kubernetes1.15 install for kubeadm
安裝條件
- 阿里云鏡像服務器訪問暢通
- dockerhub可以訪問
- Centos7.7系統(tǒng)
Base-server方式安裝 - 必要的docker k8s基礎知識
集群創(chuàng)建前的準備
| ip地址 | 節(jié)點角色 | CPU | 內(nèi)存 | 主機名 | 存儲 |
|---|---|---|---|---|---|
| 192.168.100.101.111 | master | 2c | 4G | k8s-master001 | 200GB |
| 192.168.100.101.121 | worker | 2c | 4G | k8s-node001 | 200GB |
| 192.168.100.101.122 | worker | 2c | 4G | k8s-node002 | 200GB |
| 192.168.100.101.123 | worker | 2c | 4G | k8s-node003 | 200GB |
| 192.168.100.101.124 | worker | 2c | 4G | k8s-node004 | 200GB |
部署環(huán)境為nat模式下的內(nèi)網(wǎng)服務器,即家庭網(wǎng)絡環(huán)境凄硼、辦公室網(wǎng)絡環(huán)境
一脆淹、服務器環(huán)境初始化
- 設置hostname 在不同的機器上執(zhí)行以下命令
hostnamectl set-hostname k8s-master001
hostnamectl set-hostname k8s-node001
hostnamectl set-hostname k8s-node002
hostnamectl set-hostname k8s-node003
hostnamectl set-hostname k8s-node004
修改
/etc/sysconfig/network增加HOSTNAME=k8s-master001,注意更改為相應的主機名喔
- 關閉防火墻、swap情龄、selinux
systemctl stop firewalld
systemctl disable firewalld
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab
- 修改內(nèi)核參數(shù)、將橋接網(wǎng)卡的ipv4流量轉(zhuǎn)發(fā)到iptables的鏈表
cat /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
- 執(zhí)行sysctl 載入配置文件參數(shù)
modprobe br_netfilter
sysctl --system
- 增加ipvs的開啟參數(shù)
cat /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
- 增加ipvs.modules文件可執(zhí)行權(quán)限
chmod 755 /etc/sysconfig/modules/ipvs.modules
/bin/bash -x /etc/sysconfig/modules/ipvs.modules
lsmod | grep "ip_vs"
- 增加阿里云
epelyum源
CentOS-Base有163的源,速度很快不用更換,如果是阿里云服務器建議使用阿里云CentOS-Base內(nèi)網(wǎng)更快
yum install -y wget
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all && yum makecache
- 增加
k8s``docker-ceyum源
cat /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
該內(nèi)容可以通過 opsx.alibaba.com搜索
kubernetes``幫助獲取
增加docker-ceyum源
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
- 安裝依賴包
yum -y install ipset ipvsadm yum-utils device-mapper-persistent-data lvm2
- 查看yum倉庫中
Docker版本 一定要加上--showduplicates參數(shù),不然只會出現(xiàn)最新版本的rpm包
[root@k8s-master001 ~]# yum list docker-ce.x86_64 --showduplicates |sort -r
Loading mirror speeds from cached hostfile
Loaded plugins: fastestmirror
Installed Packages
docker-ce.x86_64 3:19.03.2-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.1-3.el7 docker-ce-stable
docker-ce.x86_64 3:19.03.0-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.9-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.8-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.7-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.7-3.el7 @docker-ce-stable
docker-ce.x86_64 3:18.09.6-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.5-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.4-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.3-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.2-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.1-3.el7 docker-ce-stable
docker-ce.x86_64 3:18.09.0-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.3.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.2.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.1.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.06.0.ce-3.el7 docker-ce-stable
docker-ce.x86_64 18.03.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 18.03.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.12.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.12.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.09.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.09.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.06.2.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.06.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.06.0.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.3.ce-1.el7 docker-ce-stable
docker-ce.x86_64 17.03.2.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.1.ce-1.el7.centos docker-ce-stable
docker-ce.x86_64 17.03.0.ce-1.el7.centos docker-ce-stable
- Install
Docker
yum makecache fast
yum install -y --setopt=obsoletes=0 docker-ce-18.09.8-3.el7.x86_64
systemctl start docker
systemctl enable docker
增加
--setopt=obsoletes=0
obsoletes=value
…where value is one of:
0 — Disable yum's obsoletes processing logic when performing updates.
