Installation is done with kubeadm. Kubernetes CHANGELOG: https://github.com/kubernetes/kubernetes/releases

1. Install Docker (all nodes)

Docker is used as the container runtime here. For installation, see: https://www.cnblogs.com/jhxxb/p/11410816.html

After installation, some configuration is required: https://kubernetes.io/zh/docs/setup/production-environment/container-runtimes/#docker

2. Install kubeadm (all nodes)

https://developer.aliyun.com/mirror/kubernetes

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm

Preparation

# Stop and disable the firewall
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

# Use the Aliyun yum mirror
sudo mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
yum makecache

# Set SELinux to permissive mode (effectively disabling it)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Turn off swap; free should then report swap as 0
sudo sed -ri 's/.*swap.*/#&/' /etc/fstab
sudo swapoff -a
free -g

# Let iptables see bridged traffic
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system

Installation

# Add the Aliyun yum repository, then install kubeadm, kubelet and kubectl
sudo bash -c 'cat << EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF'

# Install
sudo yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes

# Enable at boot and start now; same as: sudo systemctl enable kubelet && sudo systemctl start kubelet
sudo systemctl enable --now kubelet

# Check kubelet status
systemctl status kubelet
kubelet --version

# Restart kubelet
sudo systemctl daemon-reload
sudo systemctl restart kubelet
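
The repository definitions above decide whether yum authenticates what it installs: the Kubernetes repo is served over https with gpgcheck=1 and repo_gpgcheck=1, while the CentOS base repo file is fetched over plain http. As an added example (not from the original post), the function below audits .repo files for plain-http URLs and disabled signature checks; the name audit_repo and the sample repo content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report weak settings in yum .repo files (files as arguments, or stdin).
# Output: one "<repo-id>: <finding>" line per problem, nothing when clean.
audit_repo() {
    awk '
    function report(msg) { if (seen[sec, msg]++ == 0) print sec ": " msg }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^\[/ {                                          # start of a [repo-id] section
        sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); key = ""; next
    }
    sec == "" { next }
    {
        if ($0 ~ /^[A-Za-z_]+[ \t]*=/) {             # key=value
            key = $0; sub(/[ \t]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        } else {                                     # indented continuation line
            val = $0
        }
        sub(/[ \t\r]+$/, "", val)
        if ((key == "gpgcheck" || key == "repo_gpgcheck") && val == "0")
            report(key " is disabled")
        if ((key == "baseurl" || key == "mirrorlist" || key == "gpgkey") &&
            val ~ /(^|[ \t])http:\/\//)
            report(key " uses plain http")
    }' "$@"
}

# Constructed sample (hypothetical hosts, except the Kubernetes baseurl from this page).
sample_repos() {
    cat <<'EOF'
[base]
name=CentOS-7 - Base
baseurl=http://mirror.example.com/centos/7/os/x86_64/
        http://mirror2.example.com/centos/7/os/x86_64/
gpgcheck=1
gpgkey=http://mirror.example.com/centos/RPM-GPG-KEY-CentOS-7
[local-test]
baseurl=https://repo.example.internal/el7/
gpgcheck=0
[kubernetes]
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
gpgcheck=1
repo_gpgcheck=1
EOF
}

sample_repos | audit_repo
```

On a node it would be run as audit_repo /etc/yum.repos.d/*.repo.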

 

3. Install Kubernetes with kubeadm (initialize the Master, then join the other nodes)

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm

Initialize Kubernetes on the Master node

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#初始化控制平面节点

init parameters: https://kubernetes.io/zh/docs/reference/setup-tools/kubeadm/kubeadm-init

https://github.com/zhangguanzhang/google_containers provides a mirror of google_containers reachable from mainland China: registry.aliyuncs.com/k8sxio

Make sure the hostname is not localhost, is listed in /etc/hosts, and responds to ping

# Replace the value of --apiserver-advertise-address with the Master host's IP
# If --kubernetes-version is not given, the latest version number is fetched from https://dl.k8s.io/release/stable-1.txt
sudo kubeadm init \
--apiserver-advertise-address=10.70.19.33 \
--image-repository registry.aliyuncs.com/google_containers \
--service-cidr=10.96.0.0/16 \
--pod-network-cidr=192.168.0.0/16

If an image download fails during initialization, you can temporarily pull latest and then tag it, for example coredns:v1.8.4

# List the required images
kubeadm config images list
docker pull registry.aliyuncs.com/google_containers/coredns
docker tag registry.aliyuncs.com/google_containers/coredns:latest registry.aliyuncs.com/google_containers/coredns:v1.8.4

Once initialization finishes, run the commands it prints: https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#更多信息

Install the Pod network on the Master node

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#pod-network

A cluster can have only one Pod network. Confirm that it is working by checking with kubectl get pods --all-namespaces that the CoreDNS Pod is Running. Once the CoreDNS Pod is up and running, Nodes can join the Master

# Install the network on the Master node
# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Newer Calico releases (https://projectcalico.docs.tigera.io/getting-started/kubernetes/quickstart): install tigera-operator.yaml and custom-resources.yaml (edit the cidr to match the --pod-network-cidr passed to kubeadm init)
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
kubectl get ns
# List pods in all namespaces
# kubectl get pods --all-namespaces
kubectl get pod -o wide -A
# List pods in a specific namespace
kubectl get pods -n kube-system

Allow Pods to be scheduled on the Master node (optional)

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#控制平面节点隔离

# Allow Pods to be scheduled on the Master node
kubectl taint nodes --all node-role.kubernetes.io/master-
# To disallow scheduling
kubectl taint nodes master1 node-role.kubernetes.io/master=:NoSchedule
# Taint effect options:
#  NoSchedule: Pods must not be scheduled here
#  PreferNoSchedule: avoid scheduling here when possible
#  NoExecute: no scheduling, and Pods already on the Node are evicted

Join the other nodes to the Master node

https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#join-nodes

# Run on each other node to join; the token expires
sudo kubeadm join 10.70.19.33:6443 --token tqaitp.3imn92ur339n4olo --discovery-token-ca-cert-hash sha256:fb3da80b6f1dd5ce6f78cb304bc1d42f775fdbbdc80773ff7c59

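# If more than 2 hours have passed and you no longer have the token
# Print a new token
kubeadm token create --print-join-command
# Create a token that never expires
kubeadm token create --ttl 0 --print-join-command

# On the Master node, watch pod progress; wait 3-10 minutes and continue once everything is Running
watch kubectl get pod -n kube-system -o wide
# Wait until every STATUS is Running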
kubectl get nodes
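
The join token and the CA hash are what authenticate a new node to the cluster and the cluster to the node, so both are worth checking before use. As an added example (not part of the original post), these helpers validate the shape of the two join arguments, recompute the CA public-key hash on the Master with the openssl pipeline from the kubeadm documentation, and pick out never-expiring bootstrap tokens from kubeadm token list output. The function names and the sample token listing are constructed.

```shell
#!/bin/sh
# Added example: sanity checks around the secrets used by `kubeadm join`.

# $1 = bootstrap token, $2 = --discovery-token-ca-cert-hash value.
# Prints each problem; returns non-zero if any was found.
check_join_args() {
    rc=0
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$' ||
        { echo "token: expected 6 chars, a dot, 16 chars"; rc=1; }
    printf '%s\n' "$2" | grep -Eq '^sha256:[0-9a-f]{64}$' ||
        { echo "ca-cert-hash: expected sha256: plus 64 hex digits"; rc=1; }
    return "$rc"
}

# Recompute the hash from the cluster CA (run on the Master; RSA CA key assumed).
ca_cert_hash() {
    openssl x509 -pubkey -in "${1:-/etc/kubernetes/pki/ca.crt}" |
        openssl rsa -pubin -outform der 2>/dev/null |
        openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Read `kubeadm token list` output on stdin; print tokens whose TTL is <forever>.
forever_tokens() {
    awk 'NR > 1 && $2 == "<forever>" { print $1 }'
}

# Constructed sample of `kubeadm token list` output (tokens are made up).
sample_token_list() {
    cat <<'EOF'
TOKEN                     TTL         EXPIRES                USAGES                   DESCRIPTION   EXTRA GROUPS
abcdef.0123456789abcdef   1h          2021-11-20T10:00:00Z   authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
uvwxyz.fedcba9876543210   <forever>   <never>                authentication,signing   <none>        system:bootstrappers:kubeadm:default-node-token
EOF
}

# A hash that lost characters in copy/paste is rejected before it reaches kubeadm.
check_join_args 'abcdef.0123456789abcdef' 'sha256:0123abcd' || true

# Each token printed here is a candidate for: kubeadm token delete <token>
sample_token_list | forever_tokens
```

On the Master, compare "sha256:$(ca_cert_hash)" with the value in the join command before handing it to a new node.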

At this point the K8s cluster installation is complete; the steps below are optional.

4. Kubernetes Dashboard

https://github.com/kubernetes/dashboard/tree/master/docs

Installation

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml

# Change type: ClusterIP to type: NodePort
kubectl -n kubernetes-dashboard edit service kubernetes-dashboard
# Check the IP and port to get the access URL, here https://<master-ip>:31707
kubectl -n kubernetes-dashboard get service kubernetes-dashboard
# NAME                   TYPE       CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
# kubernetes-dashboard   NodePort   10.100.124.90   <nodes>       443:31707/TCP   21h

# View the permissions (ClusterRoleBinding) bound to the default account (ServiceAccount)
kubectl edit ClusterRoleBinding kubernetes-dashboard -n kubernetes-dashboard
# Edit the ClusterRole so that kubernetes-dashboard has the same permissions as cluster-admin
kubectl edit ClusterRole cluster-admin -n kubernetes-dashboard
kubectl edit ClusterRole kubernetes-dashboard -n kubernetes-dashboard

# Get the default account's token
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/kubernetes-dashboard -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep kubernetes-dashboard-token | awk '{print $1}')
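
The token extracted above can do whatever the kubernetes-dashboard ServiceAccount can, and with the Service switched to NodePort the login page is reachable on every node's address. As an added example (not from the original post), the function below reads the output of kubectl auth can-i --list for that ServiceAccount and flags the grants that matter most; the function name, the severity labels and the sample listing are constructed.

```shell
#!/bin/sh
# Added example: flag risky grants in `kubectl auth can-i --list` output (stdin).
# Real input would come from:
#   kubectl auth can-i --list \
#     --as=system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard
# Columns in that output are padded with runs of spaces, hence the 2+ space separator.
audit_can_i() {
    awk -F'  +' '
    $1 == "Resources" { next }                       # header row
    {
        sub(/[ \t]+$/, "")
        res = $1; verbs = $NF
        sub(/^\[/, "", verbs); sub(/\]$/, "", verbs) # "[get list]" -> "get list"
        if (res == "") next                          # non-resource URL rule
        v = " " verbs " "
        if (res == "*.*" && verbs == "*")
            print "CRITICAL " res ": every verb on every resource (same as cluster-admin)"
        else if (res == "secrets" && (verbs == "*" || v ~ / (get|list|watch) /))
            print "HIGH " res ": can read Secrets, including ServiceAccount tokens"
        else if (res ~ /roles\.rbac\.authorization\.k8s\.io$/ &&
                 (verbs == "*" || v ~ / (bind|escalate) /))
            print "HIGH " res ": bind/escalate lets it exceed its own permissions"
    }'
}

# Constructed sample listing for illustration.
sample_can_i() {
    cat <<'EOF'
Resources                                   Non-Resource URLs   Resource Names   Verbs
*.*                                         []                  []               [*]
                                            [*]                 []               [*]
secrets                                     []                  []               [get list watch]
clusterroles.rbac.authorization.k8s.io      []                  []               [bind]
nodes.metrics.k8s.io                        []                  []               [get list watch]
EOF
}

sample_can_i | audit_can_i
```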

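Install monitoring: metrics-server

https://kubernetes.io/zh/docs/tasks/debug-application-cluster/resource-usage-monitoring

https://github.com/kubernetes-sigs/metrics-server

By default the Kubernetes Dashboard shows no monitoring data. Install metrics-server to monitor pod and node resource usage (CPU and memory only by default) and display it in the Kubernetes Dashboard; anything more requires integrating Prometheus

# Test environments: edit the yaml file to add --kubelet-insecure-tls (the kubelets' serving certificates are then not verified) and change the image address (or pull the image and retag it)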
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

# Check the logs; the image download may fail
kubectl get pods -A
kubectl -n kube-system describe pod metrics-server-687dd7b749-vtgtt
# Another image can be used instead, or the image address in components.yaml can be changed
#docker pull bitnami/metrics-server:0.5.0
docker pull willdockerhub/metrics-server:v0.5.0
docker tag willdockerhub/metrics-server:v0.5.0 k8s.gcr.io/metrics-server/metrics-server:v0.5.0

# After installation, check
kubectl top nodes
kubectl top pods

Besides the Kubernetes Dashboard, there are other UIs

KubeSphere (https://kubesphere.io/zh/docs/quick-start/minimal-kubesphere-on-k8s): if a pod never starts during installation, check whether the etcd monitoring certificates cannot be found

# The certificates are at the following paths
# --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
# --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
# --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
# Create the certificate secret:
kubectl -n kubesphere-monitoring-system create secret generic kube-etcd-client-certs  --from-file=etcd-client-ca.crt=/etc/kubernetes/pki/etcd/ca.crt  --from-file=etcd-client.crt=/etc/kubernetes/pki/apiserver-etcd-client.crt  --from-file=etcd-client.key=/etc/kubernetes/pki/apiserver-etcd-client.key

# After creation, kube-etcd-client-certs is visible
ps -ef | grep kube-apiserver