準備工作
- 準備四臺機器,基本信息如下:
IP | hostname | Role | OS | Memery |
---|---|---|---|---|
192.168.242.136 | k8smaster | Kubernetes master 節(jié)點 | CentOS 7.2 | 3G |
192.168.242.137 | k8snode1 | Kubernetes node 節(jié)點 | CentOS 7.2 | 2G |
192.168.242.138 | k8snode2 | Kubernetes node 節(jié)點 | CentOS 7.2 | 2G |
192.168.242.139 | k8snode3 | Kubernetes node 節(jié)點 | CentOS 7.2 | 2G |
- 設(shè)置master節(jié)點到node節(jié)點的免密登錄萝挤,具體方法請參考這里
- 每臺機器【/etc/hosts】文件需包含:
192.168.242.136 k8smaster
192.168.242.137 k8snode1
192.168.242.138 k8snode2
192.168.242.139 k8snode3
CentOS修改機器名參考這里 - 每臺機器預(yù)裝【docker 17.03.2-ce】疙赠,安裝步驟參考這里
- 關(guān)閉所有機器防火墻
systemctl stop firewalld.service
systemctl disable firewalld.service
- 所有機器關(guān)閉selinux退盯,使容器能夠訪問到宿主機文件系統(tǒng)
vim /etc/selinux/config
將【SELINUX】設(shè)置為【disabled】
臨時關(guān)閉selinux
setenforce 0
- 配置系統(tǒng)路由參數(shù),防止kubeadm報路由警告
在【/etc/sysctl.d/】目錄下新建一個Kubernetes的配置文件【kubernetes.conf】,并寫入如下內(nèi)容:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
運行如下命令使配置生效
sysctl --system
【注意】我這里是新增了一個配置文件榕堰,而不是直接寫到文件【/etc/sysctl.conf】中,所以生效配置的命令參數(shù)是【--system】嫌套,如果是直接寫到文件【/etc/sysctl.conf】中逆屡,那么生效命令的參數(shù)是【-p】。
- 關(guān)閉虛擬內(nèi)存
修改配置文件【/etc/fstab】
vim /etc/fstab
??注釋掉swap那一行
??然后通過命令臨時關(guān)閉虛擬內(nèi)存
swapoff -a
??如果不關(guān)閉swap踱讨,就會在kubeadm初始化Kubernetes的時候報錯
[ERROR Swap]: running with swap on is not supported. Please disable swap
- 準備鏡像
我是參考的這篇博客進行搭建的魏蔗,所以我這里的鏡像都是從該博客提供的地址下載的,將鏡像壓縮包上傳到各節(jié)點痹筛。
使用解壓命令解壓
tar -jxvf k8s_images.tar.bz2
然后導(dǎo)入鏡像
docker load -i /usr/local/k8s_images/docker_images/etcd-amd64_v3.1.10.tar
docker load -i /usr/local/k8s_images/docker_images/flannel:v0.9.1-amd64.tar
docker load -i /usr/local/k8s_images/docker_images/k8s-dns-dnsmasq-nanny-amd64_v1.14.7.tar
docker load -i /usr/local/k8s_images/docker_images/k8s-dns-kube-dns-amd64_1.14.7.tar
docker load -i /usr/local/k8s_images/docker_images/k8s-dns-sidecar-amd64_1.14.7.tar
docker load -i /usr/local/k8s_images/docker_images/kube-apiserver-amd64_v1.9.0.tar
docker load -i /usr/local/k8s_images/docker_images/kube-controller-manager-amd64_v1.9.0.tar
docker load -i /usr/local/k8s_images/docker_images/kube-proxy-amd64_v1.9.0.tar
docker load -i /usr/local/k8s_images/docker_images/kube-scheduler-amd64_v1.9.0.tar
docker load -i /usr/local/k8s_images/docker_images/pause-amd64_3.0.tar
docker load -i /usr/local/k8s_images/kubernetes-dashboard_v1.8.1.tar
路徑請按照鏡像解壓路徑填寫莺治,全部導(dǎo)入成功后通過命令【docker images】可查看到導(dǎo)入成功的鏡像。
到這里帚稠,前期的準備工作就全部完成了谣旁,下面就要開始安裝了。
搭建Kubernetes集群
- 在所有節(jié)點上部署socat滋早、kubernetes-cni榄审、kubelet、kubectl杆麸、kubeadm搁进。
rpm -ivh /usr/local/k8s_images/socat-1.7.3.2-2.el7.x86_64.rpm
rpm -ivh /usr/local/k8s_images/kubernetes-cni-0.6.0-0.x86_64.rpm /usr/local/k8s_images/kubelet-1.9.9-9.x86_64.rpm
rpm -ivh /usr/local/k8s_images/kubectl-1.9.0-0.x86_64.rpm
rpm -ivh /usr/local/k8s_images/kubeadm-1.9.0-0.x86_64.rpm
??接著修改kubelet的配置文件
vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
??kubelet的【cgroup-driver】需要和docker的保持一致,通過命令【docker info】可以查看docker的【Cgroup Driver】屬性值昔头。
??這里可以看到docker的【Cgroup Driver】是【cgroupfs】饼问,所以這里需要將kubelet的【cgroup-driver】也修改為【cgroupfs】。
??修改完成后重載配置文件
systemctl daemon-reload
設(shè)置kubelet開機啟動
systemctl enable kubelet
- 配置master節(jié)點
2.1 初始化Kubernetes
kubeadm init --kubernetes-version=v1.9.0 --pod-network-cidr=10.244.0.0/16
kubernetes默認支持多重網(wǎng)絡(luò)插件如flannel揭斧、weave莱革、calico,這里使用flanne未蝌,就必須要設(shè)置【--pod-network-cidr】參數(shù)驮吱,10.244.0.0/16是kube-flannel.yml里面配置的默認網(wǎng)段,這里的【--pod-network-cidr】參數(shù)要和【kube-flannel.yml】文件中的【Network】參數(shù)對應(yīng)萧吠。
初始化輸入如下:
[root@k8smaster ~]# kubeadm init --kubernetes-version=v1.9.0 --pod-network-cidr=10.244.0.0/16
[init] Using Kubernetes version: v1.9.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks.
