二進位制安裝 kubernetes
kubernetes 二進位制安裝部署手冊
部署前準備
1) 系統優化
所有機器.
關閉防火牆和selinux
# setenforce 0
# sed -i "s#SELINUX=enforcing#SELINUX=disabled#g" /etc/selinux/config
# systemctl stop firewalld && systemctl disable firewalld
配置阿里雲映象源
mkdir -p /etc/yum.repos.d/bak mv -t /etc/yum.repos.d/bak/ /etc/yum.repos.d/* curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo yum -y remove epel-re* yum clean all yum -y install epel-re*
配置ntp時間對時
yum -y install ntpdate
/usr/sbin/ntpdate ntp7.aliyun.com > /dev/null 2>&1
(crontab -l; echo "00 23 * * * /usr/sbin/ntpdate ntp7.aliyun.com > /dev/null 2>&1" ) | crontab
2,檢查核心版本,檢視是否高於 3.8(Docker 需要)
# uname -
3,安裝一些工具
yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix buind-utils -y
2) 安裝DNS服務
安裝 bind9 服務,在 11 機器上
[root@zsf7-11 ~]# yum -y install bind9
[root@zsf7-11 ~]# vim /etc/named.conf
listen-on port 53 { 10.4.7.11; };
allow-query { any; }; //允許那些客戶端來請求
forwarders { 10.4.7.254; }; //上級 DNS 地址
recursion yes; //當前 DNS採用遞迴演算法提供服務,預設迭代和遞迴
dnssec-enable no;
dnssec-validation no;
檢查 DNS 配置檔案語法是否正確:
named-checkconf
配置區域檔案:
[root@zsf7-11 ~]# vim /etc/named.rfc1912.zones
//主機域
zone "host.com" IN {
type master;
file "host.com.zone";
allow-update { 10.4.7.11; };
};
zone "zsf.com" IN {
type master;
file "zsf.com.zone";
allow-update { 10.4.7.11; };
};
配置主機域的區域檔案
[root@zsf7-11 ~]# vim /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.host.com. dnsadmin.host.com. (
2020073001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.host.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
zsf7-11 A 10.4.7.11
zsf7-12 A 10.4.7.12
zsf7-21 A 10.4.7.21
zsf7-22 A 10.4.7.22
zsf7-200 A 10.4.7.200
[root@zsf7-11 ~]# /var/named/zsf.com.zone
$ORIGIN zsf.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.zsf.com. dnsadmin.zsf.com. (
2020073001 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.zsf.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
啟動
systemctl start named && systemctl enable named
檢查
dig -t A 主機名 @DNS 伺服器地址 +short
更改所有機器的 DNS 解析地址
vim /etc/sysconfig/network-scripts/ifcfg-ens33
systemctl restart network
新增短域名解析
vim /etc/resolv.conf
search host.com
3) 安裝harbor,docker倉庫
在github 上面下載harbor 安裝包,我們這邊安裝的是2.0.0 版本
[root@zsf7-200 opt]# mkdir src
[root@zsf7-200 opt]# cd src/
[root@zsf7-200 src]# tar xf harbor-offline-installer-v2.0.0.tgz -C /opt/
[root@zsf7-200 src]# cd /opt/
[root@zsf7-200 opt]# ls
certs containerd harbor src
[root@zsf7-200 opt]# mv harbor/ harbor-2.0.0
[root@zsf7-200 opt]# ln -s harbor-2.0.0/ harbor
[root@zsf7-200 opt]# cd harbor
[root@zsf7-200 harbor]# yum -y install docker-compose //因為harbor 是通過docker compose單機編排的,所以我們需要安裝docker-compose
[root@zsf7-200 harbor]# cp harbor.yml.tmpl harbor.yml
[root@zsf7-200 harbor]# egrep -v "#|^$" harbor.yml
hostname: harbor.zsf.com //harbor訪問的域名
http:
port: 180
harbor_admin_password: Ysyhl9t! //登入harbor倉庫的密碼
database:
password: root123
max_idle_conns: 50
max_open_conns: 100
data_volume: /data/harbor //資料儲存目錄
clair:
updaters_interval: 12
trivy:
ignore_unfixed: false
skip_update: false
insecure: false
jobservice:
max_job_workers: 10
notification:
webhook_job_max_retry: 10
chart:
absolute_url: disabled
log:
level: info
local:
rotate_count: 50
rotate_size: 200M
location: /var/log/harbor
_version: 2.0.0
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- clair
- trivy
[root@zsf7-200 harbor]# ./install.sh
[Step 0]: checking if docker is installed ...
Note: docker version: 19.03.12
[Step 1]: checking docker-compose is installed ...
Note: docker-compose version: 1.18.0
[Step 2]: loading Harbor images ...
然後在DNS伺服器上新增一個A 記錄
[root@zsf7-11 ~]# vim /var/named/zsf.com.zone
$ORIGIN zsf.com.
$TTL 600 ; 10 minutes
@ IN SOA dns.zsf.com. dnsadmin.zsf.com. (
2020073003 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS dns.zsf.com.
$TTL 60 ; 1 minute
dns A 10.4.7.11
harbor A 10.4.7.200
//注意 serial 必須改變
[root@zsf7-11 ~]# systemctl restart named
[root@zsf7-11 ~]# ping harbor.zsf.com
PING harbor.zsf.com (10.4.7.200) 56(84) bytes of data.
64 bytes from 10.4.7.200 (10.4.7.200): icmp_seq=1 ttl=64 time=18.9 ms
安裝一個nginx代理harbor倉庫
[root@zsf7-200 harbor]# yum -y install nginx
[root@zsf7-200 harbor]# cat /etc/nginx/conf.d/harbor.zsf.com.conf
server {
listen 80;
server_name harbor.zsf.com;
client_max_body_size 1000m; //注意docker分層映象可能大於這個數值,根據自己情況更改
location / {
proxy_pass http://127.0.0.1:180;
}
}
[root@zsf7-200 harbor]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@zsf7-200 harbor]# systemctl start nginx && systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
建立一個public的倉庫,登入web介面
然後測試上傳映象是否正常,
[root@zsf7-21 ~]# docker pull nginx
[root@zsf7-21 ~]# docker tag nginx:latest harbor.zsf.com/public/nginx:1.17.0
[root@zsf7-21 ~]# docker login -u admin -p Ysyhl9t! harbor.zsf.com
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@zsf7-21 ~]# docker push harbor.zsf.com/public/nginx:1.17.0
可以在harbor倉庫內看到映象,到此harbor倉庫搭建完成
4) 安裝Docker
3,安裝 docker,
在這些機器上安裝Docker :zsf7-21,zsf7-22,zsf7-200
curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
更改 Docker 配置檔案
certs]# mkdir -p /data/docker
certs]# mkdir -p /etc/docker/
certs]# vim /etc/docker/daemon.json
{
"graph": "/data/docker",
"storage-driver": "overlay2",
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zsf.com"],
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
"bip": "172.7.21.1/24",
"exec-opts": ["native.cgroupdriver=systemd"],
"live-restore": true
}
解釋
{
"graph": "/data/docker", //docker放在什麼位置
"storage-driver": "overlay2", //儲存引擎
"insecure-registries": ["registry.access.redhat.com","quay.io","harbor.zsf.com"], //新增http的harbor倉庫
"registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"], //配置阿里雲映象加速
"bip": "172.7.21.1/24", //Docker的虛擬IP地址,需要改成每臺主機的最後一位
"exec-opts": ["native.cgroupdriver=systemd"], //docker cgroup 驅動
"live-restore": true //當docker daemon down時容器能正常執行
}
啟動Docker
systemctl start docker.service && systemctl enable docker.service
準備自簽證書
1,安裝生產自簽證書需要的軟體
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl //建立證書,創建出來的證書是宣告式的
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json //將宣告式的證書轉換成 json 格式,變成承載式
[root@zsf7-200 ~]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo //反解析證書
