Preface
This article walks through installing and deploying Kubernetes, following the official Kubernetes documentation.
Preparation
Prepare a server. If you don't have one, that is fine; a local machine works too. See the earlier article on how to set up a local server.
Server requirements: CPU >= 2 cores, memory >= 2 GB
Change the hostname
# Change the hostname (makes it easy to tell the master and worker servers apart)
vi /etc/hostname
# Check the current hostname
cat /etc/hostname
# Point this machine's IP at the hostname
vi /etc/hosts
# Check
grep k8s /etc/hosts
# Do the same on the worker servers
Configure the firewall
On a local test server, for convenience, simply turn the firewall off. In production, open only the required ports; see the official documentation for the list.
Disable SELinux
# Edit /etc/selinux/config and set SELINUX=disabled, as shown in the figure below
vi /etc/selinux/config
# Check the SELinux status
sestatus
Disable swap
1. Method one: edit the configuration
# Edit /etc/fstab and comment out the swap line, then reboot the machine.
vi /etc/fstab
#/dev/mapper/cl-swap swap swap defaults 0 0
2. Method two: turn it off with a command (reverts after a reboot)
# Turn it off
swapoff -a
# Check the swap status
free
If swap has not been turned off, kubeadm reports the following error, as shown in the figure below:
[ERROR Swap]: running with swap on is not supported. Please disable swap
Install Docker
The commands below are my trimmed-down version; just run them in order. See also the official Docker installation documentation.
# Check the kernel version; Docker requires a version greater than 3.10
uname -r
# Install some required system tools
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Add the package repository (a mirror, so Docker pulls images faster)
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Refresh the yum cache
sudo yum makecache fast
# Download a newer containerd rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
# Install containerd.io (I am on CentOS 8, whose containerd is too old to install a recent Docker version)
yum install containerd.io-1.2.6-3.3.el7.x86_64.rpm
# List every Docker version in the repositories and pick a specific one to install
yum list docker-ce --showduplicates | sort -r
# Pin the version: k8s does not yet support the latest Docker 19.x
sudo yum -y install docker-ce-18.09.9-3.el7
Change the Docker registry mirror
# Edit daemon.json
vi /etc/docker/daemon.json
{
  "registry-mirrors": ["https://cr.console.aliyun.com"]
}
# Restart the Docker service
systemctl restart docker.service
# Show Docker information
docker info
# Command to start Docker
service docker start    # or: systemctl start docker
# Start Docker at boot
systemctl enable docker
Other registry mirrors
- hub-mirror.c.163.com
- registry.docker-cn.com
- docker.mirrors.ustc.edu.cn
- pee6w651.mirror.aliyuncs.com
Install Kubernetes
Change the package source
The address in the official documentation is not reachable from here, so switch to the Alibaba Cloud mirror.
# Create kubernetes.repo
vi /etc/yum.repos.d/kubernetes.repo
# Add the following to kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kube*
Finally, the main event: installing K8S
# Install kubelet, kubeadm and kubectl
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
# Start kubelet now and at boot
systemctl enable kubelet && systemctl start kubelet
Change the network configuration
# Create k8s.conf
vi /etc/sysctl.d/k8s.conf
# Add the following to k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
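The three host settings above (swap off, SELinux disabled, the two bridge-nf-call sysctls) are exactly what kubeadm's preflight later complains about, so it is worth checking them before running it. As an added example, not code from the original post, here is a small POSIX shell preflight that checks each one. Every check takes the file to inspect as an argument, defaulting to the real system path, so it can also be tried against constructed sample files; the function names are assumptions made for this example. Note that the sysctl check only reads the file: values in /etc/sysctl.d take effect after `sysctl --system` or a reboot.

```shell
#!/bin/sh
# Added example (not from the original post): offline-testable preflight
# for the host settings kubeadm requires. Paths default to the real system
# files; pass other paths to test against constructed samples.

# swap_state [PROC_SWAPS]: "off" when /proc/swaps holds only its header
# line, otherwise "on" (the condition behind kubeadm's "[ERROR Swap]").
swap_state() {
  f=${1:-/proc/swaps}
  if [ "$(tail -n +2 "$f" | grep -c .)" -eq 0 ]; then echo off; else echo on; fi
}

# selinux_config_mode [CONFIG]: the SELINUX= value from /etc/selinux/config,
# ignoring comment lines; prints "unset" when the key is absent.
# (This is the on-disk setting; `sestatus` shows the live mode.)
selinux_config_mode() {
  f=${1:-/etc/selinux/config}
  v=$(grep -v '^[[:space:]]*#' "$f" | sed -n 's/^[[:space:]]*SELINUX=\(.*\)$/\1/p' | tail -n 1)
  echo "${v:-unset}"
}

# bridge_nf_state [SYSCTL_CONF]: "ok" when both bridge-nf-call keys are
# set to 1 in the given sysctl file, otherwise "missing".
bridge_nf_state() {
  f=${1:-/etc/sysctl.d/k8s.conf}
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$f" \
      || { echo missing; return 0; }
  done
  echo ok
}

# preflight [PROC_SWAPS] [SELINUX_CONFIG] [SYSCTL_CONF]: prints "pass" or
# "fail" on stdout and names every failed check on stderr.
preflight() {
  rc=pass
  [ "$(swap_state "$1")" = off ] || { echo "swap is still on" >&2; rc=fail; }
  [ "$(selinux_config_mode "$2")" = disabled ] || { echo "SELinux is not disabled" >&2; rc=fail; }
  [ "$(bridge_nf_state "$3")" = ok ] || { echo "bridge-nf-call sysctls missing" >&2; rc=fail; }
  echo "$rc"
}

# Usage on the host itself (all defaults):
#   preflight
```

Run `preflight` with no arguments on the master and on each worker before `kubeadm init` or `kubeadm join`; a `fail` result with the reason on stderr is cheaper to act on than the same finding buried in kubeadm's preflight output.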
Initialize the master
# Generate the initialization file kubeadm-init.yaml
kubeadm config print init-defaults > kubeadm-init.yaml
Change two things in kubeadm-init.yaml:
- Change advertiseAddress: 1.2.3.4 to this machine's IP; mine is 192.168.1.101
- Change imageRepository: k8s.gcr.io to imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
The file after the changes:
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.1.101
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: k8s-master
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.cn-hangzhou.aliyuncs.com/google_containers
kind: ClusterConfiguration
kubernetesVersion: v1.18.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
scheduler: {}
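The two edits to kubeadm-init.yaml are easy to get wrong by hand (a leftover 1.2.3.4 makes the API server advertise an address nobody can reach). As an added example, not code from the original post, here is the same change done with sed plus a check that both placeholders are really gone before `kubeadm init` reads the file. The function names and the abbreviated sample file are assumptions constructed for the example; on a real host the input is the output of `kubeadm config print init-defaults`.

```shell
#!/bin/sh
# Added example (not from the original post): apply and verify the two
# kubeadm-init.yaml edits from the post. Assumes GNU sed (for -i) and grep.

# patch_kubeadm_init FILE IP REPO: rewrite advertiseAddress and
# imageRepository in place, keeping each line's indentation.
patch_kubeadm_init() {
  file=$1; ip=$2; repo=$3
  sed -i \
    -e "s|^\([[:space:]]*advertiseAddress:\).*|\1 $ip|" \
    -e "s|^\([[:space:]]*imageRepository:\).*|\1 $repo|" \
    "$file"
}

# check_kubeadm_init FILE IP REPO: print "ok" when both fields carry the
# expected values and the defaults 1.2.3.4 / k8s.gcr.io no longer appear
# anywhere in the file; otherwise print "mismatch".
check_kubeadm_init() {
  file=$1; ip=$2; repo=$3
  if grep -qF -- "advertiseAddress: $ip" "$file" \
     && grep -qF -- "imageRepository: $repo" "$file" \
     && ! grep -qF -- '1.2.3.4' "$file" \
     && ! grep -qF -- 'k8s.gcr.io' "$file"; then
    echo ok
  else
    echo mismatch
  fi
}

# make_sample_init FILE: a constructed, abbreviated init-defaults file
# (sample data, not real kubeadm output) for trying the functions out.
make_sample_init() {
  cat > "$1" <<'EOF'
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 1.2.3.4
  bindPort: 6443
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
imageRepository: k8s.gcr.io
kubernetesVersion: v1.18.0
EOF
}

# Usage on the master, after `kubeadm config print init-defaults > kubeadm-init.yaml`:
#   patch_kubeadm_init kubeadm-init.yaml 192.168.1.101 registry.cn-hangzhou.aliyuncs.com/google_containers
#   check_kubeadm_init kubeadm-init.yaml 192.168.1.101 registry.cn-hangzhou.aliyuncs.com/google_containers
```

The check deliberately searches the whole file for the old defaults rather than only the two lines, so a second `advertiseAddress` left behind by a copy-and-paste mistake is also caught.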
Run the initialization
# Pull the images
kubeadm config images pull --config kubeadm-init.yaml
# Run the initialization
kubeadm init --config kubeadm-init.yaml
# When it succeeds, save the following output; it is needed later when worker nodes join
kubeadm join 192.168.1.101:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:7a1832829379797b35df8c2cd19513760a1168e60f28b1073c278208e391eb89
Set up the environment; otherwise kubectl commands cannot run
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Without the configuration above, you get the following error:
[root@k8s-master k8s]# kubectl get node
The connection to the server localhost:8080 was refused - did you specify the right host or port?
Configure networking
wget https://docs.projectcalico.org/v3.8/manifests/calico.yaml
In calico.yaml, change 192.168.0.0/16 to 10.96.0.0/12 (search for 192.168.0.0/16, since the file is long); 10.96.0.0/12 is the cluster network configured in kubeadm-init.yaml.
Check the network status
kubectl get node
Install the Dashboard
# Download the manifest
# raw.githubusercontent.com may be unreachable from networks inside China
# If you cannot reach it, copy the file directly from GitHub: https://github.com/kubernetes/dashboard/blob/master/aio/deploy/recommended.yaml
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta4/aio/deploy/recommended.yaml
# Deploy it
kubectl apply -f recommended.yaml
# After deployment, check the pod status
kubectl get pods --all-namespaces | grep dashboard
Both kubernetes-dashboard pods must be in the Running state before continuing with the steps below.
Create a user
Create the file dashboard-adminuser.yaml, which creates the user
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
# Apply it
kubectl apply -f dashboard-adminuser.yaml
Generate certificates
# Generate kubecfg.crt (written with > rather than >>, so re-running replaces the file instead of appending a second PEM block)
grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
# Generate kubecfg.key, and from it kubecfg.p12 for use in the client
grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
# This step prompts for a password
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
Import the generated kubecfg.p12 into your browser (not covered in detail here; search for instructions). Without it, the UI cannot be reached.
The login URL is as follows (replace the IP with your own server's): https://192.168.1.101:6443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/#/login
When the page opens, you are prompted to choose a certificate, as shown in the figure below:
Choose the Token login method
Get the Token
# Get the Token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
Copy the Token into the login page and click Sign in, as shown in the figure below:
Add a node
Set up another machine configured the same way as the master node: repeat the steps from Preparation through Install Kubernetes (but do not run the initialization)
# Join the cluster
kubeadm join 192.168.1.101:6443 --token abcdef.0123456789abcdef \
--discovery-token-ca-cert-hash sha256:7a1832829379797b35df8c2cd19513760a1168e60f28b1073c278208e391eb89
Regenerate the Token
The token generated when the master node was created is valid for only 24 hours.
# If the token has expired, joining fails with the following error
[root@k8s-worker k8s]$ kubeadm join 192.168.1.101:6443 --token abcdef.0123456789abcdef \
> --discovery-token-ca-cert-hash sha256:7a1832829379797b35df8c2cd19513760a1168e60f28b1073c278208e391eb89
W0718 05:43:01.391592 5847 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[WARNING Hostname]: hostname "k8s-worker" could not be reached
[WARNING Hostname]: hostname "k8s-worker": lookup k8s-worker on 10.8.14.20:53: server misbehaving
error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "abcdef"
To see the stack trace of this error execute with --v=5 or higher
Regenerate the token
[root@k8s-master ~]$
W0718 05:40:53.293650 24688 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
2if9aq.i0bh2vkzps6xk884
[root@k8s-master ~]$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
> openssl dgst -sha256 -hex | sed 's/^.* //'
36ff3014e2aaa92c9dbaa61a21c7f62a9ffa0c5128213019df9db1af844cffde
First value to substitute: 2if9aq.i0bh2vkzps6xk884. Second value to substitute: 36ff3014e2aaa92c9dbaa61a21c7f62a9ffa0c5128213019df9db1af844cffde
The final result:
kubeadm join 192.168.1.111:6443 --token 2if9aq.i0bh2vkzps6xk884 \
--discovery-token-ca-cert-hash sha256:36ff3014e2aaa92c9dbaa61a21c7f62a9ffa0c5128213019df9db1af844cffde
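Two steps of this post lean on openssl: pulling the client certificate and key out of ~/.kube/config (Generate certificates) and deriving the value behind --discovery-token-ca-cert-hash (Regenerate the Token). The following is one added example covering both; it is not code from the original post. It generates a throwaway CA and a client certificate with openssl as constructed sample data, writes a minimal kubeconfig in the same inline base64 form kubeadm puts in admin.conf, and then runs both steps against those files, so it works without a cluster; the function names are assumptions. Two points worth knowing: the client credential kubeadm writes to admin.conf is issued in the system:masters group, so the extracted kubecfg.key is a cluster-admin credential and is created here with owner-only permissions; and the discovery hash is the SHA-256 of the CA certificate's DER-encoded SubjectPublicKeyInfo, which is why the post's pipeline feeds `openssl rsa -pubin -outform der` into `openssl dgst`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl, base64 and awk
# on PATH. All keys and certificates are generated here as throwaway sample
# data; on a real master the CA is /etc/kubernetes/pki/ca.crt and the
# kubeconfig is ~/.kube/config.

# make_demo_pki DIR: a self-signed CA plus a client key/cert signed by it.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-kubernetes-ca \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kubernetes-admin/O=system:masters" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.crt" >/dev/null 2>&1
}

# make_demo_kubeconfig DIR: a minimal kubeconfig carrying the client
# credentials inline, base64-encoded on one line as kubeadm writes them.
make_demo_kubeconfig() {
  dir=$1
  crt=$(base64 < "$dir/client.crt" | tr -d '\n')
  key=$(base64 < "$dir/client.key" | tr -d '\n')
  cat > "$dir/config" <<EOF
apiVersion: v1
kind: Config
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $crt
    client-key-data: $key
EOF
}

# extract_client_creds KUBECONFIG OUTDIR: the post's two grep|awk|base64
# lines, writing with > (a re-run replaces the files) and creating the
# private key under umask 077 so only the owner can read it.
extract_client_creds() {
  cfg=$1; out=$2
  grep 'client-certificate-data' "$cfg" | head -n 1 | awk '{print $2}' | base64 -d > "$out/kubecfg.crt"
  ( umask 077; grep 'client-key-data' "$cfg" | head -n 1 | awk '{print $2}' | base64 -d > "$out/kubecfg.key" )
}

# creds_match CRT KEY: "match" when the key's public half equals the one in
# the certificate; the check to run before the pkcs12 export.
creds_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  b=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$a" = "$b" ] && echo match || echo mismatch
}

# ca_cert_hash CA_CRT: SHA-256 over the DER SubjectPublicKeyInfo of the CA
# certificate, the value kubeadm join checks the cluster CA against.
# `openssl pkey` is used instead of `openssl rsa` so a non-RSA CA also works.
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# ca_cert_hash_rsa CA_CRT: the post's exact pipeline, kept for comparison.
ca_cert_hash_rsa() {
  openssl x509 -pubkey -in "$1" | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# join_command ENDPOINT TOKEN CA_CRT: assemble the kubeadm join line from a
# freshly created token and the CA certificate.
join_command() {
  echo "kubeadm join $1 --token $2 --discovery-token-ca-cert-hash sha256:$(ca_cert_hash "$3")"
}

# Usage on a real master (token obtained from `kubeadm token create`):
#   join_command 192.168.1.101:6443 2if9aq.i0bh2vkzps6xk884 /etc/kubernetes/pki/ca.crt
```

A mismatched key and certificate only surface later as an unexplained browser error, which is why creds_match runs before the pkcs12 export. The hash functions agree for an RSA CA (the test checks this); only the `openssl pkey` form keeps working if the cluster CA is ever issued with an ECDSA key.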