Setting Up Kubernetes with kubeadm, the One-Command Deployment Tool

Preparation

Buy two ECS instances on Alibaba Cloud with at least 2 cores and 4 GB of RAM each. For temporary study one week is enough; a cheaper instance costs roughly 30 yuan per instance per week.

Install Docker

sudo yum install -y yum-utils
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker

docker -v

Load the images Kubernetes needs

Because of network restrictions, pull the images from the Alibaba Cloud mirror and then use docker tag to rename them to the default Kubernetes image names.

docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.19.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.19.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.0
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.9-1
docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0

docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.19.0 k8s.gcr.io/kube-apiserver:v1.19.0
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.19.0 k8s.gcr.io/kube-controller-manager:v1.19.0
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.0 k8s.gcr.io/kube-scheduler:v1.19.0
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.0 k8s.gcr.io/kube-proxy:v1.19.0
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 k8s.gcr.io/pause:3.2
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.9-1 k8s.gcr.io/etcd:3.4.9-1
docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 k8s.gcr.io/coredns:1.7.0

Install kubeadm

kubeadm is the one-command deployment tool for Kubernetes and is convenient for learning. First install the three binaries kubeadm, kubectl and kubelet on both nodes. Since the images pulled above are v1.19.0, be sure to specify that version number when installing.

# Add the Alibaba Cloud repository
cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

# Set SELinux in permissive mode (effectively disabling it)
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Be sure to specify the version number here
sudo yum install -y kubelet-1.19.0 kubeadm-1.19.0 kubectl-1.19.0 --disableexcludes=kubernetes
sudo systemctl enable --now kubelet

After a successful installation, you can check the version information:

[root@kube002 ~]# kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:28:32Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

[root@kube002 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.0", GitCommit:"e19964183377d0ec2052d1f1fa930c4d7575bd50", GitTreeState:"clean", BuildDate:"2020-08-26T14:30:33Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

kubeadm init

Use kubeadm init to deploy the Master node. When it runs, it first performs a series of checks (Running pre-flight checks). The options used here:

  • --kubernetes-version specifies the version number
  • --pod-network-cidr specifies the Pod address range
  • --service-cidr specifies the Service address range

kubeadm init --kubernetes-version=v1.19.0 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12
[init] Using Kubernetes version: v1.19.0
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
......
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
......
[mark-control-plane] Marking the node kube001 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node kube001 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
......
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.24.251.196:6443 --token gopfsz.5r5pp10ppen86xrv \
    --discovery-token-ca-cert-hash sha256:ea1f97ae7ff9364f2efbc4aad55d3e084a511f05ce46e2c730880c723b72ecea

It is worth reading the full log that kubeadm init prints during installation; it contains a lot of important information.

The following lines will be needed when deploying the Worker node.

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubeadm join

kubeadm init generates a token; kubeadm join can then be run on any machine that has kubeadm, kubelet and kubectl installed to add it to the Kubernetes cluster as a Worker node.

kubeadm join 172.24.251.196:6443 --token gopfsz.5r5pp10ppen86xrv \
    --discovery-token-ca-cert-hash sha256:ea1f97ae7ff9364f2efbc4aad55d3e084a511f05ce46e2c730880c723b72ecea
[preflight] Running pre-flight checks
    [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service'
    [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
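As an added example (not part of the original post), the following Python recomputes the --discovery-token-ca-cert-hash value the way kubeadm does, as the SHA-256 of the CA certificate's DER-encoded SubjectPublicKeyInfo, so the hash in a join command can be checked against /etc/kubernetes/pki/ca.crt from the master before a worker trusts the API server at that address. It uses only the standard library; build_sample_cert_pem constructs a stand-in certificate for testing and is not a real CA.

```python
import base64
import hashlib
import re

def _tlv(buf, off):
    """Decode one DER element header at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def extract_spki(cert_pem):
    """Return the raw DER SubjectPublicKeyInfo element of a PEM-encoded X.509 certificate."""
    der = base64.b64decode("".join(re.findall(r"^(?!-----)(\S+)$", cert_pem, re.M)))
    _, cert_vs, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, off, tbs_end = _tlv(der, cert_vs)           # tbsCertificate ::= SEQUENCE
    elems = []                                     # (tag, element_start, value_end)
    while off < tbs_end:
        tag, _, ve = _tlv(der, off)
        elems.append((tag, off, ve))
        off = ve
    if elems[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        elems = elems[1:]
    _, start, end = elems[5]   # after serialNumber, signature, issuer, validity, subject
    return der[start:end]

def discovery_hash(cert_pem):
    """The value kubeadm prints: sha256 over the CA certificate's raw SubjectPublicKeyInfo."""
    return "sha256:" + hashlib.sha256(extract_spki(cert_pem)).hexdigest()

def verify_join_hash(cert_pem, claimed):
    """True if a join command's --discovery-token-ca-cert-hash matches this CA certificate."""
    return claimed.strip().lower() == discovery_hash(cert_pem)

def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    n = len(body)
    hdr = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + hdr + body

def build_sample_cert_pem(spki_der):
    """Constructed, unsigned X.509 skeleton wrapping spki_der (a stand-in for a real ca.crt)."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    version = _der(0xA0, _der(0x02, b"\x02"))                 # [0] EXPLICIT version v3
    validity = seq(_der(0x17, b"200101000000Z"), _der(0x17, b"300101000000Z"))
    sig_alg = seq(_der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSAEncryption
    tbs = seq(version, _der(0x02, b"\x01"), sig_alg, seq(), validity, seq(), spki_der)
    b64 = base64.b64encode(seq(tbs, sig_alg, _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

On a real cluster, pass the contents of /etc/kubernetes/pki/ca.crt to verify_join_hash together with the hash from the join command; a mismatch means the command does not belong to this control plane.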

Copy the /etc/kubernetes/admin.conf file from the master node to the same directory on the Worker node, then run the following commands:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kube-apiserver.yaml

After the steps above, running kubectl get nodes on the Worker node reports an error. At this point you need to change the apiserver parameter --insecure-port in the static Pod manifest /etc/kubernetes/manifests/kube-apiserver.yaml on the master node; this port bypasses the authentication and authorization modules, and its default value is 0.

spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.24.251.196
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=8080
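As an added example (not part of the original post), the following Python audits the command flags of a kube-apiserver static Pod manifest such as the fragment above, using a line-based parser that needs no YAML library. It flags a non-zero --insecure-port (which serves requests with no authentication or authorization), an authorization mode without RBAC, and a missing NodeRestriction admission plugin; APISERVER_MANIFEST is a constructed copy of the page's fragment.

```python
import re

# Constructed copy of the manifest fragment shown above (the page's own values).
APISERVER_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.24.251.196
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=8080
"""

def parse_apiserver_flags(manifest_text):
    """Collect '--flag=value' entries from the kube-apiserver command list; a bare flag counts as 'true'."""
    flags = {}
    for line in manifest_text.splitlines():
        m = re.match(r"\s*-\s+--([\w-]+)(?:=(.*))?$", line)
        if m:
            flags[m.group(1)] = (m.group(2) or "true").strip()
    return flags

def audit_apiserver_flags(flags):
    """Return findings for settings that weaken API server authentication or authorization."""
    findings = []
    if flags.get("insecure-port", "0") != "0":
        findings.append("insecure-port=%s: serves API requests with no authentication or authorization"
                        % flags["insecure-port"])
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")   # kube-apiserver default
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode=%s: RBAC is not enforced" % ",".join(modes))
    if "NodeRestriction" not in flags.get("enable-admission-plugins", "").split(","):
        findings.append("enable-admission-plugins: NodeRestriction missing, kubelets are not confined to their own node")
    return findings

def audit_manifest(manifest_text):
    """Parse and audit a kube-apiserver manifest in one step."""
    return audit_apiserver_flags(parse_apiserver_flags(manifest_text))
```

Run audit_manifest on the real file from /etc/kubernetes/manifests/ once the learning exercise is over; an empty result means the three settings are back at their hardened values.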

kubectl get nodes

kubectl get nodes lists the nodes; you will find that they are all in the NotReady state:

[root@kube002 ~]# kubectl get nodes
NAME      STATUS     ROLES    AGE     VERSION
kube001   NotReady   master   9m13s   v1.19.0
kube002   NotReady   <none>   4m52s   v1.19.0

kubectl describe node kube001 shows the following error message, meaning that the CNI plugin is not installed yet. The network plugin chosen here is Flannel.

KubeletNotReady runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Install the Flannel network plugin

The network may suffer from DNS pollution. If the URL below is unreachable, you can add an entry to the hosts file by running the following command:

cat >> /etc/hosts <<EOF
199.232.96.133 raw.githubusercontent.com
EOF

Because Kubernetes is designed around running everything as containers, installing the plugin is also very easy:

[root@kube001 ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created

After it succeeds, run the following command on any node and you will see that both the Master node and the Worker node are in the Ready state.

[root@kube002 ~]# kubectl get nodes
NAME      STATUS   ROLES    AGE   VERSION
kube001   Ready    master   15m   v1.19.0
kube002   Ready    <none>   11m   v1.19.0

kubectl taint nodes

By default the Master node is not allowed to schedule and run Pods; this is implemented by marking the node with a taint. For testing, Pods can be allowed on the Master, so run the following command to remove the taint from the Master node.

kubectl taint nodes --all node-role.kubernetes.io/master-

Install the Dashboard

With the steps above, the Kubernetes platform has been installed successfully; look up some basic commands, run them and study the detailed output. Next, install the Kubernetes UI console. First download the Dashboard YAML file locally, because the port mapping and the permission settings in it need to be modified.

curl https://raw.githubusercontent.com/kubernetes/dashboard/v2.2.0/aio/deploy/recommended.yaml >> /opt/dashboard.yml

The specific changes are as follows; you can search for each and replace it. The first change lets you reach the Dashboard UI from the public network: change the Service type to NodePort and specify the port to expose, nodePort: 30000. (Don't forget to open that port in the ECS security group.)

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort

The second change modifies the role of the default user kubernetes-dashboard. Here the Kubernetes built-in top-level administrator role is used directly; never do this in production, where each account's permissions need to be controlled at a finer granularity.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # the Kubernetes built-in role
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

Then create and run it with kubectl apply -f:

[root@kube002 ~]# kubectl apply -f /opt/dashboard.yml 
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created

Get the login Token

Open https://ip:30000 (with ip being the node address); note that you must use https.

A corresponding token is generated for each account and is used to authorize the login:

[root@kube002 ~]# kubectl get secret -n kubernetes-dashboard
NAME                               TYPE                                  DATA   AGE
default-token-fl6wt                kubernetes.io/service-account-token   3      72s
kubernetes-dashboard-certs         Opaque                                0      72s
kubernetes-dashboard-csrf          Opaque                                1      72s
kubernetes-dashboard-key-holder    Opaque                                2      72s
kubernetes-dashboard-token-qsktp   kubernetes.io/service-account-token   3      72s

View the token:

[root@kube002 ~]# kubectl describe secret kubernetes-dashboard-token-qsktp -n kubernetes-dashboard
Name:         kubernetes-dashboard-token-qsktp
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: kubernetes-dashboard
              kubernetes.io/service-account.uid: 8444c0a6-3712-4c33-a926-6ddee6f6dfad

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  20 bytes
token:      <service-account JWT, omitted here>
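As an added example (not part of the original post), the following Python shows what the cluster-admin binding above and this token add up to: it reads the identity claims of a legacy service-account token like the one printed by kubectl describe secret (payload only; the signature is not verified, so this is inspection, not authentication) and resolves that identity against ClusterRoleBindings in the shape of kubectl get clusterrolebindings -o json, so an operator can see that the Dashboard login token is a cluster-admin credential. It also lists every ServiceAccount bound to cluster-admin. SAMPLE_TOKEN and CLUSTER_ROLE_BINDINGS are constructed samples.

```python
import base64
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`: the
# binding from the Dashboard manifest above plus the one Flannel's manifest creates.
CLUSTER_ROLE_BINDINGS = {"items": [
    {"metadata": {"name": "kubernetes-dashboard"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                   "namespace": "kubernetes-dashboard"}]},
    {"metadata": {"name": "flannel"},
     "roleRef": {"kind": "ClusterRole", "name": "flannel"},
     "subjects": [{"kind": "ServiceAccount", "name": "flannel", "namespace": "kube-system"}]},
]}

def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()

# Constructed token carrying the claims a legacy service-account token has; the third
# segment is a placeholder, not a real RS256 signature.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "kid": "sample-kid"}),
    _b64url_encode({"iss": "kubernetes/serviceaccount",
                    "kubernetes.io/serviceaccount/namespace": "kubernetes-dashboard",
                    "kubernetes.io/serviceaccount/service-account.name": "kubernetes-dashboard",
                    "sub": "system:serviceaccount:kubernetes-dashboard:kubernetes-dashboard"}),
    "bm90LWEtcmVhbC1zaWduYXR1cmU"])

def token_identity(token):
    """(sub, namespace, service account) a token claims. Inspection only: the signature is NOT verified."""
    _header, payload, _signature = token.split(".")
    c = json.loads(_b64url_decode(payload))
    return c.get("sub"), c.get("kubernetes.io/serviceaccount/namespace"), c.get("kubernetes.io/serviceaccount/service-account.name")

def cluster_roles_for_token(token, bindings):
    """ClusterRoles granted to the token's service account through ClusterRoleBindings."""
    _, ns, name = token_identity(token)
    return [b["roleRef"]["name"] for b in bindings.get("items", [])
            if any(s.get("kind") == "ServiceAccount" and s.get("namespace") == ns and s.get("name") == name
                   for s in b.get("subjects") or [])]

def service_accounts_bound_to(bindings, role="cluster-admin"):
    """(binding, namespace/name) for every ServiceAccount bound to `role`: what to review before trusting a Dashboard login."""
    return [(b["metadata"]["name"], "%s/%s" % (s.get("namespace", ""), s["name"]))
            for b in bindings.get("items", []) if b["roleRef"].get("name") == role
            for s in b.get("subjects") or [] if s.get("kind") == "ServiceAccount"]
```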

The UI after a successful login (screenshot not included here).

Tear down and rebuild the cluster

kubeadm reset
rm -rf $HOME/.kube

~ END ~

Copyright belongs to the author; contact the author for reprinting or content collaboration.
Platform notice: the article content (including any images or videos) was uploaded and published by the author and represents only the author's own views; Jianshu is an information publishing platform and provides information storage services only.
Reprinting is prohibited; to reprint, contact the author via private message or comment.