[root@zsf7-200 ~]# chmod +x /usr/bin/cfssl*
2,生成自簽證書
[root@zsf7-200 ~]# mkdir /opt/certs
[root@zsf7-200 ~]# cd /opt/certs
1)建立根證書申請檔案
[root@zsf7-200 certs]# vim /opt/certs/ca-csr.json
{
"CN": "OldboyEdu",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
解釋
{
"CN": "公司機構",
"hosts": [
],
"key": {
"algo": "rsa", //加密演算法
"size": 2048 //加密長度
},
"names": [
{
"C": "CN", //國家
"ST": "beijing", //省份
"L": "beijing", //城市
"O": "od", //
"OU": "ops" //職位
}
],
"ca": {
"expiry": "175200h" //證書有效時間
}
}
- 生成證書
[root@zsf7-200 certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2020/08/04 15:43:48 [INFO] generating a new CA key and certificate from CSR
2020/08/04 15:43:48 [INFO] generate received request
2020/08/04 15:43:48 [INFO] received CSR
2020/08/04 15:43:48 [INFO] generating key: rsa-2048
2020/08/04 15:43:48 [INFO] encoded CSR
2020/08/04 15:43:48 [INFO] signed certificate with serial number 187642729321576839847461032555167519484416835896
[root@zsf7-200 certs]# ls
ca.csr ca-csr.json ca-key.pem ca.pem
//為根證書私鑰ca-key.pem ca.pem
安裝 k8s 服務
安裝 master 元件
安裝 etcd
12,21,22
1) 簽發 ETCD 證書
[root@zsf7-200 certs]# vim /opt/certs/ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": { //服務端認證
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": { //客戶端認證
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": { //雙向認證
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
建立etcd 證書請求的檔案
[root@zsf7-200 certs]# vi etcd-peer-csr.json
{
"CN": "k8s-etcd",
//可能部署在哪臺主機上,不支援網段,如果後期IP地址不在這個裡面需要重新簽發證書,所以最好多保留幾個IP地址
"hosts": [
"10.4.7.11",
"10.4.7.12",
"10.4.7.21",
"10.4.7.22"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
簽發證書
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
//-profile=peer 雙向認證使用
2020/08/04 16:02:12 [INFO] generate received request
2020/08/04 16:02:12 [INFO] received CSR
2020/08/04 16:02:12 [INFO] generating key: rsa-2048
2020/08/04 16:02:13 [INFO] encoded CSR
2020/08/04 16:02:13 [INFO] signed certificate with serial number 699445385173737942257356343390958864239006335823
2020/08/04 16:02:13 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").
[root@zsf7-200 certs]# ls etcd*
etcd-peer.csr etcd-peer-csr.json etcd-peer-key.pem etcd-peer.pem
2) 安裝 etcd
下面的操作在三臺etcd 主機上分別進行操作,zsf7-12 zsf7-21 zsf7-22
建立etcd 服務啟動的使用者
[root@zsf7-12 ~]# useradd -s /sbin/nologin -M etcd
[root@zsf7-12 ~]# id etcd
uid=1000(etcd) gid=1000(etcd) groups=1000(etcd)
下載 ectd 我們去github上面下載對應版本的etcd,我們這邊使用的是3.1.20版本
上傳下載好的軟體包到/opt/src
[root@zsf7-12 src]# ls
etcd-v3.1.20-linux-amd64.tar.gz
[root@zsf7-12 src]# tar xvf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
[root@zsf7-12 opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[root@zsf7-12 opt]# ln -s etcd-v3.1.20/ etcd
[root@zsf7-12 opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server /data/etcd/etcd-server
[root@zsf7-12 opt]# cd /opt/etcd/certs
下面的操作我們只在zsf7-12 這個機器上操作,另外兩臺機器類比操作
上傳自簽證書到指定位置
在zsf7-200機器上操作
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem [email protected]:/opt/etcd/certs
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem [email protected]:/opt/etcd/certs
[root@zsf7-12 certs]# scp ca.pem etcd-peer-key.pem etcd-peer.pem [email protected]:/opt/etcd/certs
在zsf7-12 上編寫啟動指令碼
[root@zsf7-12 certs]# ls
ca.pem etcd-peer-key.pem etcd-peer.pem
[root@zsf7-12 ~]# vim /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.12:2380 \
--listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.12:2380 \
--advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
[root@zsf7-12 ~]# chmod +x /opt/etcd/etcd-server-startup.sh
更改檔案許可權
[root@zsf7-12 ~]# chown -R etcd.etcd /opt/etcd-v3.1.20/
[root@zsf7-12 ~]# chown -R etcd.etcd /data/etcd/etcd-server
3, 安裝配置supervisor
因為etcd 不能自己後臺啟動,所以我們使用supervisor來管理它
[root@zsf7-12 ~]# yum install supervisor -y
[root@zsf7-12 ~]# systemctl start supervisord && systemctl enable supervisord
[root@zsf7-12 ~]# vim /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/etcd ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-12 ~]# supervisorctl update
etcd-server-7-12: added process group
剩下的兩臺主機也安裝 etcd
zsf7-21
etcd]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-21 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.21:2380 \
--listen-client-urls https://10.4.7.21:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.21:2380 \
--advertise-client-urls https://10.4.7.21:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
zsf7-22
~]# cat /opt/etcd/etcd-server-startup.sh
#!/bin/bash
./etcd --name etcd-server-7-22 \
--data-dir /data/etcd/etcd-server \
--listen-peer-urls https://10.4.7.22:2380 \
--listen-client-urls https://10.4.7.22:2379,http://127.0.0.1:2379 \
--quota-backend-bytes 8000000000 \
--initial-advertise-peer-urls https://10.4.7.22:2380 \
--advertise-client-urls https://10.4.7.22:2379,http://127.0.0.1:2379 \
--initial-cluster etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
--ca-file ./certs/ca.pem \
--cert-file ./certs/etcd-peer.pem \
--key-file ./certs/etcd-peer-key.pem \
--client-cert-auth \
--trusted-ca-file ./certs/ca.pem \
--peer-ca-file ./certs/ca.pem \
--peer-cert-file ./certs/etcd-peer.pem \
--peer-key-file ./certs/etcd-peer-key.pem \
--peer-client-cert-auth \
--peer-trusted-ca-file ./certs/ca.pem \
--log-output stdout
3) 檢查etcd叢集狀態
[root@zsf7-12 etcd]# ./etcdctl cluster-health
member 988139385f78284 is healthy: got healthy result from http://127.0.0.1:2379
member 5a0ef2a004fc4349 is healthy: got healthy result from http://127.0.0.1:2379
member f4a0cb0a765574a8 is healthy: got healthy result from http://127.0.0.1:2379
cluster is healthy
[root@zsf7-12 etcd]# ./etcdctl member list
988139385f78284: name=etcd-server-7-22 peerURLs=https://10.4.7.22:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.22:2379 isLeader=false
5a0ef2a004fc4349: name=etcd-server-7-21 peerURLs=https://10.4.7.21:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.21:2379 isLeader=false
f4a0cb0a765574a8: name=etcd-server-7-12 peerURLs=https://10.4.7.12:2380 clientURLs=http://127.0.0.1:2379,https://10.4.7.12:2379 isLeader=true
安裝 APiserver
1) 在 github 上下載安裝包
我們這邊安裝 1.15.4,然後我們在 github 上找到對應的 tag: https://github.com/kubernetes/kubernetes/releases/tag/v1.15.4
