一、安装概述
安装主要有三种方式:
- MiniKube工具安装,主要用于学习
- 二进制安装,需要配置参数
- Kubeadm安装,以镜像的方式部署
二、部署k8s集群
2.1.环境准备
【软件版本】
软件 | 版本 |
OS | CentOS Linux release 7.5.1804 (Core) |
Dokcer | docker-ce-18.03.1.ce-1.el7.centos.x86_64 |
Kubernetes | 1.14.1 |
etcd | 3.3.10 |
fiannel | v0.11.0 |
Kubeadm | kubeadm-1.14.1-0.x86_64 |
主机名 | 角色 | ip | 软件 |
node-1 | master | 172.19.159.7 | docker,kubelet,etcd,kube-apiserver,kube-controller-manager,kube-scheduler |
node-2 | worker | 172.19.159.8 | docker,kubelet,kube-proxy,flannel |
node-3 | worker | 172.19.159.9 | docker,kubelet,kube-proxy,flannel |
以下操作需要在三台服务器上进行
1.修改三台服务器hostname
hostnamectl set-hostname node-1
hostnamectl set-hostname node-2
hostnamectl set-hostname node-3
2.设置hosts文件
vi /etc/hosts
172.19.159.7 node-1
172.19.159.8 node-2
172.19.159.9 node-3
3.设置SSH无密码登录,并通过ssh-copy-id将公钥拷贝到对端
比如在node-1上进行如下操作
ssh-keygen
ssh-copy-id -i /root/.ssh/id_rsa.pub node-2
ssh-copy-id -i /root/.ssh/id_rsa.pub node-3
4.关闭SELINUX
sed -i 's/enforcing/disabled/g' /etc/selinux/config
systemctl stop firewalld
systemctl disable firewalld
2.2.安装docker环境
三台服务器均需要安装
安装脚本
cat docker_install.sh
#!/bin/bash
installdocker()
{
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum makecache fast
yum -y install docker-ce
}
docker version
if [ $? -eq 127 ];then
echo "we can install docker-ce"
sleep 5
installdocker
docker version
if [ $? -lt 127 ];then
echo "the installation of docker-ce is ok."
rpm -qa | grep docker | xargs rpm -e --nodeps
yum -y install docker-ce-18.03*
else
echo "the installation of docker-ce failed ,please reinstall"
exit -1
fi
else
echo "docker have installed,pleae uninstall old version"
sleep 5
rpm -qa | grep docker | xargs rpm -e --nodeps
docker version
if [ $? -eq 127 ];then
echo "old docker have been uninstalled and you can install docker-ce"
sleep 5
installdocker
docker version
if [ $? -lt 127 ];then
echo "the installation of docker-ce is ok."
rpm -qa | grep docker | xargs rpm -e --nodeps
yum -y install docker-ce-18.03*
else
echo "the installation of docker-ce failed anad please reinstall."
exit -1
fi
else
echo "the old docker uninstalled conpletely and please uninstall again."
exit -1
fi
fi
systemctl start docker && systemctl enable docker && systemctl daemon-reload
docker_version=$(docker version | grep "Version" | awk '{print $2}' | head -n 2 | sed -n '2p')
if [ $? -eq 0 ];then
echo "docker start successfully and the version is ${docker_version}"
fi
# 配置docker加速拉取
echo {\"registry-mirrors\":[\"https://nr630v1c.mirror.aliyuncs.com\"]} > /etc/docker/daemon.json
chmod +x docker_install.sh
bash docker_install.sh
设置cggroup driver类型为systemd
cat /etc/docker/daemon.json
{
"registry-mirrors":["https://nr630v1c.mirror.aliyuncs.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
2.3.安装kubeadm组件
三台服务器均需要安装
1.设置kubenertes源
cat /etc/yum.repos.d/kubernetes.repo
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
2.安装kubeadm,kubelet,kubectl
yum install kubeadm-1.14.1-0 kubectl-1.14.1-0 kubelet-1.14.1-0 --disableexcludes=kubernetes -y
3.配置网桥
cat /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
sysctl --system加载配置
4.将kubelet加入系统服务
systemctl enable kubelet
注意这里不要使用sysytemctl start kubelet,后面进行集群初始化的时候会自动启动该服务
一定要注意kubelet所使用的cgroup driver要与docker一致,否则kubelet无法启动,前面我们设置了docker的cgroup driver为systemd,下面设置kubelet
cat /etc/default/kubelet
KUBELET_KUBEADM_EXTRA_ARGS=--cgroup-driver=systemd
在文件/etc/systemd/system/multi-user.target.wants/kubelet.service的service模块中添加
EnvironmentFile=-/etc/default/kubelet
2.4.导入kubernetes镜像
首先下载离线镜像包
kubernetes-v1.14.1离线镜像包
导入镜像
为了方便,三台服务器都导入全部kubernetes镜像
for i in $(ls);do docker load -i $i;done
k8s.gcr.io/kube-proxy v1.14.1 20a2d7035165 10 months ago 82.1MB
k8s.gcr.io/kube-apiserver v1.14.1 cfaa4ad74c37 10 months ago 210MB
registry.cn-shanghai.aliyuncs.com/linuxwt/kube-apiserver v1.14.1 cfaa4ad74c37 10 months ago 210MB
k8s.gcr.io/kube-controller-manager v1.14.1 efb3887b411d 10 months ago 158MB
k8s.gcr.io/kube-scheduler v1.14.1 8931473d5bdb 10 months ago 81.6MB
quay.io/coreos/flannel v0.11.0-amd64 ff281650a721 13 months ago 52.6MB
k8s.gcr.io/coredns 1.3.1 eb516548c180 13 months ago 40.3MB
k8s.gcr.io/etcd 3.3.10 2c4adeb21b4f 15 months ago 258MB
k8s.gcr.io/pause 3.1 da86e6ba6ca1 2 years ago 742kB
2.5.集群初始化
初始化
node-1上
执行下面的命令
[root@node-1 ~]# kubeadm init --apiserver-advertise-address 172.19.159.7 --apiserver-bind-port 6443 --kubernetes-version 1.14.1 --pod-network-cidr 10.244.0.0/16
[init] Using Kubernetes version: v1.14.1
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.03.1-ce. Latest validated version: 18.09
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [node-1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.19.159.7]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [node-1 localhost] and IPs [172.19.159.7 127.0.0.1 ::1]
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [node-1 localhost] and IPs [172.19.159.7 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 18.002772 seconds
[upload-config] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.14" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --experimental-upload-certs
[mark-control-plane] Marking the node node-1 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node node-1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: fl5itt.m5aidmf451jbgeq6
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 172.19.159.7:6443 --token fl5itt.m5aidmf451jbgeq6 \
--discovery-token-ca-cert-hash sha256:872d799f5a16950e9c9582aa4ed638537ae069a207563ff4d6e50af1c520ef26
