准备工作
确保每个节点的主机名、网卡 MAC 地址和 product_uuid 都是唯一的(克隆出来的虚拟机常常重复)
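# Every node must have a unique hostname, MAC address and product_uuid --
# kubeadm/kubelet node registration can fail when they are shared (cloned
# VMs are the usual culprit). Run these on every node and compare.
# Hostname
hostname
# Network interfaces and their MAC addresses
ip link
# or (net-tools, if installed)
ifconfig -a
# product_uuid is readable only by root (mode 0400), so it needs sudo --
# without it the cat fails with "Permission denied" in a non-root shell.
sudo cat /sys/class/dmi/id/product_uuid
# Physical hardware normally reports unique values; VM clones are the exception.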
检查所需端口(这些端口只应对集群节点和管理网络开放,不要通过安全组/防火墙直接暴露到公网)
控制平面节点
协议 | 方向 | 端口范围 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 6443 | Kubernetes API 服务器 | 所有组件 |
TCP | 入站 | 2379-2380 | etcd 服务器客户端 API | kube-apiserver, etcd |
TCP | 入站 | 10250 | Kubelet API | kubelet 自身、控制平面组件 |
TCP | 入站 | 10251 | kube-scheduler(旧版非安全端口;较新版本已移除,改用安全端口 10259) | kube-scheduler 自身 |
TCP | 入站 | 10252 | kube-controller-manager(旧版非安全端口;较新版本已移除,改用安全端口 10257) | kube-controller-manager 自身 |
工作节点
协议 | 方向 | 端口范围 | 作用 | 使用者 |
---|---|---|---|---|
TCP | 入站 | 10250 | Kubelet API | kubelet 自身、控制平面组件 |
TCP | 入站 | 30000-32767 | NodePort 服务† | 所有组件 |
其他端口
10248:kubelet 的 healthz 健康检查端口,默认只监听 127.0.0.1(后文 kubeadm init 报错 connection refused 指的就是这个端口)
关闭swap
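# kubelet refuses to start while swap is active (unless failSwapOn is
# turned off), so disable it now and keep it off across reboots.
sudo swapoff -a
# Comment out only fstab entries that have a whitespace-delimited "swap"
# field and are not already commented. The previous pattern `.*swap.*`
# also re-commented already-commented lines and hit any line that merely
# contained the word "swap" (e.g. a mount path).
sudo sed -ri '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab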
允许 iptables 检查桥接流量
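# Let iptables see bridged (pod-to-pod) traffic and allow IPv4 forwarding,
# both required by kube-proxy and the CNI plugin.
# modules-load.d only takes effect at boot; load the module now as well,
# otherwise `sysctl --system` below fails on the net.bridge.* keys.
sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
# Apply without a reboot.
sudo sysctl --system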
将 SELinux 设置为 permissive 模式
# Put SELinux into permissive mode (denials are logged but not enforced).
# Upstream kubeadm docs require this so containers can reach the host
# filesystem; it does weaken host isolation, so bear it in mind for
# production nodes. `setenforce` changes the running kernel immediately,
# the sed edit makes the setting persist across reboots.
sudo setenforce Permissive
sudo sed -i -E 's/^(SELINUX=)enforcing$/\1permissive/' /etc/selinux/config
安装 kubeadm、kubelet 和 kubectl
你需要在每台机器上安装以下的软件包:
- kubeadm:用来初始化集群的指令。
- kubelet:在集群中的每个节点上用来启动 Pod 和容器等。
- kubectl:用来与集群通信的命令行工具。
安装
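# Package repository: Aliyun mirror of the legacy Google-hosted yum repo.
# NOTE(review): the upstream repo this mirrors (packages.cloud.google.com)
# was frozen in 2023 and stops at roughly 1.28; newer releases come from
# pkgs.k8s.io -- verify what this mirror currently serves before relying on
# it. gpgcheck/repo_gpgcheck stay enabled so both packages and repo metadata
# are signature-checked against the keys below.
# The quoted delimiter makes explicit that nothing in the file is expanded.
cat <<'EOF' | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
# Optional version pin, e.g. K8S_VERSION=1.23.6: every node must run the same
# version, and `kubeadm init` pulls images matching it. Left unset, this
# installs the newest package in the repo exactly as before.
K8S_VERSION="${K8S_VERSION:-}"
# `exclude=` in the repo file keeps a routine `yum update` from upgrading the
# cluster packages by accident; --disableexcludes opts back in for this
# install only.
sudo yum install -y --disableexcludes=kubernetes \
  "kubelet${K8S_VERSION:+-$K8S_VERSION}" \
  "kubeadm${K8S_VERSION:+-$K8S_VERSION}" \
  "kubectl${K8S_VERSION:+-$K8S_VERSION}"
# kubelet restarts in a loop until `kubeadm init`/`join` hands it a config;
# that is expected at this point.
sudo systemctl enable --now kubelet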
若 yum 报错“无法从 /var/lib/rpm 打开软件包数据库”(rpm 数据库索引损坏),按下面重建索引:
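# Rebuild a corrupt rpm database. Use absolute paths instead of `cd` followed
# by a relative rm, so a failed cd can never let the rm run in whatever
# directory the shell happened to be in. __db.* are regenerable Berkeley DB
# lock/cache files; the Packages database itself is left untouched.
sudo rm -rf -- /var/lib/rpm/__db.*
sudo rpm --rebuilddb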
使用kubeadm引导集群
下载各个机器需要的镜像
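# Pre-pull the control-plane images from a mirror reachable from China.
# NOTE(review): the pulls below carry no tag, so docker fetches `:latest`,
# which is generally NOT the version `kubeadm init` asks for -- init pulls
# the exact tags for its own version regardless. The reliable way to
# pre-pull is:
#   kubeadm config images pull --image-repository registry.aliyuncs.com/google_containers
# The quoted delimiter keeps $imageName literal inside the written script.
sudo tee ./images.sh <<-'EOF'
#!/bin/bash
# Stop at the first failed pull instead of silently carrying on.
set -euo pipefail
images=(
kube-apiserver
kube-proxy
kube-controller-manager
kube-scheduler
coredns
etcd
pause
)
for imageName in "${images[@]}"; do
  docker pull "registry.aliyuncs.com/google_containers/${imageName}"
done
EOF
chmod +x ./images.sh && ./images.sh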
初始化主节点
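# Hostname -> IP mapping for the control-plane endpoint; run on EVERY node
# and replace the IP with your own. Appending to /etc/hosts needs root, so
# use `sudo tee -a` -- a plain `>>` redirect is opened as the calling user.
MASTER_IP="39.103.233.115"
echo "${MASTER_IP} cluster-endpoint" | sudo tee -a /etc/hosts
# Initialise the first control-plane node.
# --apiserver-advertise-address must be an address configured on a local
#   interface. On cloud VMs a public IP is frequently NAT'd and not bound on
#   the host; then use the private IP here and keep the public one only in
#   /etc/hosts -- TODO confirm for this host.
# --control-plane-endpoint uses the stable name above so further
#   control-plane nodes can be joined later.
# --service-cidr and --pod-network-cidr must not overlap each other, the node
#   network, or anything the nodes must reach. NOTE(review): 192.169.0.0/16 is
#   NOT private (RFC 1918) space -- it is publicly routable, so pods would
#   shadow real internet hosts in that range; the usual choices are
#   192.168.0.0/16 (Calico's default) or 10.244.0.0/16. Whatever you pick
#   must match CALICO_IPV4POOL_CIDR when the network plugin is applied.
# Whichever address is advertised, 6443 must not be open to the internet at
# large -- restrict it with the security group / firewall.
sudo kubeadm init \
  --apiserver-advertise-address="${MASTER_IP}" \
  --control-plane-endpoint=cluster-endpoint \
  --image-repository registry.aliyuncs.com/google_containers \
  --service-cidr=10.96.0.0/16 \
  --pod-network-cidr=192.169.0.0/16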
改配置
# Edit the kubeadm ClusterConfiguration stored in the cluster (CIDRs,
# controlPlaneEndpoint, image repository, ...). Which setting '改配置'
# intends to change is not stated here -- TODO clarify. Edits here are read
# by later kubeadm operations (join/upgrade); they do not reconfigure the
# components already running.
kubectl -n kube-system edit cm kubeadm-config
如果 kubeadm init 报错 connection refused(kubelet 没有正常启动)
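# Fix for `kubeadm init` failing with
#   dial tcp 127.0.0.1:10248: connect: connection refused
# 10248 is kubelet's healthz port; the refusal means kubelet is not running,
# typically because docker's cgroup driver (cgroupfs) does not match the
# systemd driver kubelet expects.
# daemon.json is ONE JSON object. If the file already exists the key has to
# be merged into that object -- appending a second `{...}` line makes the
# file invalid JSON and docker will refuse to start.
if [ -s /etc/docker/daemon.json ]; then
  echo 'daemon.json already exists: add "exec-opts": ["native.cgroupdriver=systemd"] inside the existing object (e.g. with jq), then continue below' >&2
else
  echo '{"exec-opts": ["native.cgroupdriver=systemd"]}' | sudo tee /etc/docker/daemon.json
fi
# Restart the runtime first, then kubelet.
sudo systemctl daemon-reload
sudo systemctl restart docker
sudo systemctl restart kubelet
# Discard the half-finished init (wipes /etc/kubernetes and the local etcd
# data on this node; it asks for confirmation), then re-run the
# `kubeadm init` command above.
sudo kubeadm reset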
看到Your Kubernetes control-plane has initialized successfully!
说明初始化成功
保存初始化成功后面的信息,后面要用。注意:其中的 token 是集群的引导凭据(默认 24 小时过期),持有它的人就能把节点加入集群;下面的值只是示例,不要把自己的 token 公开发布。
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:
kubeadm join cluster-endpoint:6443 --token aedzgz.zl1pio6oo06k7ajn \
--discovery-token-ca-cert-hash sha256:eded5d6f262d427e9ef9df1e248e33ba08ec08d9bbceb6a45e6432851af65186 \
--control-plane
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join cluster-endpoint:6443 --token aedzgz.zl1pio6oo06k7ajn \
--discovery-token-ca-cert-hash sha256:eded5d6f262d427e9ef9df1e248e33ba08ec08d9bbceb6a45e6432851af65186
重新创建令牌
# Mint a new bootstrap token and print the matching `kubeadm join` line (for
# when the original one has expired -- default TTL is 24h). Treat it like a
# password: anyone holding it can join a node to the cluster. Use --ttl to
# shorten its life and `kubeadm token delete` once the nodes are joined.
kubeadm token create --print-join-command
在主节点运行
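# Give the current user a kubeconfig. admin.conf holds a cluster-admin client
# certificate, so the copy must be private to this user -- kubectl warns when
# the file is group- or world-readable. `cp -i` still prompts before
# overwriting an existing config. Paths are quoted in case $HOME has spaces.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"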
主节点安装网络插件
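# Download the Calico manifest. -f makes curl fail on HTTP errors instead of
# saving an error page that `kubectl apply` then chokes on; -L follows
# redirects (the Calico docs site has moved, so this URL may now redirect --
# verify it still resolves, and prefer a version-pinned manifest URL so a
# re-run applies the same bytes you reviewed).
curl -fsSLO https://docs.projectcalico.org/manifests/calico.yaml
# If --pod-network-cidr at init was changed, the pool in calico.yaml must
# match it: uncomment/adjust these lines in the calico-node container env.
#   - name: CALICO_IPV4POOL_CIDR
#     value: "192.169.0.0/16"
# Skim the manifest before applying it -- it deploys privileged node agents
# on every node.
kubectl apply -f calico.yaml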
部署dashboard
kubernetes官方提供的可视化界面
# Install the Kubernetes Dashboard, pinned to v2.4.0 (keep the pin so the
# applied manifest is reproducible). Out of the box the service is
# ClusterIP, i.e. reachable only from inside the cluster or via
# `kubectl proxy`; the steps below widen that.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml
修改配置
# Change the Service type so the dashboard is reachable from outside the
# cluster (below: ClusterIP -> NodePort).
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
把 type: 的值改为 NodePort。
注意:NodePort 会在每个节点的 30000-32767 范围内开放一个端口,所有能访问到节点的网络都能打开登录页;只建议在实验环境这样做,否则请改用 kubectl proxy / kubectl port-forward,或用防火墙限制来源 IP。
查看端口
# Look up the NodePort that was assigned to the dashboard service.
kubectl get svc -A | grep -F -- kubernetes-dashboard
访问
https://<任意节点IP>:<NodePort>(dashboard 默认一般使用自签名证书,浏览器会提示不安全,需要手动确认)
创建访问账号
# 创建访问账号 vi dash.yaml
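# ServiceAccount the dashboard login token is issued for.
# (Indentation restored -- the manifest as pasted had lost it and was not
# valid YAML.)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# WARNING: this binds the account to cluster-admin, i.e. unrestricted control
# of the whole cluster. Anyone who obtains its token (and can reach the
# dashboard NodePort) is effectively cluster root. Acceptable for a
# throw-away lab; for anything shared, bind a narrower ClusterRole (e.g.
# `view`) or a namespaced Role instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kubernetes-dashboard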
# Create the ServiceAccount and the (cluster-admin) binding defined above.
kubectl apply -f dash.yaml
获取访问令牌
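# Obtain a bearer token for the admin-user ServiceAccount to paste into the
# dashboard login. On Kubernetes >= 1.24 ServiceAccounts no longer get an
# auto-created token Secret, so `.secrets[0]` is empty and the old lookup
# fails; `kubectl create token` (kubectl >= 1.24) issues a short-lived token
# instead. Try that first and fall back to the legacy Secret lookup on older
# clusters. This token is a cluster-admin credential: never paste it into
# chats, tickets or docs.
kubectl -n kubernetes-dashboard create token admin-user 2>/dev/null \
  || kubectl -n kubernetes-dashboard get secret \
       "$(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath='{.secrets[0].name}')" \
       -o go-template='{{.data.token | base64decode}}'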