1 — Enable yum's obsoletes processing logic when performing updates. When one package declares in its spec file that it obsoletes another package, the latter package will be replaced by the former package when the former package is installed. Obsoletes are declared, for example, when a package is renamed. obsoletes=1 the default.
查看iptables filter表中FOWARD鏈表中策略是否為
ACCEPT放行狀態(tài)惰爬。如果不是執(zhí)行iptables -P FORWARD ACCEPT
[root@k8s-master001 k8s-yum]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
查看Docker cgroup driver狀態(tài)是否為systemd,如果不是systemd請修改配置文件改回systemd
[root@k8s-master001 ~]# docker info | grep Cgroup
Cgroup Driver: systemd
cat /etc/docker/daemon.json #如果不是請修改配置文件
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
- 重啟docker 使配置生效
systemctl restart docker
- Install kubeadm、kubelet
yum install -y kubelet-1.15.3-0.x86_64 kubeadm-1.15.3-0.x86_64 kubelet-1.15.3-0.x86_64
-
kubelet啟動并設置開機啟動
systemctl start kubelet.service
systemctl enable kubelet.service
- 查看集群默認的初始化配置信息
kubeadm config print init-defaults
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
- system:bootstrappers:kubeadm:default-node-token
token: abcdef.0123456789abcdef
ttl: 24h0m0s
usages:
- signing
- authentication
kind: InitConfiguration
localAPIEndpoint:
advertiseAddress: 1.2.3.4
bindPort: 6443
nodeRegistration:
criSocket: /var/run/dockershim.sock
name: k8s-master001
taints:
- effect: NoSchedule
key: node-role.kubernetes.io/master
---
apiServer:
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.15.0
networking:
dnsDomain: cluster.local
serviceSubnet: 10.96.0.0/12
scheduler: {}
其中advertiseAddress是指api-server的ip地址惫企,也就是k8s-master001內(nèi)網(wǎng)ip地址192.168.101.111撕瞧。
serviceSubnet是集群將要采用的網(wǎng)段地址,我們使用10.244.0.0/16。
- 初始化k8s集群在
k8s-master001上操作
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.101.111 --ignore-preflight-errors=Swap
執(zhí)行后發(fā)現(xiàn)會報以下錯誤,這是因為無法訪問k8s.gcr.io網(wǎng)站丛版。
[root@k8s-master001 ~]# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.101.111 --ignore-preflight-errors=Swap
W0913 00:40:38.345859 31641 version.go:98] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://dl.k8s.io/release/stable-1.txt: dial tcp: lookup dl.k8s.io on [::1]:53: read udp [::1]:60967->[::1]:53: read: connection refused
W0913 00:40:38.346081 31641 version.go:99] falling back to the local client version: v1.15.3
[init] Using Kubernetes version: v1.15.3
[preflight] Running pre-flight checks
[WARNING Hostname]: hostname "k8s-master001" could not be reached
[WARNING Hostname]: hostname "k8s-master001": lookup k8s-master001 on [::1]:53: read udp [::1]:45558->[::1]:53: read: connection refused
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-apiserver:v1.15.3: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:51990->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-controller-manager:v1.15.3: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:43086->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-scheduler:v1.15.3: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:55885->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/kube-proxy:v1.15.3: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:48386->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/pause:3.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:43804->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/etcd:3.3.10: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:49557->[::1]:53: read: connection refused
, error: exit status 1
[ERROR ImagePull]: failed to pull image k8s.gcr.io/coredns:1.3.1: output: Error response from daemon: Get https://k8s.gcr.io/v2/: dial tcp: lookup k8s.gcr.io on [::1]:53: read udp [::1]:51683->[::1]:53: read: connection refused
, error: exit status 1
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
- 換源設置改為阿里云,查看需要的容器鏡像
kubeadm config images list
[root@k8s-master001 ~]# kubeadm config images list
W0913 00:44:21.703361 32321 version.go:98] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://dl.k8s.io/release/stable-1.txt: dial tcp: lookup dl.k8s.io on [::1]:53: read udp [::1]:37790->[::1]:53: read: connection refused
W0913 00:44:21.703519 32321 version.go:99] falling back to the local client version: v1.15.3
k8s.gcr.io/kube-apiserver:v1.15.3
k8s.gcr.io/kube-controller-manager:v1.15.3
k8s.gcr.io/kube-scheduler:v1.15.3
k8s.gcr.io/kube-proxy:v1.15.3
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.3.10
k8s.gcr.io/coredns:1.3.1