上面的命令显示了kubeadm安装过程中的一些重要步骤:下载镜像,生成证书,生成配置文件,配置RBAC授权认证,配置环境变量,安装网络插件指引,添加node指引配置文件
生成kube环境配置文件
node-1上
mkdir /root/.kube
cp -i /etc/kubernetes/admin.conf /root/.kube/config
kubectl get nodes
NAME STATUS ROLES AGE VERSION
node-1 NotReady master 159m v1.14.1
添加node节点
node-2上执行命令
kubeadm join 172.19.159.7:6443 --token fl5itt.m5aidmf451jbgeq6 \
--discovery-token-ca-cert-hash sha256:872d799f5a16950e9c9582aa4ed638537ae069a207563ff4d6e50af1c520ef26
node-3上执行上面的命令
node-1上查看
kubectl get nodes
NAME STATUS ROLES AGE VERSION
node-1 NotReady master 3h33m v1.14.1
node-2 NotReady <none> 5m3s v1.14.1
node-3 NotReady <none> 3m18s v1.14.1
安装网络plugin
kubernetes支持多种类型网络插件,要求网络支持CNI插件即可,CNI是Container Network Interface,要求kubernetes的中pod网络访问方式:
- node与node之间互通
- pod与pod之间互通
- node与pod之间互通
kubernetes支持多种开源的网络CNI插件,常见的有flannel、calico、canal、weave等,flannel是一种overlay的网络模型,通过vxlan隧道方式构建tunnel网络,实现k8s中网络的互联
node-1上
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/62e44c867a2846fefb68bd5f178daf4da3095ccb/Documentation/kube-flannel.yml
podsecuritypolicy.extensions/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.extensions/kube-flannel-ds-amd64 created
daemonset.extensions/kube-flannel-ds-arm64 created
daemonset.extensions/kube-flannel-ds-arm created
daemonset.extensions/kube-flannel-ds-ppc64le created
daemonset.extensions/kube-flannel-ds-s390x created
通过上述输出可知道,部署flannel 需要RBAC授权,配置configmap和daemonset,其中Daemonset能够适配各种类型的CPU架构,默认安装了多个,一般是adm64即可,可以将上述的url下载编辑,保留kube-flannel-ds-amd64这个daemonset即可,或者将其删除
kubectl get daemonsets -n kube-system
删除不需要的damonsets
kubectl delete daemonsets kube-flannel-ds-arm kube-flannel-ds-arm64 kube-flannel-ds-ppc64le kube-flannel-ds-s390x -n kube-system
kubectl get nodes
NAME STATUS ROLES AGE VERSION
node-1 Ready master 4h28m v1.14.1
node-2 Ready <none> 60m v1.14.1
node-3 Ready <none> 58m v1.14.1
2.6.验证kubernetes组件
验证node状态
kubectl get nodes获取各个节点的状态、角色、运行时长、版本等信息
查看kubernetes服务组件状态
kubectl get componentstatuses
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
查看pod情况
kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-fb8b8dccf-mhkkk 1/1 Running 0 7h17m
coredns-fb8b8dccf-vz65l 1/1 Running 0 7h17m
etcd-node-1 1/1 Running 0 7h16m
kube-apiserver-node-1 1/1 Running 0 7h16m
kube-controller-manager-node-1 1/1 Running 0 7h16m
kube-flannel-ds-amd64-5qxcf 1/1 Running 0 174m
kube-flannel-ds-amd64-sfglq 1/1 Running 0 174m
kube-flannel-ds-amd64-vjkx8 1/1 Running 0 174m
kube-proxy-8gjl7 1/1 Running 0 7h17m
kube-proxy-pt922 1/1 Running 0 3h49m
kube-proxy-zldlm 1/1 Running 0 3h47m
kube-scheduler-node-1 1/1 Running 0 7h16m
2.7.配置kubectl补全命令
安装bash-completion
yum install bash-completion -y
source /usr/share/bash-completion/bash_completion
配置补全
kubectl completion bash >/etc/kubernetes/kubectl.sh
echo "source /etc/kubernetes/kubectl.sh" >>/root/.bashrc
cat /root/.bashrc
# .bashrc
# User specific aliases and functions
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
source /etc/kubernetes/kubectl.sh
source /etc/kubernetes/kubectl.sh
使用命令进行补全校验
kubectl get co TAB
[root@node-1 ~]# kubectl get co
componentstatuses configmaps controllerrevisions.apps
其实kubernetes除了补全方式还支持简写
比如
查看节点kubectl get no
查看组件状态kubectl get cs
2.8.补充
kubernetes集群搭建好后发现不知道该怎么去停止,只能用下面的本办法了
先停掉每一个节点的kubelet,否则停掉的容器会重启
systemctl stop kubelet
docker stop $(docker ps -a -q)