[WARNING FileExisting-crictl]: crictl not found in system path
[preflight] Starting the kubelet service
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [k8smaster kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.242.136]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests".
[init] This might take a minute or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 44.002305 seconds
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[markmaster] Will mark node k8smaster as master by adding a label and a taint
[markmaster] Master k8smaster tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: abb43a.62186b817d71bcd2
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token abb43a.62186b817d71bcd2 192.168.242.136:6443 --discovery-token-ca-cert-hash sha256:6a7625aa2928085fde84cfd918398408771dfe6af5c88c73b2d47527a00a8dad
將【 kubeadm join --token xxxx】這段記下來左冬,加入node節(jié)點需要用到這個令牌,如果忘記了可以使用如下命令查看
kubeadm token list
令牌的時效性是24個小時纸型,如果過期了可以使用如下命令創(chuàng)建
kubeadm token create
2.2 配置環(huán)境變量
此時root用戶還不能使用kubelet控制集群拇砰,需要按照以下方法配置環(huán)境變量
將信息寫入bash_profile文件
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
運行命令立即生效
source ~/.bash_profile
查看版本測試下
kubectl version
2.3 安裝flannel
直接使用離線包里面的【kube-flannel.yml】
kubectl create -f /usr/local/k8s_images/kube-flannel.yml
- 配置node節(jié)點
使用配置master節(jié)點初始化Kubernetes生成的token將3個node節(jié)點加入master梅忌,參見2.1,分別在每個node節(jié)點上運行如下命令:
kubeadm join --token abb43a.62186b817d71bcd2 192.168.242.136:6443 --discovery-token-ca-cert-hash sha256:6a7625aa2928085fde84cfd918398408771dfe6af5c88c73b2d47527a00a8dad
全部加入后就可以到master節(jié)點上通過如下命令查看是否加入成功
kubectl get nodes
kubernetes會在每個node節(jié)點創(chuàng)建flannel和kube-proxy的pod除破,通過如下命令查看pods
kubectl get pods --all-namespaces
查看集群信息
kubectl cluster-info
搭建dashboard
在master節(jié)點上牧氮,直接使用離線包里面的【kubernetes-dashboard.yaml】來創(chuàng)建
kubectl create -f /usr/local/k8s_images/kubernetes-dashboard.yaml
接著設(shè)置驗證方式,默認驗證方式有kubeconfig和token瑰枫,這里使用basicauth的方式進行apiserver的驗證踱葛。
創(chuàng)建【/etc/kubernetes/pki/basic_auth_file】用于存放用戶名、密碼光坝、用戶ID尸诽。
admin,admin,2
編輯【/etc/kubernetes/manifests/kube-apiserver.yaml】文件,添加basic_auth驗證
vim /etc/kubernetes/manifests/kube-apiserver.yaml
添加一行
- --basic_auth_file=/etc/kubernetes/pki/basic_auth_file
重啟kubelet
systemctl restart kubelet
更新kube-apiserver容器
kubectl apply -f /etc/kubernetes/manifests/kube-apiserver.yaml
??接下來給admin用戶授權(quán)盯另,k8s1.6后版本都采用RBAC授權(quán)模型性含,默認cluster-admin是擁有全部權(quán)限的,將admin和cluster-admin bind這樣admin就有cluster-admin的權(quán)限鸳惯。
先查看cluster-admin
kubectl get clusterrole/cluster-admin -o yaml
將admin和cluster-admin綁定
kubectl create clusterrolebinding login-on-dashboard-with-cluster-admin --clusterrole=cluster-admin --user=admin
然后查看一下
kubectl get clusterrolebinding/login-on-dashboard-with-cluster-admin -o yaml
現(xiàn)在可以登錄試試商蕴,在瀏覽器中輸入地址【https://192.168.242.136:32666】,這里需要用Firefox芝发,Chrome由于安全機制訪問不了绪商。
通過Firefox可以看到如下界面
選擇【Basic】認證方式,輸入【/etc/kubernetes/pki/basic_auth_file】文件中配置的用戶名和密碼登錄后德。
登錄成功可以看到如下界面
至此部宿,部署全部完成。