- pull阿里云鏡像Images更改tag
溫馨提示:雖然是國內(nèi)源但pull過程依然有些慢,建議沖杯咖啡咨跌、奶茶
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.15.3
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.15.3
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.15.3
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.15.3
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.3.10
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.3.1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.15.3 k8s.gcr.io/kube-apiserver:v1.15.3
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.15.3 k8s.gcr.io/kube-controller-manager:v1.15.3
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.15.3 k8s.gcr.io/kube-scheduler:v1.15.3
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.15.3 k8s.gcr.io/kube-proxy:v1.15.3
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.3.10 k8s.gcr.io/etcd:3.3.10
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.3.1 k8s.gcr.io/coredns:1.3.1
- 再次執(zhí)行集群初始化操作
[root@k8s-master001 tmp]# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.101.111 --ignore-preflight-errors=Swap
[init] Using Kubernetes version: v1.15.3
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master001 localhost] and IPs [192.168.101.111 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master001 localhost] and IPs [192.168.101.111 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master001 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.101.111]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[kubelet-check] Initial timeout of 40s passed.
[apiclient] All control plane components are healthy after 44.009526 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.15" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master001 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node k8s-master001 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: f3xr55.iv29dsas70lrf0jo
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.101.111:6443 --token f3xr55.iv29dsas70lrf0jo \
--discovery-token-ca-cert-hash sha256:2f939d02abb31a087b4c3f4b1202c4efeaa6f9ee165abb705f8e2b19d41e132c
- 根據(jù)輸出提示進行以下操作
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
- 保存記錄好節(jié)點加入集群命令
kubeadm join 192.168.101.111:6443 --token f3xr55.iv29dsas70lrf0jo \
--discovery-token-ca-cert-hash sha256:2f939d02abb31a087b4c3f4b1202c4efeaa6f9ee165abb705f8e2b19d41e132c
- 注意除了集群初始化操作在k8s-master001上執(zhí)行,其它的操作每個節(jié)點都要執(zhí)行
二、node節(jié)點加入集群
- 執(zhí)行
kubeadm join輸出以下信息即為成功,其中的WARNING是因為/etc/hosts沒有配置,忽略即可沒有影響
[root@k8s-node001 tmp]# kubeadm join 192.168.101.111:6443 --token f3xr55.iv29dsas70lrf0jo \
--discovery-token-ca-cert-hash sha256:2f939d02abb31a087b4c3f4b1202c4efeaa6f9ee165abb705f8e2b19d41e132c
[preflight] Running pre-flight checks
[WARNING Hostname]: hostname "k8s-node001" could not be reached
[WARNING Hostname]: hostname "k8s-node001": lookup k8s-node001 on 192.168.100.37:53: no such host
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.15" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Activating the kubelet service
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
- Tips:第三天k8s-node003加入集群報錯
error execution phase preflight: couldn't validate the identity of the API Server: abort connecting to API servers after timeout of 5m0s
集群運行一段時間后 后續(xù)加入節(jié)點的時候提示上面這個錯誤,是master
token證書過期,好像有效期只有24小時,創(chuàng)建新的token即可解決硼婿,方法如下锌半。
[root@k8s-master001 ~]# kubeadm token create
2cwxr3.01v9qv5kbt69fzxa
[root@k8s-master001 ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | awk {'print $2'}
2f939d02abb31a087b4c3f4b1202c4efeaa6f9ee165abb705f8e2b19d41e132c
- 使用新token添加新節(jié)點
[root@k8s-node003 ~]# kubeadm join 192.168.101.111:6443 --token 2cwxr3.01v9qv5kbt69fzxa --discovery-token-ca-cert-hash sha256:2f939d02abb31a087b4c3f4b1202c4efeaa6f9ee165abb705f8e2b19d41e132c
- 查看集群以及
nodes狀態(tài)
root@k8s-master001 ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
[root@k8s-master001 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master001 NotReady master 2h v1.15.3
k8s-node001 NotReady <none> 1h v1.15.3
可以看到集群是健康的,但是node節(jié)點狀態(tài)是notready這是因為我們僅僅創(chuàng)建了集群還沒有安裝網(wǎng)絡插件
二寇漫、安裝必要的插件刊殉、網(wǎng)絡插件
- Install
flannel網(wǎng)絡插件
[root@k8s-master001 k8s]# curl -O https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
[root@k8s-master001 k8s]# cat kube-flannel.yml | grep '"Network"'
"Network": "10.244.0.0/16"
kubectl create -f kube-flannel.yml
配置文件網(wǎng)段和創(chuàng)建集群是的網(wǎng)段一致,此處不需要修改.
