的鏡像我們已經(jīng)準備完畢祷嘶,其它鏡像因為不是gcr的屎媳,無需翻.... 所以可以在安裝過程中下載, 當然你也可以提前準備好.
3. 安裝工具
到這一步,我們需要在master和worker節(jié)點上安裝kubeadm, kubelet, kubectl 3個工具, 這里我們同樣使用aliyun的鏡像作為apt的source
curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
echo "deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
apt update
apt install -V kubeadm=1.12.1-00 kubectl=1.12.1-00 kubelet=1.12.1-00
apt-mark hold kubelet kubeadm kubectl
注意后面的apt-mark是必要的论巍,否則在apt更新的時候烛谊,以上3個工具會更新, 導致版本不一致, 成功后執(zhí)行kubeadm version確認版本
安裝 kubernetes-cni:
apt-cache madison kubernetes-cni
kubernetes-cni | 0.7.5-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni | 0.6.0-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni | 0.5.1-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
kubernetes-cni | 0.3.0.1-07a8a2-00 | https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial/main amd64 Packages
apt-get install kubernetes-cni=0.6.0-00
4. Master初始化
在master節(jié)點, 執(zhí)行如下命令
kubeadm init --pod-network-cidr=10.244.0.0/16
因為下文我們使用的CNI是flannel網(wǎng)絡,所以參數(shù) --pod-network-cidr 使用 10.244.0.0/16, 其它CNI需要使用對應的參數(shù)嘉汰,成功執(zhí)行后丹禀,記錄下最后一行的提示, 類似形式:
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
這行命令是worker加入節(jié)點時使用的,如果忘記了鞋怀,或者之后過期了也沒關(guān)系(token 24小時有效), 可以通過
kubeadm token list
找回token双泪,或者創(chuàng)建一個新的token
kubeadm token create
hashing值可以通過在master執(zhí)行以下命令獲取
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
openssl dgst -sha256 -hex | sed 's/^.* //'
如果kubeadm init執(zhí)行失敗,或者參數(shù)有誤密似,那么可以通過kubeadm reset重置后(reset后最好重啟下系統(tǒng)), 再重新init, 錯誤原因需要根據(jù)具體提示信息查找.
下面, 我們設置環(huán)境變量, 在用戶目錄下打開 .bashrc文件焙矛, 在最后添加以下3行
export KUBECONFIG=/etc/kubernetes/admin.conf
alias kc=kubectl
source <(kubectl completion bash | sed s/kubectl/kc/g)
保存文件后退出,并執(zhí)行
source .bashrc
這些腳本的目的是設置KUBECONFIG變量指向admin.conf文件残腌,讓kubectl讀取該配置y以訪問apiserver, 同時設置kubectl的別名為kc, 并設置bash completion村斟,即自動拼寫完成. 成功后剪返,你可以通過以下命令來查看pod的運行狀況:
kc get pod --all-namespace -o wide
5. 安裝flannel網(wǎng)絡插件
下面我們apply cni網(wǎng)絡,如前所述邓梅,這里使用flannel網(wǎng)絡, 首先執(zhí)行
sysctl net.bridge.bridge-nf-call-iptables=1
作用是傳遞橋接的IPv4流量到iptables chains, 然后執(zhí)行以下命令應用cni網(wǎng)絡
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/bc79dd1505b0c8681ece4de4c0d86c5cd2643275/Documentation/kube-flannel.yml
6. 安裝kubernetes-dashboard
下載kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ------------------- Dashboard Secret ------------------- #
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
# ------------------- Dashboard Service Account ------------------- #
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Role & Role Binding ------------------- #
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
# Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
# ------------------- Dashboard Deployment ------------------- #
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.12.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
# ------------------- Dashboard Service ------------------- #
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30001
selector:
k8s-app: kubernetes-dashboard
7. 配置kubernetes-dashboard權(quán)限
dashboard-admin.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
name: kubernetes-dashboard
namespace: kube-system
ClusterRoleBinding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
8. 獲取kubernetes-dashboard token
kubectl get secret -n kube-system:
kubernetes-dashboard-certs Opaque 0 107m
kubernetes-dashboard-key-holder Opaque 2 107m
kubernetes-dashboard-token-qbjfd kubernetes.io/service-account-token 3 107m
kubectl describe secret kubernetes-dashboard-token-qbjfd -n kube-system:
Name: kubernetes-dashboard-token-qbjfd
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: 79549b62-9747-11e9-a6f0-000c292ece1b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1xYmpmZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6Ijc5NTQ5YjYyLTk3NDctMTFlOS1hNmYwLTAwMGMyOTJlY2UxYiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9.0xm0TkFTJgzGmAUiTDRomaAnsA8fvSolGbkeUVMNVdTLBxmSAb0kLsmobgEqVvQkFeYGu4pisZ0hPkdPf7xtYDk4QVqnW2ov553dnuYUorhQRtqf-jA28u_-j9apfpSRkGSl30bjpJlmEXlilccfeKDitBTjMvKqRy51eRpqiseGhLwLxAoDZgRLM7g1mkpuzLGritI90AVEZFXJAwPmZU8G31s8EWR69Yv5yDcxAjKGDhf85q6UdCwS9Xkl10GMSeHrdwpem478FGriLWzsdmYUYwiNfE8E7ijwW3xit7z1NoeTUOtPRDakV7YGHHjHAuFZfo6hK_13-OxO9M5bUw
9. 完成安裝
image.png