如果上面連結失效,可以點選下方這個連線來進行下載:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.15.md#downloads-for-v1154
2) 建立證書
簽發 clinet 證書,Apiserver(client) 和 etcd(service) 進行通訊需要的證書,
[root@zsf7-200 certs]# vim client-csr.json
{
"CN": "k8s-client",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "jiangsu",
"L": "nanjing",
"O": "od",
"OU": "ops"
}
]
}
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client
[root@zsf7-200 certs]# ll client*
-rw-r--r-- 1 root root 997 Aug 5 15:31 client.csr
-rw-r--r-- 1 root root 283 Aug 5 15:30 client-csr.json
-rw------- 1 root root 1675 Aug 5 15:31 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 15:31 client.pem
簽發 Apiserver 證書,這個是 Apiserver 作為服務端需要的證書,別人請求 Apiserver 需要證書認證
# vi apiserver-csr.json
{
"CN": "k8s-apiserver",
"hosts": [
"127.0.0.1",
"192.168.0.1",
"kubernetes.default",
"kubernetes.default.svc",
"kubernetes.default.svc.cluster",
"kubernetes.default.svc.cluster.local",
//Apiserver 可能存在哪些機器上,需要注意 VIP 也需要寫到裡面
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "jiangsu",
"L": "nanjing",
"O": "od",
"OU": "ops"
}
]
}
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver
[root@zsf7-200 certs]# ll apiserver*
-rw-r--r-- 1 root root 1249 Aug 5 15:33 apiserver.csr
-rw-r--r-- 1 root root 566 Aug 5 15:32 apiserver-csr.json
-rw------- 1 root root 1679 Aug 5 15:33 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 15:33 apiserver.pem
3) 安裝 apiserver
[root@zsf7-21 /]# cd /opt/src
[root@zsf7-21 src]# ll
total 443192
-rw-r--r-- 1 root root 9850227 Aug 4 15:24 etcd-v3.1.20-linux-amd64.tar.gz
-rw-r--r-- 1 root root 443976803 Aug 5 14:11 kubernetes-server-linux-amd64.tar.gz
[root@zsf7-21 src]# tar xf kubernetes-server-linux-amd64.tar.gz -C /opt/
[root@zsf7-21 src]# cd /opt/
[root@zsf7-21 opt]# mv kubernetes/ kubernetes-1.15.4
[root@zsf7-21 opt]# ln -s kubernetes-1.15.4/ kubernetes
[root@zsf7-21 opt]# cd /opt/kubernetes/server/bin
[root@zsf7-21 bin]# rm -rf *.tar *_tag //.tar 為軟體的docker包,我們不需要就刪除掉
[root@zsf7-21 bin]# mkdir -p mkdir /opt/kubernetes/bin/certs //存放證書的目錄
在 zsf7-200上面拷貝證書到 apiserver 上
[root@zsf7-200 certs]# scp ca.pem ca-key.pem client-key.pem client.pem apiserver.pem apiserver-key.pem [email protected]:/opt/kubernetes/server/bin/certs/
[root@zsf7-21 bin]# ll /opt/kubernetes/server/bin/certs/
total 24
-rw------- 1 root root 1679 Aug 5 15:41 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 15:41 apiserver.pem
-rw------- 1 root root 1675 Aug 5 15:41 ca-key.pem
-rw-r--r-- 1 root root 1338 Aug 5 15:41 ca.pem
-rw------- 1 root root 1675 Aug 5 15:41 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 15:41 client.pem
建立Apiserver 啟動的配置檔案
[root@zsf7-21 bin]# mkdir -p /opt/kubernetes/server/bin/conf
[root@zsf7-21 bin]# cd /opt/kubernetes/server/bin/conf
[root@zsf7-21 conf]# vi audit.yaml
//日誌審計
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
建立啟動指令碼
[root@zsf7-21 bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./certs/ca.pem \
--requestheader-client-ca-file ./certs/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./certs/ca.pem \
--etcd-certfile ./certs/client.pem \
--etcd-keyfile ./certs/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./certs/client.pem \
--kubelet-client-key ./certs/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./certs/apiserver.pem \
--tls-private-key-file ./certs/apiserver-key.pem \
--v 2
[root@zsf7-21 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/audit-log
解釋:
- apiserver-count: apiserver的數量,根據自己實際情況來更改
- audit-log-path:日誌審計的日誌目錄存放地方
- audit-policy-file: 日誌審計規則的配置檔案
- authorization-mode: 認證的模式,目前使用基於角色的訪問控制
- client-ca-file: 根證書存放的位置
- requestheader-client-ca-file:驗證傳入請求中的客戶證書
- enable-admission-plugins:除了預設外掛外啟用的外掛,順序沒關係
- etcd-cafile: etcd的根證書
- etcd-certfile: 請求etcd驗證的證書
- etcd-keyfile: 請求etcd驗證的私鑰
- etcd-servers: etcd 服務的地址
- service-account-key-file: 服務的證書私鑰
- service-cluster-ip-range: 用於分配服務叢集IP。此範圍不得與為 pods 分配給節點的任何 IP 範圍重疊。(預設為10.0.0.0/24) clusterIP
- service-node-port-range: nodeport的埠範圍,預設是30000-32767
- target-ram-mb:apiserver的記憶體限制,單位為MB(用於配置快取大小等)
4) 建立supervisor 啟動指令碼
[root@zsf7-21 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/
[root@zsf7-21 bin]# supervisorctl update
kube-apiserver-7-21: added process group
zsf7-22類比上面進行這邊不分開寫
[root@zsf7-22 src]# tar xvf kubernetes-server-linux-amd64.tar.gz -C /opt/
[root@zsf7-22 src]# cd /opt/
[root@zsf7-22 opt]# mv kubernetes/ kubernetes-1.15.4
[root@zsf7-22 opt]# ln -s kubernetes-1.15.4/ kubernetes
[root@zsf7-22 opt]# cd /opt/kubernetes/server/bin
[root@zsf7-22 bin]# rm -f *.tar *_tar
[root@zsf7-22 bin]# mkdir /opt/kubernetes/server/bin/certs/
[root@zsf7-200 certs]# scp ca.pem ca-key.pem client-key.pem client.pem apiserver.pem apiserver-key.pem [email protected]:/opt/kubernetes/server/bin/certs/
[root@zsf7-22 bin]# ll certs/
total 24
-rw------- 1 root root 1679 Aug 5 16:31 apiserver-key.pem
-rw-r--r-- 1 root root 1594 Aug 5 16:31 apiserver.pem
-rw------- 1 root root 1675 Aug 5 16:31 ca-key.pem
-rw-r--r-- 1 root root 1338 Aug 5 16:31 ca.pem
-rw------- 1 root root 1675 Aug 5 16:31 client-key.pem
-rw-r--r-- 1 root root 1363 Aug 5 16:31 client.pem
[root@zsf7-22 bin]# mkdir conf
[root@zsf7-22 bin]# vi conf/audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
- "RequestReceived"
rules:
# Log pod changes at RequestResponse level
- level: RequestResponse
resources:
- group: ""
# Resource "pods" doesn't match requests to any subresource of pods,
# which is consistent with the RBAC policy.
resources: ["pods"]
# Log "pods/log", "pods/status" at Metadata level
- level: Metadata
resources:
- group: ""
resources: ["pods/log", "pods/status"]
# Don't log requests to a configmap called "controller-leader"
- level: None
resources:
- group: ""
resources: ["configmaps"]
resourceNames: ["controller-leader"]
# Don't log watch requests by the "system:kube-proxy" on endpoints or services
- level: None
users: ["system:kube-proxy"]
verbs: ["watch"]
resources:
- group: "" # core API group
resources: ["endpoints", "services"]
# Don't log authenticated requests to certain non-resource URL paths.
- level: None
userGroups: ["system:authenticated"]
nonResourceURLs:
- "/api*" # Wildcard matching.
- "/version"
# Log the request body of configmap changes in kube-system.
- level: Request
resources:
- group: "" # core API group
resources: ["configmaps"]
# This rule only applies to resources in the "kube-system" namespace.
# The empty string "" can be used to select non-namespaced resources.
namespaces: ["kube-system"]
# Log configmap and secret changes in all other namespaces at the Metadata level.
- level: Metadata
resources:
- group: "" # core API group
resources: ["secrets", "configmaps"]
# Log all other resources in core and extensions at the Request level.
- level: Request
resources:
- group: "" # core API group
- group: "extensions" # Version of group should NOT be included.
# A catch-all rule to log all other requests at the Metadata level.
- level: Metadata
# Long-running requests like watches that fall under this rule will not
# generate an audit event in RequestReceived.
omitStages:
- "RequestReceived"
[root@zsf7-22 bin]# vim /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
--apiserver-count 2 \
--audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
--audit-policy-file ./conf/audit.yaml \
--authorization-mode RBAC \
--client-ca-file ./certs/ca.pem \
--requestheader-client-ca-file ./certs/ca.pem \
--enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
--etcd-cafile ./certs/ca.pem \
--etcd-certfile ./certs/client.pem \
--etcd-keyfile ./certs/client-key.pem \
--etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--service-account-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--service-node-port-range 3000-29999 \
--target-ram-mb=1024 \
--kubelet-client-certificate ./certs/client.pem \
--kubelet-client-key ./certs/client-key.pem \
--log-dir /data/logs/kubernetes/kube-apiserver \
--tls-cert-file ./certs/apiserver.pem \
--tls-private-key-file ./certs/apiserver-key.pem \
--v 2
[root@zsf7-21 bin]# chmod +x /opt/kubernetes/server/bin/kube-apiserver.sh
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/audit-log
[root@zsf7-22 bin]# vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-22]
command=/opt/kubernetes/server/bin/kube-apiserver.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-22 bin]# mkdir -p /data/logs/kubernetes/kube-apiserver/
[root@zsf7-22 bin]# supervisorctl update
kube-apiserver-7-22: added process group
部署 Apiserver 高可用
1) 安裝nginx
[root@zsf7-11 ~]# yum -y install nginx
[root@zsf7-11 ~]# vim /etc/nginx/nginx.conf
//注意需要在http外測編寫下面內容
stream {
upstream kube-apiserver {
server 10.4.7.21:6443 max_fails=3 fail_timeout=30s;
server 10.4.7.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
[root@zsf7-11 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@zsf7-11 ~]# systemctl start nginx && systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@zsf7-12 ~]# yum -y install nginx
[root@zsf7-12 ~]# vim /etc/nginx/nginx.conf
//注意需要在http外測編寫下面內容
stream {
upstream kube-apiserver {
server 10.4.7.21:6443 max_fails=3 fail_timeout=30s;
server 10.4.7.22:6443 max_fails=3 fail_timeout=30s;
}
server {
listen 7443;
proxy_connect_timeout 2s;
proxy_timeout 900s;
proxy_pass kube-apiserver;
}
}
[root@zsf7-12 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@zsf7-12 ~]# systemctl start nginx && systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
2) 安裝keepalived
[root@zsf7-11 ~]# yum -y install keepalived -y
[root@zsf7-11 ~]# vim /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 監控埠指令碼
#使用方法:
#在keepalived的配置檔案中
#vrrp_script check_port {#建立一個vrrp_script指令碼,檢查配置
# script "/etc/keepalived/check_port.sh 6379" #配置監聽的埠
# interval 2 #檢查指令碼的頻率,單位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
[root@zsf7-11 ~]# chmod +x /etc/keepalived/check_port.sh
keepalived 主:
[root@zsf7-11 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.11
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state MASTER
interface ens33 //要給自己的實際網絡卡相符合
virtual_router_id 251
priority 100
advert_int 1
mcast_src_ip 10.4.7.11
nopreempt
authentication {
auth_type PASS
auth_pass apiserver-pass
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
[root@zsf7-11 ~]# useradd keepalived_script -s /sbin/nologin
[root@zsf7-11 ~]# systemctl start keepalived.service && systemctl enable keepalived.service
- nopreempt : 當主掛了之後VIP漂移到從節點,然後主啟動正常之後不自動漂移回來
[root@zsf7-12 ~]# yum -y install keepalived -y
[root@zsf7-12 ~]# vim /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 監控埠指令碼
#使用方法:
#在keepalived的配置檔案中
#vrrp_script check_port {#建立一個vrrp_script指令碼,檢查配置
# script "/etc/keepalived/check_port.sh 6379" #配置監聽的埠
# interval 2 #檢查指令碼的頻率,單位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
if [ $PORT_PROCESS -eq 0 ];then
echo "Port $CHK_PORT Is Not Used,End."
exit 1
fi
else
echo "Check Port Cant Be Empty!"
fi
[root@zsf7-12 ~]# chmod +x /etc/keepalived/check_port.sh
keepalived從:
[root@zsf7-12 ~]# vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id 10.4.7.12
}
vrrp_script chk_nginx {
script "/etc/keepalived/check_port.sh 7443"
interval 2
weight -20
}
vrrp_instance VI_1 {
state BACKUP
interface ens33
virtual_router_id 251
mcast_src_ip 10.4.7.12
priority 90
advert_int 1
authentication {
auth_type PASS
auth_pass apiserver-pass
}
track_script {
chk_nginx
}
virtual_ipaddress {
10.4.7.10
}
}
[root@zsf7-12 ~]# useradd keepalived_script -s /sbin/nologin
[root@zsf7-12 ~]# systemctl start keepalived.service && systemctl enable keepalived.service
3)驗證是否正常
[root@zsf7-11 keepalived]# ip addr | grep 10.4.7.10
inet 10.4.7.10/32 scope global ens33
[root@zsf7-12 ~]# ip addr | grep 10.4.7.10
[root@zsf7-12 ~]#
[root@zsf7-11 keepalived]# systemctl stop nginx
[root@zsf7-11 keepalived]# ip addr | grep 10.4.7.10
[root@zsf7-12 ~]# ip addr | grep 10.4.7.10
inet 10.4.7.10/32 scope global ens33
叢集正常
部署controller-manager
1) 建立controller-manager啟動指令碼
[root@zsf7-21 bin]# vim /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
--cluster-cidr 172.7.0.0/16 \
--leader-elect true \
--log-dir /data/logs/kubernetes/kube-controller-manager \
--master http://127.0.0.1:8080 \
--service-account-private-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--root-ca-file ./certs/ca.pem \
--v 2
[root@zsf7-21 bin]# chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager
[root@zsf7-22 bin]# vim /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
--cluster-cidr 172.7.0.0/16 \
--leader-elect true \
--log-dir /data/logs/kubernetes/kube-controller-manager \
--master http://127.0.0.1:8080 \
--service-account-private-key-file ./certs/ca-key.pem \
--service-cluster-ip-range 192.168.0.0/16 \
--root-ca-file ./certs/ca.pem \
--v 2
[root@zsf7-22 bin]# chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh
[root@zsf7-22 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager
-
cluster-cidr: 叢集中Pods的CIDR範圍
-
leader-elect: 在執行主迴圈之前,啟動領導選舉客戶端並獲得領導權。當運行復制元件以實現高可用性時,請啟用此功能。(預設為true)
-
master: apiserver的地址,這裡我們使用的是本地迴環埠,所以不需要證書
-
service-account-private-key-file
[root@zsf7-21 bin]# vim /etc/supervisord.d/kube-conntroller-manager.ini
[program:kube-controller-manager-7-21]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager/
[root@zsf7-21 bin]# supervisorctl update
kube-controller-manager-7-21: added process group
[root@zsf7-22 bin]# vim /etc/supervisord.d/kube-conntroller-manager.ini
[program:kube-controller-manager-7-22]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-22 bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager/
[root@zsf7-22 bin]# supervisorctl update
kube-controller-manager-7-22: added process group
kube-scheduler
1) 建立啟動kube-scheduler配置檔案
[root@zsf7-21 bin]# vim /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
--leader-elect \
--log-dir /data/logs/kubernetes/kube-scheduler \
--master http://127.0.0.1:8080 \
--v 2
[root@zsf7-21 bin]# chmod +x /opt/kubernetes/server/bin/kube-scheduler.sh
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-scheduler
[root@zsf7-22 bin]# vim /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
--leader-elect \
--log-dir /data/logs/kubernetes/kube-scheduler \
--master http://127.0.0.1:8080 \
--v 2
[root@zsf7-22 bin]# chmod +x /opt/kubernetes/server/bin/kube-scheduler.sh
[root@zsf7-22 bin]# mkdir -p /data/logs/kubernetes/kube-scheduler
2) 建立啟動指令碼
[root@zsf7-21 bin]# vim /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-7-21]
command=/opt/kubernetes/server/bin/kube-scheduler.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-21 bin]# mkdir -p /data/logs/kubernetes/kube-scheduler/
[root@zsf7-21 bin]# supervisorctl update
kube-scheduler-7-21: added process group
[root@zsf7-22 bin]# vim /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-7-22]
command=/opt/kubernetes/server/bin/kube-scheduler.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-22 bin]# mkdir -p /data/logs/kubernetes/kube-scheduler/
[root@zsf7-22 bin]# supervisorctl update
kube-scheduler-7-22: added process group
檢查主控節點是否正常
[root@zsf7-21 bin]# ln -s /opt/kubernetes/server/bin/kubectl /usr/bin/kubectl
[root@zsf7-21 bin]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-2 Healthy {"health": "true"}
etcd-1 Healthy {"health": "true"}
etcd-0 Healthy {"health": "true"}
安裝工作節點
安裝 kubelet
1)簽發證書
如果後期需要新增新的節點的話,那麼要重新簽發證書,可以先不動老的,先部署新的,但是建議全部更新
Kubelet 對外提供 https 服務,所以要簽發一套 server 證書,apiserver 會主動請求他
[root@zsf7-200 certs]# vi kubelet-csr.json
{
"CN": "k8s-kubelet",
"hosts": [
"127.0.0.1",
"10.4.7.10",
"10.4.7.21",
"10.4.7.22",
"10.4.7.23",
"10.4.7.24",
"10.4.7.25",
"10.4.7.26",
"10.4.7.27",
"10.4.7.28"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
[root@zsf7-200 certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet
[root@zsf7-200 certs]# ll kubelet*
-rw-r--r-- 1 root root 1115 Aug 5 18:12 kubelet.csr
-rw-r--r-- 1 root root 453 Aug 5 18:12 kubelet-csr.json
-rw------- 1 root root 1679 Aug 5 18:12 kubelet-key.pem
-rw-r--r-- 1 root root 1464 Aug 5 18:12 kubelet.pem
[root@zsf7-200 certs]# scp ca.pem ca-key.pem kubelet.pem kubelet-key.pem client.pem client-key.pem [email protected]:/opt/kubernetes/server/bin/certs
[root@zsf7-200 certs]# scp ca.pem ca-key.pem kubelet.pem kubelet-key.pem client.pem client-key.pem [email protected]:/opt/kubernetes/server/bin/certs
2) 建立kubelet 的配置檔案
Set-cluster
注意在 conf 目錄下
[root@zsf7-21 conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kubelet.kubeconfig
set-credentials
[root@zsf7-21 conf]# kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/certs/client.pem \
--client-key=/opt/kubernetes/server/bin/certs/client-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig
set-context
[root@zsf7-21 conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=kubelet.kubeconfig
use-context
[root@zsf7-21 conf]# kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
3) 角色繫結
[root@zsf7-21 conf}# k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-node
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: k8s-node
[root@zsf7-21 conf]# kubectl create -f k8s-node.yaml
[root@zsf7-21 conf]# kubectl get clusterrolebinding k8s-node -o yaml
4) 準備pause 映象
因為pod 一個pod是有業務容器和pause容器構成的,
[root@zsf7-21 ~]# docker pull kubernetes/pause
[root@zsf7-21 ~]# docker tag docker.io/kubernetes/pause:latest harbor.zsf.com/public/pause:latest
[root@zsf7-21 ~]# docker push harbor.zsf.com/public/pause:latest
5) 建立 kubelet 啟動檔案
[root@zsf7-21 ~]# vim /opt/kubernetes/server/bin/kubelet.sh
#!/bin/sh
./kubelet \
--anonymous-auth=false \
--cgroup-driver systemd \
--cluster-dns 192.168.0.2 \
--cluster-domain cluster.local \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--fail-swap-on="false" \
--client-ca-file ./certs/ca.pem \
--tls-cert-file ./certs/kubelet.pem \
--tls-private-key-file ./certs/kubelet-key.pem \
--hostname-override zsf7-21.host.com \
--image-gc-high-threshold 20 \
--image-gc-low-threshold 10 \
--kubeconfig ./conf/kubelet.kubeconfig \
--log-dir /data/logs/kubernetes/kube-kubelet \
--pod-infra-container-image harbor.zsf.com/public/pause:latest \
--root-dir /data/kubelet
[root@zsf7-21 ~]# mkdir -p /data/kubelet
[root@zsf7-21 ~]# mkdir -p /data/logs/kubernetes/kube-kubelet
[root@zsf7-21 ~]# chmod +x /opt/kubernetes/server/bin/kubelet.sh
6) 建立管理指令碼
[root@zsf7-21 bin]# vim /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-7-21]
command=/opt/kubernetes/server/bin/kubelet.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
# supervisorctl update
另外一臺節點部署
[root@zsf7-22 conf]# scp zsf7-21:/opt/kubernetes/server/bin/conf/kubelet.kubeconfig /opt/kubernetes/server/bin/conf/
[root@zsf7-22 ~]# vim /opt/kubernetes/server/bin/kubelet.sh
#!/bin/sh
./kubelet \
--anonymous-auth=false \
--cgroup-driver systemd \
--cluster-dns 192.168.0.2 \
--cluster-domain cluster.local \
--runtime-cgroups=/systemd/system.slice \
--kubelet-cgroups=/systemd/system.slice \
--fail-swap-on="false" \
--client-ca-file ./certs/ca.pem \
--tls-cert-file ./certs/kubelet.pem \
--tls-private-key-file ./certs/kubelet-key.pem \
--hostname-override zsf7-22.host.com \
--image-gc-high-threshold 20 \
--image-gc-low-threshold 10 \
--kubeconfig ./conf/kubelet.kubeconfig \
--log-dir /data/logs/kubernetes/kube-kubelet \
--pod-infra-container-image harbor.zsf.com/public/pause:latest \
--root-dir /data/kubelet
[root@zsf7-22 ~]# mkdir -p /data/kubelet
[root@zsf7-22 ~]# mkdir -p /data/logs/kubernetes/kube-kubelet
[root@zsf7-22 ~]# chmod +x /opt/kubernetes/server/bin/kubelet.sh
[root@zsf7-22 bin]# vim /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-7-22]