- 查看插件啟動狀態(tài)
[root@k8s-master001 ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-5c98db65d4-6v8zm 1/1 Running 0 1h
coredns-5c98db65d4-7xdsn 1/1 Running 0 1h
etcd-k8s-master001 1/1 Running 0 1h
kube-apiserver-k8s-master001 1/1 Running 0 1h
kube-controller-manager-k8s-master001 1/1 Running 0 1h
kube-proxy-97jz2 1/1 Running 0 1h
kube-proxy-lftz2 1/1 Running 0 1h
kube-scheduler-k8s-master001 1/1 Running 0 1h
-
kube-proxy更改為ipvs模式mode: ""更改為mode: "ipvs"
kubectl edit cm kube-proxy -n kube-system
- Install
dashboard插件
wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
kubectl create -f kubernetes-dashboard.yaml
root@k8s-master001 k8s]# kubectl get svc kubernetes-dashboard -n kube-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.111.189.89 <none> 443:32576/TCP 21s
其狀態(tài)一直是ImagePullBackOff
[root@k8s-master001 tmp]# kubectl get pods,svc -n kube-system | grep kubernetes-dashboard
pod/kubernetes-dashboard-7d75c474bb-ljdhp 0/1 ImagePullBackOff 0 14m
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
- 生成
tokendashboard登錄支持Kubeconfig和token兩種認證方式Kubeconfig中也依賴token
kubectl create serviceaccount dashboard-admin -n kube-system
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
- 獲取 Dashboard
token
[root@k8s-master001 tmp]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Name: dashboard-admin-token-hqj4v
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: dashboard-admin
kubernetes.io/service-account.uid: 56931c3b-ce9d-456c-9e12-3597163fff47
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1025 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQv
c2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4taHFqNHYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY
291bnQudWlkIjoiNTY5MzFjM2ItY2U5ZC00NTZjLTllMTItMzU5NzE2M2ZmZjQ3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.sYIp7MzgFw6jSBRN63GX4y3j9yfyvYnmAw1BN4FsoiU5rdaSDle1lGWwleMGh
Y5lNHTpoQwUXAzl6uQmrhFCQPFsZZEIaPaSWEzHxuwmYO3uiaLcJB5_0wtC_DiKpLx_JV8NQwYmgAlgL2s2HxLeuweSHcMcxwIccA5CHdRPoh0_r6NjHc1yf4s6vzNQUpfNMj3k34_Oe7YmpU6eGFONvxzDigy5kWG4QDE4m3g4ceeYqjydJ_gRMjfu86E_VxGgbeILBK3OQd
GsqK8i5GZz8IziDOd3sYicHqbwDgGXiGZfPuqtu4FbDSKV1lZ8VWK0sRuuww3idCGuG7gzMkB2hw
- Install Helm Client
wget https://get.helm.sh/helm-v2.14.3-linux-amd64.tar.gz
tar -zxf helm-v2.14.3-linux-amd64.tar.gz
cp helm /usr/local/bin/
[root@k8s-master001 linux-amd64]# helm version
Client: &version.Version{SemVer:"v2.14.3", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
Error: could not find tiller
- Install Helm server
tiller
helm init --upgrade --tiller-image registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.14.3
[root@k8s-master001 k8s]# kubectl get pod -n kube-system -l app=helm
NAME READY STATUS RESTARTS AGE
tiller-deploy-6867df9fc6-xh6hh 1/1 Running 0 112s
root@k8s-master001 k8s]# helm version
Client: &version.Version{SemVer:"v2.14.3", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.14.3", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
-
Tiller增加ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
END
至此最小集群已經(jīng)安裝完成了,這里只安裝了最核心的k8s服務州胳。
參考文獻
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-configuring_yum_and_yum_repositories
https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm
