Kubernetes是Goole開源的一個(gè)容器編排引擎,它支持自動(dòng)化部署、大規(guī)某箍觯可伸縮、應(yīng)用容器化管理 —— 百度百科舅踪。
接觸K8s也有半年多了纽甘,也基于阿里云平臺(tái)搭建了包含多級(jí)服務(wù)、目前運(yùn)行較為穩(wěn)定的K8s集群(感興趣的可參考 [k8s云集群混搭模式抽碌,可能幫你節(jié)省50%以上的服務(wù)成本]悍赢, [k8s云集群混搭模式落地分享],但一直沒來(lái)得及對(duì)其進(jìn)行系統(tǒng)的學(xué)習(xí),本系列文章還像以前Docker系列一樣左权,以筆記的形式進(jìn)行記錄與分享皮胡,會(huì)包括理論與實(shí)踐,感興趣的同學(xué)可以關(guān)注赏迟,一起探索下目前較為流行的容器化及服務(wù)編排解決方案屡贺。
工欲善其事,必先利其器锌杀,本文先介紹如何在本地自行搭建一套k8s集群甩栈,并且采用我們前面介紹過的Ansible來(lái)提高效率(參考 [Ansible簡(jiǎn)明教程]
本文所涉及的所有配置文件可在這里找到 github
一. 準(zhǔn)備服務(wù)器節(jié)點(diǎn)
如果還沒有服務(wù)器,可以參考 [ubuntu18.04上搭建KVM虛擬機(jī)環(huán)境超完整過程]創(chuàng)建虛擬服務(wù)器糕再。
服務(wù)器節(jié)點(diǎn)IP(hostname):
- 192.168.40.111 (kmaster)
- 192.168.40.112 (knode1)
- 192.168.40.113 (knode2)
- 192.168.40.114 (knode3)
操作系統(tǒng)版本:
-
cat /etc/redhat-release: CentOS Linux release 7.6.1810 (Core) -
uname -a: 3.10.0-957.el7.x86_64
二. 配置Ansible
如果還沒有Ansible環(huán)境量没,可以參考 [Ansible簡(jiǎn)明教程]搭建。
1.在Ansible服務(wù)器上的/etc/hosts文件中添加k8s服務(wù)器節(jié)點(diǎn)信息(參考 hosts)
192.168.40.111 kmaster
192.168.40.112 knode1
192.168.40.113 knode2
192.168.40.114 knode3
2.在Ansible服務(wù)器上的/etc/ansible/hosts文件中添加k8s服務(wù)器節(jié)點(diǎn)(參考 ansible_hosts)
[k8s-all]
kmaster
knode1
knode2
knode3
[k8s-master]
kmaster
[k8s-nodes]
knode1
knode2
knode3
三. 修改k8s集群各節(jié)點(diǎn)/etc/hosts(非必須)
修改所有主機(jī)/etc/hosts文件亿鲜,添加IP/主機(jī)名映射允蜈,方便通過主機(jī)名ssh訪問
1.創(chuàng)建playbook文件(參考 set_hosts_playbook.yml)
vim set_hosts_playbook.yml
---
- hosts: k8s-all
remote_user: root
tasks:
- name: backup /etc/hosts
shell: mv /etc/hosts /etc/hosts_bak
- name: copy local hosts file to remote
copy: src=/etc/hosts dest=/etc/ owner=root group=root mode=0644
2.執(zhí)行ansible-playbook
ansible-playbook set_hosts_playbook.yml
四. 安裝Docker
在所有主機(jī)上安裝Docker
1.創(chuàng)建playbook文件(參考 install_docker_playbook.yml)
vim install_docker_playbook.yml
- hosts: k8s-all
remote_user: root
vars:
docker_version: 18.09.2
tasks:
- name: install dependencies
#shell: yum install -y yum-utils device-mapper-persistent-data lvm2
yum: name={{item}} state=present
with_items:
- yum-utils
- device-mapper-persistent-data
- lvm2
- name: config yum repo
shell: yum-config-manager --add-repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
- name: install docker
yum: name=docker-ce-{{docker_version}} state=present
- name: start docker
shell: systemctl enable docker && systemctl start docker
2.執(zhí)行ansible-playbook
ansible-playbook install_docker_playbook.yml
五. 部署k8s master
1.開始部署之前,需要做一些初始化處理:關(guān)閉防火墻蒿柳、關(guān)閉selinux饶套、禁用swap、配置k8s阿里云yum源等垒探,所有操作放在腳本 pre-setup.sh 中妓蛮,并在2中playbook中通過script模塊執(zhí)行
2.創(chuàng)建playbook文件 deploy_master_playbook.yml,只針對(duì)master節(jié)點(diǎn)圾叼,安裝kubectl蛤克,kubeadm,kubelet夷蚊,以及flannel(將kube-flannel.yml文件里鏡像地址的quay.io改為quay-mirror.qiniu.com避免超時(shí)构挤,參考 kube-flannel.yml)
vim deploy_master_playbook.yml
- hosts: k8s-master
remote_user: root:q
vars:
kube_version: 1.16.0-0
k8s_version: v1.16.0
k8s_master: 192.168.40.111
tasks:
- name: prepare env
script: ./pre-setup.sh
- name: install kubectl,kubeadm,kubelet
yum: name={{item}} state=present
with_items:
- kubectl-{{kube_version}}
- kubeadm-{{kube_version}}
- kubelet-{{kube_version}}
- name: init k8s
shell: kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version {{k8s_version}} --apiserver-advertise-address {{k8s_master}} --pod-network-cidr=10.244.0.0/16 --token-ttl 0
- name: config kube
shell: mkdir -p $HOME/.kube && cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && chown $(id -u):$(id -g) $HOME/.kube/config
- name: copy flannel yaml file
copy: src=./kube-flannel.yml dest=/tmp/ owner=root group=root mode=0644
- name: install flannel
shell: kubectl apply -f /tmp/kube-flannel.yml
- name: get join command
shell: kubeadm token create --print-join-command
register: join_command
- name: show join command
debug: var=join_command verbosity=0
3.執(zhí)行ansible-playbook
ansible-playbook deploy_master_playbook.yml
4.上述命令執(zhí)行完成會(huì)輸出節(jié)點(diǎn)加入k8s集群的命令,如下圖惕鼓。記下該命令筋现,后面部署node時(shí)會(huì)用到
六. 部署k8s node
1.同master一樣,開始部署之前箱歧,需要做一些初始化處理:關(guān)閉防火墻矾飞、關(guān)閉selinux、禁用swap呀邢、配置k8s阿里云yum源等洒沦,所有操作放在腳本 pre-setup.sh 中,并在2中playbook中通過script模塊執(zhí)行
2.創(chuàng)建playbook文件 deploy_nodes_playbook.yml价淌,針對(duì)除master外的其它集群節(jié)點(diǎn)申眼,安裝kubeadm瞒津,kubelet,并將節(jié)點(diǎn)加入到k8s集群中豺型,使用的是前面部署master時(shí)輸出的加入集群命令
vim deploy_nodes_playbook.yml
- hosts: k8s-nodes
remote_user: root
vars:
kube_version: 1.16.0-0
tasks:
- name: prepare env
script: ./pre-setup.sh
- name: install kubeadm,kubelet
yum: name={{item}} state=present
with_items:
- kubeadm-{{kube_version}}
- kubelet-{{kube_version}}
- name: start kubelt
shell: systemctl enable kubelet && systemctl start kubelet
- name: join cluster
shell: kubeadm join 192.168.40.111:6443 --token zgx3ov.zlq3jh12atw1zh8r --discovery-token-ca-cert-hash sha256:60b7c62687974ec5803e0b69cfc7ccc2c4a8236e59c8e8b8a67f726358863fa7
3.執(zhí)行ansible-playbook
ansible-playbook deploy_nodes_playbook.yml
4.稍等片刻仲智,即可在master節(jié)點(diǎn)上通過kubectl get nodes看到加入到集群中的節(jié)點(diǎn),并且status為Ready狀態(tài)姻氨,如下
[root@kmaster ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
kmaster Ready master 37m v1.16.0
knode1 Ready <none> 7m1s v1.16.0
knode2 Ready <none> 7m1s v1.16.0
knode3 Ready <none> 4m12s v1.16.0
至此,k8s集群基本部署完成剪验。接下來(lái)可安裝Ingress與Dashboard肴焊。
七. 安裝Ingress
Ingress為集群內(nèi)服務(wù)提供外網(wǎng)訪問,包括基于Nginx與Traefik兩個(gè)版本功戚,這里使用比較熟悉的Nginx版本娶眷。安裝Ingress的操作在master節(jié)點(diǎn)進(jìn)行(因?yàn)榍懊嬖趍aster節(jié)點(diǎn)安裝并配置了kubectl,也可在其它安裝并配置好了kubectl的節(jié)點(diǎn)進(jìn)行)
1.下載yaml文件(此目錄已包含 nginx-ingress.yaml啸臀,并修改了鏡像地址届宠,可直接進(jìn)入第3步)
wget -O nginx-ingress.yaml https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/baremetal/deploy.yaml
2.將里面的quay.io修改為quay-mirror.qiniu.com,避免鏡像拉取超時(shí)乘粒。同時(shí)在nginx-ingress-controller的Deployment上添加hostNetwork為true及nginx-ingress的標(biāo)簽豌注,以使用宿主機(jī)網(wǎng)絡(luò)與控制Ingress部署的節(jié)點(diǎn)
vim nginx-ingress.yaml
:s/quay.io/quay-mirror.qiniu.com/g
vim nginx-ingress.yaml
spec:
hostNetwork: true
nodeSelector:
nginx-ingress: "true"
3.部署Ingress
首先在knode1節(jié)點(diǎn)上打標(biāo)簽nginx-ingress=true,控制Ingress部署到knode1上灯萍,保持IP固定轧铁。
[root@kmaster k8s-deploy]# kubectl label node knode1 nginx-ingress=true
node/knode1 labeled
然后完成nginx-ingress的部署
kubectl apply -f nginx-ingress.yaml
4.部署完成,稍等片刻等Pod創(chuàng)建完成旦棉,可通過如下命令查看ingress相關(guān)Pod情況
[root@kmaster k8s-deploy]# kubectl get pods -n ingress-nginx -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx-admission-create-drpg5 0/1 Completed 0 79m 10.244.2.2 knode1 <none> <none>
ingress-nginx-admission-patch-db2rt 0/1 Completed 1 79m 10.244.3.2 knode3 <none> <none>
ingress-nginx-controller-575cffb49c-4xm55 1/1 Running 0 79m 192.168.40.112 knode1 <none> <none>
八. 安裝Kubernetes Dashboard
1.下載yaml文件(此目錄已包含 kubernetes-dashboard.yaml 文件齿风,可直接進(jìn)入第3步)
wget -O kubernetes-dashboard.yaml https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta5/aio/deploy/recommended.yaml
2.修改kubernetes-dashboard.yaml
將Service type改為NodePort,使得可通過IP訪問Dashboard绑洛。注釋掉默認(rèn)的Secret(默認(rèn)的secret權(quán)限很有限救斑,看不到多少數(shù)據(jù))
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: NodePort
ports:
- port: 443
targetPort: 8443
nodePort: 30443
selector:
k8s-app: kubernetes-dashboard
3.部署Dashboard,并創(chuàng)建綁定cluster-admin角色的ServiceAccount —— admin-user (參考 auth.yaml)
kubectl apply -f kubernetes-dashboard.yaml
kubectl apply -f kubernetes-dashboard-auth.yaml
4.訪問Dashboard
訪問 https://集群任意節(jié)點(diǎn)IP:30443真屯,打開Dashboard登錄頁(yè)面脸候,執(zhí)行如下命令獲取登錄token
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
使用token完成登錄,如圖
九. 解決證書無(wú)效問題
安裝完后讨跟,默認(rèn)的證書可能無(wú)效纪他,在Chrome瀏覽中無(wú)法打開Dashboard,可通過重新生成證書解決晾匠。
1.創(chuàng)建自定義證書
[root@kmaster ~]# cd /etc/kubernetes/pki/
#生成私鑰
[root@kmaster pki]# openssl genrsa -out dashboard.key 2048
#生成證書
[root@kmaster pki]# openssl req -new -key dashboard.key -out dashboard.csr -subj "/O=JBST/CN=kubernetes-dashboard"
#使用集群的CA來(lái)簽署證書
[root@kmaster pki]# openssl x509 -req -in dashboard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out dashboard.crt -days 3650
#查看自創(chuàng)證書
[root@kmaster pki]# openssl x509 -in dashboard.crt -noout -text
2.注釋 kubernetes-dashboard.yaml 中默認(rèn)的Secret茶袒,
#---
#
#apiVersion: v1
#kind: Secret
#metadata:
# labels:
# k8s-app: kubernetes-dashboard
# name: kubernetes-dashboard-certs
# namespace: kubernetes-dashboard
#type: Opaque
3.重新部署Dashboard,并通過自定義證書創(chuàng)建新的Secret
[root@kmaster k8s-deploy]# kubectl delete -f kubernetes-dashboard.yaml
[root@kmaster k8s-deploy]# kubectl apply -f kubernetes-dashboard.yaml
[root@kmaster k8s-deploy]# kubectl create secret generic kubernetes-dashboard-certs --from-file=dashboard.crt=/etc/kubernetes/pki/dashboard.crt --from-file=dashboard.key=/etc/kubernetes/pki/dashboard.key -n kubernetes-dashboard
十. 在本地(win10)管理k8s集群
1.下載kubectl windows版本: https://storage.googleapis.com/kubernetes-release/release/v1.16.0/bin/windows/amd64/kubectl.exe
2.將kubectl.exe文件所在目錄加入系統(tǒng)環(huán)境變量的Path中
3.將master節(jié)點(diǎn)上 /etc/kubernetes/admin.conf 的內(nèi)容拷貝到本地用戶目錄的 .kube/config 文件中凉馆,如 C:\Users\Administrator\.kube\config
4.驗(yàn)證
C:\Users\Administrator>kubectl get nodes
NAME STATUS ROLES AGE VERSION
kmaster Ready master 4d19h v1.16.0
knode1 Ready <none> 4d19h v1.16.0
knode2 Ready <none> 4d19h v1.16.0
knode3 Ready <none> 4d19h v1.16.0
本文所涉及的所有配置文件可在這里找到 github
作者:空山新雨的技術(shù)空間
鏈接:https://www.imooc.com/article/303926