command=/opt/kubernetes/server/bin/kubelet.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-22 conf]# supervisorctl update
kube-kubelet-7-22: added process group
- 檢視node 是否正常,打標籤
//當我執行kubectl get nodes 的時候並未得到我想要的結果,然後去看kubelet日誌發現如下報錯
E0806 07:12:22.356765 14672 reflector.go:125] k8s.io/client-go/informers/factory.go:133: Failed to list *v1beta1.RuntimeClass: runtimeclasses.node.k8s.io is forbidden: User "k8s-client" cannot list resource "runtimeclasses"
說是k8s-client這個客戶端沒有許可權檢視節點列表,我們需要使用下面命令進行授權
[root@zsf7-21 conf]# kubectl create clusterrolebinding kubelet-node-clusterbinding --clusterrole=system:node --user=k8s-client
[root@zsf7-21 bin]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
zsf7-21.host.com Ready <none> 3m6s v1.15.4
zsf7-22.host.com Ready <none> 7s v1.15.4
//打標籤
[root@zsf7-21 bin]# kubectl label node zsf7-21.host.com node-role.kubernetes.io/master=
[root@zsf7-21 bin]# kubectl label node zsf7-21.host.com node-role.kubernetes.io/node=
[root@zsf7-21 bin]# kubectl label node zsf7-22.host.com node-role.kubernetes.io/master=
[root@zsf7-21 bin]# kubectl label node zsf7-22.host.com node-role.kubernetes.io/node=
[root@zsf7-21 bin]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
zsf7-21.host.com Ready master,node 4m15s v1.15.4
zsf7-22.host.com Ready master,node 76s v1.15.4
安裝 kube-proxy
1) 建立 kube-proxy 配置檔案
conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/certs/client.pem \
--client-key=/opt/kubernetes/server/bin/certs/client-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig
2) 建立角色繫結
conf}# k8s-kube-proxy.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kube-proxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-proxy
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kube-proxy
3) 載入 IPVs
[root@zsf7-21 conf]# vim /root/ipvs.sh
#!/bin/bash
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for i in $(ls $ipvs_mods_dir|grep -o "^[^.]*")
do
/sbin/modinfo -F filename $i &>/dev/null
if [ $? -eq 0 ];then
/sbin/modprobe $i
fi
done
4) 建立啟動指令碼
[root@zsf7-21 conf]# vim /opt/kubernetes/server/bin/kube-proxy.sh
#!/bin/sh
./kube-proxy \
--cluster-cidr 172.7.0.0/16 \
--hostname-override zsf7-21.host.com \
--proxy-mode=ipvs \
--ipvs-scheduler=nq \
--log-dir /data/logs/kubernetes/kube-proxy \
--kubeconfig ./conf/kube-proxy.kubeconfig
# chmod +x kube-proxy.sh
# mkdir -p /data/logs/kubernetes/kube-proxy
/etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-7-21]
command=/opt/kubernetes/server/bin/kube-proxy.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
# supervisorctl update
啟動報錯如下:
User "k8s-client" cannot list resource "endpoints" in API group "" at the cluster scope
[root@zsf7-21 bin]# kubectl get clusterrole | grep endpo
system:controller:endpoint-controller 17h
[root@zsf7-21 bin]# kubectl create clusterrolebinding kube-proxy-endpoints-clusterbinding --clusterrole=system:controller:endpoint-controller --user=k8s-client
5) 檢視IPvs 是否有記錄:
[root@zsf7-21 conf]# yum -y install ipvsadm-1.27-8.el7.x86_64
[root@zsf7-21 bin]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.0.1:443 nq
-> 10.4.7.21:6443 Masq 1 0 0
-> 10.4.7.22:6443 Masq 1 0 0
另外一臺機器部署
[root@zsf7-22 conf]# scp zsf7-21:/opt/kubernetes/server/bin/conf/kube-proxy.kubeconfig ./
[root@zsf7-22 conf]# vim /opt/kubernetes/server/bin/kube-proxy.sh
#!/bin/sh
./kube-proxy \
--cluster-cidr 172.7.0.0/16 \
--hostname-override zsf7-22.host.com \
--proxy-mode=ipvs \
--ipvs-scheduler=nq \
--log-dir /data/logs/kubernetes/kube-proxy \
--kubeconfig ./conf/kube-proxy.kubeconfig
# chmod +x kube-proxy.sh
# mkdir -p /data/logs/kubernetes/kube-proxy
[root@zsf7-22 bin]# /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-7-22]
command=/opt/kubernetes/server/bin/kube-proxy.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
[root@zsf7-22 conf]# vim /root/ipvs.sh
#!/bin/bash
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for i in $(ls $ipvs_mods_dir|grep -o "^[^.]*")
do
/sbin/modinfo -F filename $i &>/dev/null
if [ $? -eq 0 ];then
/sbin/modprobe $i
fi
done
[root@zsf7-22 kube-proxy]# chmod +x /root/ipvs.sh
[root@zsf7-22 kube-proxy]# . /root/ipvs.sh
[root@zsf7-22 bin]# supervisorctl update
6) 擴充套件,我們可以使用下面的方式來部署kube-proxy
# vi kube-proxy-csr.json
{
//這個可以自己改,這邊寫的是角色繫結,
"CN": "system:kube-proxy",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "beijing",
"L": "beijing",
"O": "od",
"OU": "ops"
}
]
}
# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client
conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/certs/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config set-credentials kube-proxy \
--client-certificate=/opt/kubernetes/server/bin/certs/kube-proxy-client.pem \
--client-key=/opt/kubernetes/server/bin/certs/kube-proxy-client-key.pem \
--embed-certs=true \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
conf]# kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig
建立啟動指令碼。。。。
建立命令補全工具
[root@zsf7-21 bin]# yum -y install bash-co*
[root@zsf7-21 bin]# source <(kubectl completion bash)
[root@zsf7-21 bin]# echo "source <(kubectl completion bash)" >> ~/.bashrc
驗證叢集狀態
檢視叢集節點狀態:
[root@zsf7-21 bin]# kubectl get cs
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health": "true"}
etcd-1 Healthy {"health": "true"}
etcd-2 Healthy {"health": "true"}
[root@zsf7-21 bin]# kubectl get node
NAME STATUS ROLES AGE VERSION
zsf7-21.host.com Ready master,node 157m v1.15.4
zsf7-22.host.com Ready master,node 154m v1.15.4
建立一個daemonset 的pod驗證叢集狀態
[root@zsf7-21 test]# cat nginx-test.yml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
name: test-nginx
spec:
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: my-test-nginx
image: harbor.zsf.com/public/nginx:1.17.0
ports:
- containerPort: 80
[root@zsf7-21 test]# kubectl create -f nginx-test.yml
[root@zsf7-21 test]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
test-nginx-7p5pc 1/1 Running 0 12m 172.7.22.2 zsf7-22.host.com <none> <none>
test-nginx-w4jvp 1/1 Running 0 12m 172.7.21.2 zsf7-21.host.com <none> <none>
curl -i http://172.7.21.2/
HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Thu, 06 Aug 2020 02:35:04 GMT
Content-Type: text/html
Content-Length: 612
安裝 k8s 核心外掛
安裝k8s 網路外掛 flannel
我們在github上面安裝,我們這邊下載安裝1.10.0,
1) 下載上傳解壓軟體包
[root@zsf7-21 ~]# cd /opt/src/
[root@zsf7-21 src]# wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
[root@zsf7-21 src]# mkdir /opt/flannel-v0.11.0
[root@zsf7-21 src]# tar xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/flannel-v0.11.0/
[root@zsf7-21 src]# ln -s /opt/flannel-v0.11.0/ /opt/flannel
[root@zsf7-21 flannel]# tree ./
./
├── flanneld
├── mk-docker-opts.sh
└── README.md
2) 配置證書
[root@zsf7-21 flannel]# mkdir certs
[root@zsf7-200 certs]# scp ca.pem client.pem client-key.pem zsf7-11:/opt/flannel/certs
