Deploying a cluster inside a single network segment is simple and there are plenty of tutorials online. This article is only worth following if, for reasons such as study or testing, you do not have enough machines on one LAN and want to build a k8s cluster out of several cloud servers in different locations.
Machine preparation
- Master node: CentOS 7.8 (Alibaba Cloud ECS)
  Hostname: k8s-master
  Public IP: 47.9x.17x.9x
- Worker node: CentOS 7.9 (Tencent Cloud EVM)
  Hostname: k8s-node1
  Public IP: 121.4x.9x.7x
Set the hostname
- On the master:
  hostnamectl set-hostname k8s-master
- On node1:
  hostnamectl set-hostname k8s-node1
Edit /etc/hosts
Map 127.0.0.1 to the hostname (required on every node).
Configure SSH trust between nodes
With SSH trust configured, the nodes can reach each other without passwords, which makes automated deployment easier later on.
ssh-keygen # run on every machine; just press Enter at each prompt
ssh-keygen -t rsa -C "your_email@example.com"
Meaning of the parameters:
-t specifies the key type; the default is rsa, so it can be omitted.
-C sets a comment, for example an email address.
-f specifies the file name the key is stored under.
ssh-copy-id node # on the master, copy the public key to the other nodes; you will be asked to type yes and the password
The default file name is .ssh/id_rsa.pub
ssh-copy-id -i .ssh/id_rsa.pub username@192.168.x.xxx
System parameter configuration
# Disable SELinux
sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
# Permanently disable swap
swapoff -a
sed -ri 's/.*swap.*/#&/' /etc/fstab
echo "vm.swappiness = 0">> /etc/sysctl.conf
# Adjust the kernel parameters
cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
EOF
sysctl -p /etc/sysctl.d/k8s.conf
# Complete /etc/sysctl.conf configuration
vm.swappiness = 0
kernel.sysrq = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.neigh.default.gc_stale_time = 120
# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
# Apply the settings in /etc/sysctl.conf
sysctl -p
Create a virtual NIC (all nodes)
Bind the public IP to a virtual interface, so that later the nodes of the k8s cluster (and therefore the system pods) join the cluster using the public IP.
# step1: replace the public IP below with your own
cat > /etc/sysconfig/network-scripts/ifcfg-eth0:1 <<EOF
BOOTPROTO=static
DEVICE=eth0:1
IPADDR=<your public IP>
PREFIX=32
TYPE=Ethernet
USERCTL=no
ONBOOT=yes
EOF
# step2: restart networking (on CentOS 8 a reboot is needed)
systemctl restart network
# step3: check that the new IP is present
ip addr # or ifconfig
Host port settings
By default every inbound port on Alibaba Cloud ECS has to be opened by hand, whereas Tencent Cloud EVM has all inbound ports open.
- Ports to open on the master

| Protocol | Direction | Port | Description |
|---|---|---|---|
| TCP | Inbound | 6443 | Kubernetes API server |
| TCP | Inbound | 2379-2380 | etcd server client API |
| TCP | Inbound | 10250 | Kubelet API |
| TCP | Inbound | 10251 | kube-scheduler |
| TCP | Inbound | 10252 | kube-controller-manager |
| UDP | Inbound | 8472 | k8s flannel vxlan |

By default the master does not allow non-system pods to be scheduled on it. If, once the master is deployed, you allow pods on the master (that is, you run the command below):
kubectl taint node k8s-master node-role.kubernetes.io/master-
then the master also needs inbound TCP ports 30000-32767 opened.
- Ports to open on the nodes

| Protocol | Direction | Port | Description |
|---|---|---|---|
| TCP | Inbound | 10250 | Kubelet API |
| TCP | Inbound | 30000-32767 | k8s NodePort Services |
Install or upgrade Docker (master and all nodes)
First query the installed docker packages
rpm -qa | grep docker
The result looks like this:
Once found, uninstall the packages
yum remove docker-ce*
After that succeeds, check whether a docker version is still present
docker version
Then run the script to upgrade to the latest version (at the time of writing, Docker 20.10.0)
curl -fsSL https://get.docker.com/ | sh
Checking the version again shows it has been upgraded to the latest release
Start docker
systemctl start docker.service
Enable docker to start at boot
systemctl enable docker
Finally look at the docker information
docker info
The 3.10.x kernel shipped with CentOS 7.x has bugs that make Docker unstable, so upgrading the kernel is recommended
# Add the kernel repository
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# Install the latest long-term kernel
yum --enablerepo=elrepo-kernel install -y kernel-lt
# List the available kernels
grep menuentry /boot/grub2/grub.cfg
# Boot from the new kernel by default
grub2-set-default "CentOS Linux (4.4.230-1.el7.elrepo.x86_64) 7 (Core)"
# Show the kernel boot entry
grub2-editenv list
# Reboot so the new kernel takes effect
reboot
# Check that the new kernel version is running
uname -r
Check which distribution this is
lsb_release -a
After Docker is installed successfully
# Configure the daemon
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  },
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "registry-mirrors": ["https://xxxxxx.mirror.aliyuncs.com"]
}
EOF
The mirror address in registry-mirrors here is Alibaba Cloud's; another provider's mirror works too.
Log in to the Alibaba Cloud container registry console to obtain the mirror address.
mkdir -p /etc/systemd/system/docker.service.d
Restart the Docker service
systemctl daemon-reload
systemctl enable docker
systemctl restart docker
Master node deployment
With the steps above done, install the master node as follows:
- Install kubeadm and the related packages (at the time of writing the k8s version is v1.20.0)
The installation script is as follows:
# Configure the yum repository (gpgcheck=0 turns off RPM signature verification for this repo)
echo '#k8s
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
'>/etc/yum.repos.d/kubernetes.repo
# kubeadm and the related packages
yum -y install kubelet kubeadm kubectl kubernetes-cni
The k8s version after installation is:
Restart kubelet
systemctl daemon-reload
systemctl enable kubelet
- Pull the k8s images in batch
Create the image download script as follows
vim docker.sh
#!/bin/bash
url=registry.aliyuncs.com/google_containers
version=v1.20.0
# list the images kubeadm needs for this version, keeping only the name:tag part
images=(`kubeadm config images list --kubernetes-version=$version|awk -F '/' '{print $2}'`)
for imagename in ${images[@]} ; do
  docker pull $url/$imagename
  docker tag $url/$imagename k8s.gcr.io/$imagename
  docker rmi -f $url/$imagename
done
Run the docker script
chmod +x docker.sh
./docker.sh
Once all components have been pulled, check them with
docker images
The result is shown below:
Initialize the master node
The default kubeadm-config.yml can be obtained with the following command:
kubeadm config print init-defaults > kubeadm-config.yml
# step1: write the configuration file; replace the IPs below
cat > kubeadm-config.yml <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 47.9x.17x.9x # master public IP
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs: # list the hostname, IPs and VIP of every kube-apiserver node
  - master # replace with the hostname
  - <master private IP> # replace with the master's private IP
  - 47.9x.17x.9x # replace with the master's public IP
  - 10.1.0.1 # do not replace: the first address of the serviceSubnet range, the in-cluster API address used by some services
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.20.0
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16 # pod network range
  serviceSubnet: 10.1.0.0/16 # service network range
scheduler: {}
EOF
# step2: start the initialization. On a machine with only 1 CPU core or 1 GB of RAM, append --ignore-preflight-errors=all, otherwise initialization fails
kubeadm init --config=kubeadm-config.yml
# Note that when this step succeeds it prints two important pieces of information
# Info 1: after a successful init a kubeconfig file is generated for talking to the API server; if you do not want to manage the cluster as root afterwards, run the following
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
# Info 2: used later by the worker nodes to join the master; save it so the nodes can join the cluster. The token here is valid for only 24 hours.
kubeadm join 47.9x.17x.9x:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:dd008a0ab88d25d7addb121ab11024d6e7c8e44639d2e48e662eb6319cd40b04
# Errors that may appear during initialization:
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
Fix: echo "1" >/proc/sys/net/bridge/bridge-nf-call-iptables
If that file does not exist, run modprobe br_netfilter first
[ERROR Swap]: running with swap on is not supported. Please disable swap [preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=...
Fix:
swapoff -a
vim /etc/fstab
# comment out the line below
#/dev/mapper/rhel-swap swap swap defaults 0 0
# If initialization fails and you want to run it again, reset first with:
kubeadm reset
ifconfig cni0 down
ip link delete cni0
ifconfig flannel.1 down
ip link delete flannel.1
rm -rf /var/lib/cni/
rm -rf /var/lib/etcd
# If the cluster uses ipvs, also clear the ipvs rules so the earlier broken configuration does not interfere
ipvsadm -C
PS: cluster token management
The default token is valid for 24 hours; once it expires it can no longer be used. If more nodes need to join later, the fix is to generate a new token with kubeadm token create:
# 1. List the current tokens
[root@K8S00 ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
7mjtn4.9kds6sabcouxaugd 23h xxxxx authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
# 2. Generate a new token
[root@K8S00 ~]# kubeadm token create
369tcl.oe4punpoj9gaijh7
# 3. List the tokens again
[root@K8S00 ~]# kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
369tcl.oe4punpoj9gaijh7 23h xxxxx authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
7mjtn4.9kds6sabcouxaugd 23h xxxxx authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
# 4. Compute the sha256 hash of the CA certificate's public key
[root@K8S00 ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
7ae10591aa593c2c36fb965d58964a84561e9ccd416ffe7432550a0d0b7e4f90
# 5. Join the node to the cluster
[root@k8s-node03 ~]# kubeadm join --token 369tcl.oe4punpoj9gaijh7 (the new token) --discovery-token-ca-cert-hash sha256:7ae10591aa593c2c36fb965d58964a84561e9ccd416ffe7432550a0d0b7e4f90 (the CA certificate sha256 hash) 47.9x.17x.9x:6443 --ski
With that, the master node is deployed; now check how the pods are running
kubectl get pod -n kube-system
# Look at the cluster pods and confirm that every component is in the Running state
# Note: because the k8s CNI component has not been deployed yet, the dns logs will show errors at this point; coredns cannot start normally until the CNI component is in place.
Looking with kubectl get pod -n kube-system -o wide shows that the IP addresses the system pods joined with are all public IPs
# For safety, Kubernetes does not schedule Pods onto the Master node by default. If you want to use k8s-master as a Node as well, run:
kubectl taint node k8s-master node-role.kubernetes.io/master-
where k8s-master is the master's hostname. To return to the Master-only state, run:
kubectl taint node k8s-master node-role.kubernetes.io/master="":NoSchedule
Switch the kube-proxy mode from iptables to ipvs
The kube-proxy component starts in iptables mode by default; here we change it to start in ipvs mode
1. Load the kernel modules
cat >> /etc/sysctl.conf << EOF
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl -p
lsmod | grep ip_vs
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
yum install ipvsadm ipset -y
2. Edit the kube-proxy configuration
kubectl edit configmap kube-proxy -n kube-system
    minSyncPeriod: 0s
    scheduler: ""
    syncPeriod: 30s
    kind: KubeProxyConfiguration
    metricsBindAddress: 127.0.0.1:10249
    mode: "ipvs" # change this
    nodePortAddresses: null
3. Delete all kube-proxy pods
kubectl delete pod xxx -n kube-system
4. Verify
kubectl logs kube-proxy-xxx -n kube-system # the log should contain "Using ipvs Proxier"
5. Check the ipvs proxy rules
kubectl get svc --all-namespaces
# ipvsadm -ln
# this shows the many rules that correspond to the services
Deploy the flannel network plugin to the cluster
Flannel is simple and easy to use, and is the choice here since there are no special requirements. By default it works in vxlan mode, and vxlan talks to the other nodes over UDP port 8472.
Flannel's VXLAN mode has two variants:
VXLAN: native VXLAN, i.e. an extended virtual LAN
Directrouting: direct routing
Download the flannel manifest (the raw file, not the GitHub page)
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Two places are changed. First, under args, add
args:
- --public-ip=$(PUBLIC_IP) # add this parameter to declare the public IP
- --iface=eth0 # add this parameter to bind the interface
# Then under env
env:
- name: PUBLIC_IP # add this environment variable
  valueFrom:
    fieldRef:
      fieldPath: status.podIP
# Here the vxlan mode is changed to Directrouting combined with vxlan: when two nodes are in the same network segment they communicate via host-gw; when they are not, i.e. there is a router between the node of the current pod and the node of the target pod, VXLAN is used, keeping the advantages of an overlay network.
# net-conf.json in the configmap needs to be adjusted:
net-conf.json: | # add the "Directrouting" property
  {
    "Network": "10.244.0.0/16",
    "Backend": {
      "Type": "vxlan",
      "Directrouting": true
    }
  }
# The final complete file is:
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: psp.flannel.unprivileged
  annotations:
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false
  volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  allowedHostPaths:
  - pathPrefix: '/etc/cni/net.d'
  - pathPrefix: '/etc/kube-flannel'
  - pathPrefix: '/run/flannel'
  readOnlyRootFilesystem: false
  # Users and groups
  runAsUser:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # Privilege Escalation
  allowPrivilegeEscalation: false
  defaultAllowPrivilegeEscalation: false
  # Capabilities
  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
  defaultAddCapabilities: []
  requiredDropCapabilities: []
  # Host namespaces
  hostPID: false
  hostIPC: false
  hostNetwork: true
  hostPorts:
  - min: 0
    max: 65535
  # SELinux
  seLinux:
    # SELinux is unused in CaaSP
    rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups: ['extensions']
  resources: ['podsecuritypolicies']
  verbs: ['use']
  resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
  - ''
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - list
  - watch
- apiGroups:
  - ''
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-system
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan",
        "Directrouting": true
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-system
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni
        image: quay.io/coreos/flannel:v0.13.1-rc1
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.13.1-rc1
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --public-ip=$(PUBLIC_IP) # added parameter: declare the public IP
        - --iface=eth0 # added parameter: bind the interface
        resources:
          requests:
            cpu: '100m'
            memory: '50Mi'
          limits:
            cpu: '100m'
            memory: '50Mi'
        securityContext:
          privileged: false
          capabilities:
            add: ['NET_ADMIN', 'NET_RAW']
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: PUBLIC_IP # added environment variable
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
Apply the flannel manifest:
kubectl apply -f kube-flannel.yml
Afterwards, look at the pods in the k8s cluster:
kubectl get pod -n kube-system -o wide
You will see that both flannel and dns have started successfully.
# If coredns keeps reporting: Failed to list *v1.Namespace: Get "https://10.1.0.1:443/api/v1/namespaces?limit=500&resourceVersion=0": dial tcp 10.1.0.1:443: connect: no route to host
it is most likely caused by broken or stale firewall (iptables) rules; run the following commands in order to fix it:
systemctl stop kubelet
systemctl stop docker
iptables --flush
iptables -t nat --flush
systemctl start kubelet
systemctl start docker
With that, all pods on the master node are deployed.
Check the cluster status (optional)
kubectl get cs
You will find that the health checks for scheduler and controller manager actually fail
- First check whether these two ports are listening
  telnet or ps can both be used to check
- Check whether the kube-scheduler and kube-controller-manager configuration disables the insecure port
Configuration file paths:
/etc/kubernetes/manifests/kube-scheduler.conf
/etc/kubernetes/manifests/kube-controller-manager.yaml
For example, in the controller-manager configuration, remove the --port=0 setting,
then restart: sudo systemctl restart kubelet
Running kubectl get cs again should show the problem resolved. Note that removing --port=0 re-enables the component's unauthenticated HTTP health/metrics port (10251 for kube-scheduler, 10252 for kube-controller-manager, the ports listed in the master table above); kubectl get cs probes those ports, which is why the check fails while they are disabled.
Configure kubectl command completion for the cluster
(master only)
yum install -y bash-completion
source <(kubectl completion bash)
echo "source <(kubectl completion bash)" >> ~/.bashrc
source ~/.bashrc
Worker node deployment
Installing k8s on a node follows the same steps as on the master up to the point of initializing the master; on the node, do not initialize, but run the join command to join the master.
Some adjustments are needed before running the join command.
Edit the kubelet startup parameters (important; do this on every node)
# This file exists once kubeadm is installed
vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
# Note: this step is important; without it the node still registers in the cluster with its private IP
# Append the parameter --node-ip=<the node's public IP> at the end
# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/sysconfig/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --node-ip=121.4x.9x.7x
Run the join command that the master printed earlier
kubeadm join 47.9x.17x.9x:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:dd008a0ab88d25d7addb121ab11024d6e7c8e44639d2e48e662eb6319cd40b04
Once it finishes, check the cluster again.
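As an added example that is not part of the original post, the following POSIX shell script re-checks, before running join, the node settings this article requires (the three sysctl keys, swap commented out of /etc/fstab, the eth0:1 public-IP alias and the kubelet --node-ip drop-in) and lists the inbound ports from the tables above; the file paths and the public IP are passed as arguments, and the sample IP 203.0.113.10 in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for a worker
# before "kubeadm join" in this cross-cloud setup. Each check takes the file to
# inspect as an argument, so it also works on copies pulled from a node.
# Exit status 0 means the check passed.
# The three kernel parameters written to /etc/sysctl.d/k8s.conf must all be 1.
check_sysctl_file() {
  for key in net.ipv4.ip_forward net.bridge.bridge-nf-call-iptables \
             net.bridge.bridge-nf-call-ip6tables; do
    # strip comments and whitespace, then require an exact "key=1" line
    sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]//g' "$1" | grep -qxF "$key=1" || return 1
  done
}

# kubeadm refuses to run with swap on: no uncommented fstab entry may use
# "swap" as its mount point (third field).
check_fstab_no_swap() {
  ! awk '!/^[[:space:]]*#/ && $3 == "swap" { found = 1 } END { exit !found }' "$1"
}

# ifcfg-eth0:1 must bind the public IP as a /32 and come up at boot.
check_ifcfg_alias() {
  grep -qxF "IPADDR=$2" "$1" && grep -qxF "PREFIX=32" "$1" && grep -qxF "ONBOOT=yes" "$1"
}

# The active ExecStart line of 10-kubeadm.conf must carry --node-ip=<public IP>
# (e.g. 203.0.113.10); without it the node registers with its private address.
check_kubelet_node_ip() {
  ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  grep -Eq "^ExecStart=/usr/bin/kubelet .*--node-ip=${ip_re}([[:space:]]|\$)" "$1"
}

# Inbound ports from the post's tables. UDP 8472 is the flannel vxlan port the
# post says is used between nodes, so it is listed for workers as well.
required_inbound_ports() {
  case $1 in
    master) echo "6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 8472/udp" ;;
    master-schedulable) echo "$(required_inbound_ports master) 30000-32767/tcp" ;;
    node) echo "10250/tcp 8472/udp 30000-32767/tcp" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# usage: preflight.sh <public-ip> <sysctl-file> <fstab> <ifcfg-eth0:1> <10-kubeadm.conf>
main() {
  ip=$1; rc=0
  check_sysctl_file "$2"           && echo "ok   sysctl"  || { echo "FAIL sysctl keys"; rc=1; }
  check_fstab_no_swap "$3"         && echo "ok   swap"    || { echo "FAIL swap still in fstab"; rc=1; }
  check_ifcfg_alias "$4" "$ip"     && echo "ok   eth0:1"  || { echo "FAIL eth0:1 alias"; rc=1; }
  check_kubelet_node_ip "$5" "$ip" && echo "ok   kubelet" || { echo "FAIL kubelet --node-ip"; rc=1; }
  echo "inbound ports to open for a worker: $(required_inbound_ports node)"
  return $rc
}
[ "$#" -eq 0 ] || main "$@"
```

Run it on the node as `sh preflight.sh <public-ip> /etc/sysctl.d/k8s.conf /etc/fstab /etc/sysconfig/network-scripts/ifcfg-eth0:1 /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf` and fix every FAIL line before running the join command.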
Reset the k8s cluster
While building the cluster, a node may fail to configure; in that case the node can be removed from the cluster. When removing a node, the Pods running on it should be evicted first.
For example:
Evict the pods on the node named "k8s-node-1" (run on the master)
[root@k8s-master ~]# kubectl drain k8s-node-1 --delete-local-data --force --ignore-daemonsets
Delete the node (on the master)
[root@k8s-master ~]# kubectl delete node k8s-node-1
Reset the node (on the node, i.e. the one that was just deleted)
[root@k8s-node-1 ~]# kubeadm reset
Notes:
Note 1: the master also needs to be drained, deleted and reset. This bit me badly: the first time I did not drain and delete the master, and the end result was that everything looked normal on inspection but coredns simply would not work. Don't try it.
With that, the whole k8s cluster is deployed. Next the cluster needs to be verified: whether each node is usable, and whether the network ranges can reach each other when svc services or pods are deployed. Since this article is already too long, verification is left for a follow-up.