[root@zsf7-21 flannel]# tree ./
./
├── certs
│ ├── ca.pem
│ ├── client-key.pem
│ └── client.pem
├── flanneld
├── mk-docker-opts.sh
└── README.md
3) 建立env變數,預設為"/run/flannel/subnet.env"
[root@zsf7-21 flannel]# vi subnet.env
FLANNEL_NETWORK=172.7.0.0/16
FLANNEL_SUBNET=172.7.21.1/24
FLANNEL_MTU=1500
FLANNEL_IPMASQ=false
- FLANNEL_NETWORK: docker 虛擬網路網段,包含所有宿主機上的docker網路,
- FLANNEL_SUBNET : 當前主機上Docker 網路的網段
- FLANNEL_IPMASQ:
4) 建立flanneld 啟動指令碼
[root@zsf7-21 flannel]# vim flanneld.sh
#!/bin/bash
./flanneld \
--public-ip=10.4.7.21 \
--etcd-endpoints=https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
--etcd-keyfile=./certs/client-key.pem \
--etcd-certfile=./certs/client.pem \
--etcd-cafile=./certs/ca.pem \
--iface=ens33 \
--subnet-file=./subnet.env \
--healthz-port=2401
[root@zsf7-21 flannel]# mkdir -p /data/logs/flanneld
[root@zsf7-21 flannel]# chmod +x /opt/flannel/flanneld.sh
- iface: 需要根據自己的實際網絡卡名稱來進行更改
5) 建立supervisor 啟動指令碼
~]# vi /etc/supervisord.d/flannel.ini
[program:flanneld-7-21]
command=/opt/flannel/flanneld.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/flannel ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; retstart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
6) 在etcd裡面提前建立flannel的網路外掛型別,目前設定為 host-gw
[root@zsf7-21 etcd]# ./etcdctl set /coreos.com/network/config '{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}'
{"Network": "172.7.0.0/16", "Backend": {"Type": "host-gw"}}
7) 啟動flanneld服務
[root@zsf7-21 etcd]# supervisorctl update
flanneld-7-21: added process group
[root@zsf7-21 flanneld]# supervisorctl status
etcd-server-7-21 RUNNING pid 7699, uptime 5 days, 22:07:35
flanneld-7-21 RUNNING pid 36035, uptime 0:01:34
8) 另外一臺機器上同樣的操作進行一遍
在這裡不囉嗦
9) 驗證是否能跨主機通訊
我們在上面驗證叢集是否正常的時候,建立了一個DaemonSet
的資源,現在我們測試下他們之間能不能跨主機通訊
[root@zsf7-21 flannel]# kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
test-nginx-lm7l8 1/1 Running 0 5h 172.7.22.2 zsf7-22.host.com <none> <none>
test-nginx-wpwz9 1/1 Running 0 5h 172.7.21.2 zsf7-21.host.com <none> <none>
[root@zsf7-21 test]# curl -i 172.7.22.2
HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Mon, 10 Aug 2020 07:45:38 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 07 Jul 2020 15:52:25 GMT
Connection: keep-alive
ETag: "5f049a39-264"
......
正常請求,然後我們進去到pod中去請求測試是否正常
[root@zsf7-21 test]# kubectl exec -it test-nginx-wpwz9 bash
root@test-nginx-wpwz9:/# curl -i 172.7.22.2
HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Mon, 10 Aug 2020 07:46:53 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 07 Jul 2020 15:52:25 GMT
Connection: keep-alive
ETag: "5f049a39-264"
然後我們檢視22 機器上的nginx日誌
[root@zsf7-21 test]# kubectl logs test-nginx-lm7l8
10.4.7.21 - - [10/Aug/2020:07:45:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
10.4.7.21 - - [10/Aug/2020:07:46:53 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
10) flanneld 網路優化
可以看出來,我們在pod裡面請求的nginx但是日誌裡面記錄的還是宿主機上面的IP地址,這是我們不想看到的,造成這個問題的原因是:
[root@zsf7-21 test]# iptables-save | grep POSTROUTING
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
這個防火牆的規則就是,源地址是172.7.21.0/24,不是從docker0網絡卡出去的都進行nat地址轉換
我們這邊想讓docker 之間訪問不進行net地址轉換,那麼我們就要做如下操作
[root@zsf7-21 test]# yum install iptables-services -y
[root@zsf7-21 test]# iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE //刪除一個規則
[root@zsf7-21 test]# iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE //源地址是172.7.21.0/24,目的地址不是172.7.0.0/16,和不是從docker0網絡卡出去的都進行net地址轉換
[root@zsf7-21 test]# iptables-save |grep -i postrouting
:POSTROUTING ACCEPT [5:302]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
[root@zsf7-21 test]# iptables-save > /etc/sysconfig/iptables //儲存當前規則
再次請求,檢視pod之間訪問是不是不進行地址轉換了
[root@zsf7-21 test]# kubectl logs test-nginx-lm7l8
10.4.7.21 - - [10/Aug/2020:07:45:38 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
10.4.7.21 - - [10/Aug/2020:07:46:53 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
172.7.21.2 - - [10/Aug/2020:07:59:04 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
部署CoreDns 外掛
1, 通過k8s資源部署CoreDNS
下面的yaml檔案是在kubernetes 官方的github裡面找的,然後根據自己的實際情況進行改改,其他的外掛也可以類比這個來進行操作,地址為: https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/dns/coredns/coredns.yaml.base
1)建立RBAC認證
mkdir coredns
cd coredns
vim coredns-rbac.yml
apiVersion: v1
kind: ServiceAccount
metadata:
name: coredns
namespace: kube-system
labels:
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: Reconcile
name: system:coredns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
- pods
- namespaces
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
addonmanager.kubernetes.io/mode: EnsureExists
name: system:coredns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:coredns
subjects:
- kind: ServiceAccount
name: coredns
namespace: kube-system
2)建立configMap 配置檔案
官方參考文件地址:https://kubernetes.io/zh/docs/tasks/administer-cluster/dns-custom-nameservers/
vim coredns-cm.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
data:
Corefile: |
.:53 {
errors
log
health {
lameduck 5s
}
ready
kubernetes cluster.local 192.168.0.0/16
prometheus :9153
forward . 10.4.7.11
cache 30
loop
reload
loadbalance
}
- prometheus: 提供給prometheus 監控的埠
3)建立deployment 配置檔案,啟動coredns
vim coredns-dm.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
kubernetes.io/name: "CoreDNS"
spec:
selector:
matchLabels:
k8s-app: coredns
template:
metadata:
labels:
k8s-app: coredns
annotations:
seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
priorityClassName: system-cluster-critical
serviceAccountName: coredns
containers:
- name: coredns
image: harbor.zsf.com/public/coredns:v1.6.1
args:
- -conf
- /etc/coredns/Corefile
volumeMounts:
- name: config-volume
mountPath: /etc/coredns
ports:
- containerPort: 53
name: dns
protocol: UDP
- containerPort: 53
name: dns-tcp
protocol: TCP
- containerPort: 9153
name: metrics
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
dnsPolicy: Default
volumes:
- name: config-volume
configMap:
name: coredns
items:
- key: Corefile
path: Corefile
4) 建立svc
vim coredns-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: coredns
namespace: kube-system
labels:
k8s-app: coredns
kubernetes.io/cluster-service: "true"
kubernetes.io/name: "CoreDNS"
spec:
selector:
k8s-app: coredns
clusterIP: 192.168.0.2
ports:
- name: dns
port: 53
protocol: UDP
- name: dns-tcp
port: 53
- name: metrics
port: 9153
protocol: TCP
5) 製作映象上傳映象
[root@zsf7-21 ~]# docker pull coredns/coredns:1.6.1
[root@zsf7-21 ~]# docker tag c0f6e815079e harbor.zsf.com/public/coredns:v1.6.1
6) 建立服務
kubectl create -f coredns-rbac.yml
kubectl create -f coredns-cm.yaml
kubectl create -f coredns-dm.yaml
kubectl create -f coredns-svc.yaml
7) 檢視DNS是否解析成功
[root@zsf7-21 coredns]# dig -t A zsf7-21.host.com @192.168.0.2 +short
10.4.7.21
[root@zsf7-21 coredns]# dig -t A kubernetes.default.svc.cluster.local. @192.168.0.2 +short
192.168.0.1
安裝ingress控制器traefik
1) 製作traefik映象
[root@zsf7-21 ~]# docker pull traefik:v1.7.2-alpine
[root@zsf7-21 test]# docker tag traefik:v1.7.2-alpine harbor.zsf.com/public/traefik:v1.7.2-alpine
[root@zsf7-21 test]# docker push harbor.zsf.com/public/traefik:v1.7.2-alpine
2) 建立traefik rbac 授權檔案
一下所有檔案都是從github上找到,針對實際情況進行更改:https://github.com/containous/traefik/tree/v1.7/examples/k8s
vim traefik-rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: kube-system
3) 建立DaemonSet檔案
vim traefik-ds.yml
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: traefik-ingress-controller
namespace: kube-system
labels:
k8s-app: traefik-ingress-lb
spec:
selector:
matchLabels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
template:
metadata:
labels:
k8s-app: traefik-ingress-lb
name: traefik-ingress-lb
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: harbor.zsf.com/public/traefik:v1.7.2-alpine
name: traefik-ingress-lb
ports:
- name: controller
containerPort: 80
hostPort: 81
- name: admin-web
containerPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --kubernetes
- --logLevel=INFO
- --insecureskipverify=true
- --kubernetes.endpoint=https://10.4.7.10:7443
- --accesslog
- --accesslog.filepath=/var/log/traefik_access.log
- --traefiklog
- --traefiklog.filepath=/var/log/traefik.log
- --metrics.prometheus
4) 建立service yaml檔案
vim traefik-svc.yml
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-service
namespace: kube-system
spec:
selector:
k8s-app: traefik-ingress-lb
ports:
- protocol: TCP
port: 80
name: controller
- protocol: TCP
port: 8080
name: admin-web
5) 建立ingress yaml檔案
vim traefik-ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-web-ui
namespace: kube-system
spec:
rules:
- host: traefik.zsf.com
http:
paths:
- path: /
backend:
serviceName: traefik-ingress-service
servicePort: admin-web
- 啟動所有的yaml
- 在前端頁面上建立一個負載均衡器
upstream default_backend_traefik {
server 10.4.7.21:81 max_fails=3 fail_timeout=10s;
server 10.4.7.22:81 max_fails=3 fail_timeout=10s;
}
server {
server_name *.zsf.com;
location / {
proxy_pass http://default_backend_traefik;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
- 新增DNS解析
安裝 dashboard
和上面安裝外掛一樣,我們首先先去github上找人家官方寫的yaml檔案,然後我們借鑑下:https://github.com/kubernetes/kubernetes/tree/release-1.15/cluster/addons/dashboard
1)製作dashboard 映象
[root@zsf7-21 opt]# docker pull k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
官方配置檔案裡面寫的映象地址我們在國內並不能正常拉去,我們需要替換成下面這個去拉取
[root@zsf7-21 opt]# docker pull registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
[root@zsf7-21 opt]# docker tag registry.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1 harbor.zsf.com/public/kubernetes-dashboard-amd64:v1.10.1
[root@zsf7-21 opt]# docker push harbor.zsf.com/public/kubernetes-dashboard-amd64:v1.10.1
2)建立rbac 授權檔案
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard
namespace: kube-system
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics from heapster.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
3) 建立deployment 檔案
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ''
seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
spec:
priorityClassName: system-cluster-critical
containers:
- name: kubernetes-dashboard
image: harbor.zsf.com/public/kubernetes-dashboard-amd64:v1.10.1
env:
- name: ACCEPT_LANGUAGE
value: english
resources:
limits:
cpu: 100m
memory: 300Mi
requests:
cpu: 50m
memory: 100Mi
ports:
- containerPort: 8443
protocol: TCP
args:
# PLATFORM-SPECIFIC ARGS HERE
- --auto-generate-certificates
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
- name: tmp-volume
mountPath: /tmp
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
在這個裡面我添加了如下一段內容,
env:
- name: ACCEPT_LANGUAGE
value: english
這段內容是讓你的 dashboard 面板是用英文顯示,要不然它會根據你的系統語言來進行選擇,我建議還是使用英文,因為中文是真的看不懂啊。
4) 建立svc
apiVersion: v1
kind: Service
metadata:
name: kubernetes-dashboard
namespace: kube-system
labels:
k8s-app: kubernetes-dashboard
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile
spec:
selector:
k8s-app: kubernetes-dashboard
ports:
- port: 443
targetPort: 8443
5) 建立配置配置檔案
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-certs
namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-key-holder
namespace: kube-system
type: Opaque
---
apiVersion: v1
kind: ConfigMap
metadata:
labels:
k8s-app: kubernetes-dashboard
# Allows editing resource and makes sure it is created first.
addonmanager.kubernetes.io/mode: EnsureExists
name: kubernetes-dashboard-settings
namespace: kube-system
6) 建立ingress
vim traefik-ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: kubernetes-dashboard
namespace: kube-system
spec:
rules:
- host: k8s-dashboard.zsf.com
http:
paths:
- path: /
backend:
serviceName: kubernetes-dashboard
servicePort: 443
7) 配置 nginx
因為 dashboard 需要 https 訪問,我們後端用 http ,那麼在前端頁面上就要配置一個 https 的反向代理,否則頁面能正常訪問,但是沒有辦法驗證 tokne 不能正常登入
upstream https_default_backend_traefik {
server 192.168.4.74:81 max_fails=3 fail_timeout=10s;
server 192.168.4.75:81 max_fails=3 fail_timeout=10s;
server 192.168.4.76:81 max_fails=3 fail_timeout=10s;
}
server {
server_name *.zsf.com;
listen 443 ssl;
ssl_certificate /etc/nginx/conf.d/certs/zsf.com.pem;
ssl_certificate_key /etc/nginx/conf.d/certs/zsf.com-key.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://https_default_backend_traefik;
proxy_set_header Host $http_host;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
}
}
上面的證書可以自己生成,也可以使用公司的證書
8) 新增 DNS 解析記錄
9) 測試訪問
https://k8s-dashboard.zsf.com/#!/login
我們這邊選擇 token 登入,那麼我們就需要去建立一個賬戶,然後獲取他的 token
10) 建立授權使用者,獲取 token
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
獲取 token
$ kubectl describe -n kube-system secrets $(kubectl get -n kube-system secrets | awk '$1~/admin-user/{print $1}' )
Name: admin-user-token-jtq8f
Namespace: kube-system
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-user
kubernetes.io/service-account.uid: 2f6ff8c2-9cf1-4b4a-b8c6-73cf5367ae5b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1326 bytes
namespace: 11 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLWp0cThmIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIyZjZmZjhjMi05Y2YxLTRiNGEtYjhjNi03M2NmNTM2N2FlNWIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.LdPnfwKvxLeYLfcS1BZDY1ubY5GUlEOThsxct6AcQnTuQfn7iN6wViLhTqTsUowmMswIl1tkaIGdPmFG4i9nJCEz0Hu9-veGnPy_pWUJtNjM5IJgqeQef2whzLJLcPSbSMYSiNTz_P9QhtMON92ujhvIq-cM9lSXXp6GmPctBqiNASJM0A_y7F_oxa8Q_ccfT83AdO4OZVcrMoz32YLJIxaPtqw7wLEbP8QgDEp2Gonq51Qb_uH__PC4rLE7CCXajVeo4zkqGE8_0ASopZ36C8ZNkujR6oCEmH3XkEwJ6FI3kTjrlMUZTsGf2UZn1N44rs1uql0D8EdhwsTnYRsp5A
然後拿到獲取的 token 去登入頁面,