01 Preface
Kubernetes (k8s) is everywhere at the moment, so most readers will have heard of it. What is it? In the narrow sense, Kubernetes is an open-source container cluster management system that automates the deployment, scaling and maintenance of container clusters. Below we try out building a single-node k8s cluster.
This article is reposted from my personal WeChat public account, 天目星; please follow it.
I. Software used and architecture diagram
linux:CentOS 7.5.1804
docker:docker-ce-18.09.1-3
kubectl:kubectl-1.14.1-0
kubelet:kubelet-1.14.1-0
kubeadm:kubeadm-1.14.1-0
II. Installation
1. Install docker-ce
Follow the official Docker documentation; if an old version is present, remove it first:
https://docs.docker.com/install/linux/docker-ce/centos/
$ sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-engine
Install the yum helper packages
$ sudo yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
Add the official Docker repository
$ sudo yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
Install Docker with yum
# list the available docker-ce versions
$ yum list docker-ce --showduplicates | sort -r
# install the Docker version validated for your k8s release
$ sudo yum install docker-ce-<VERSION_STRING>
# we are on k8s 1.14, for which Docker 18.09 is the recommended version
$ sudo yum install docker-ce-18.09.1
2. Install Kubernetes 1.14
Configure the Aliyun yum mirror. Keep gpgcheck and repo_gpgcheck enabled: the packages are still signature-checked, even though the keys themselves are fetched from the same mirror.
cat >/etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
Install the Kubernetes packages
$ yum install -y kubelet-1.14.1 kubeadm-1.14.1 kubectl-1.14.1
kubeadm pulls a set of images during init; list them with the command below. The "could not fetch a Kubernetes version" message only means dl.k8s.io is unreachable; kubeadm then falls back to its own version.
$ sudo kubeadm config images list
I0429 11:43:39.578349 10528 version.go:96] could not fetch a Kubernetes version from the internet: unable to get URL "https://dl.k8s.io/release/stable-1.txt": Get https://dl.k8s.io/release/stable-1.txt: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
I0429 11:43:39.578484 10528 version.go:97] falling back to the local client version: v1.14.1
k8s.gcr.io/kube-apiserver:v1.14.1
k8s.gcr.io/kube-controller-manager:v1.14.1
k8s.gcr.io/kube-scheduler:v1.14.1
k8s.gcr.io/kube-proxy:v1.14.1
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.3.10
k8s.gcr.io/coredns:1.3.1
Without a way around the Great Firewall you cannot pull Google's images, so I have put copies on Docker Hub; fetch them with the script below. Bear in mind that it retags images from a third-party Docker Hub account as k8s.gcr.io/*, so the control plane will run whatever that account pushed; compare the image digests with the originals before trusting them.
#!/bin/bash
# Pull the kubeadm images from a Docker Hub mirror and retag them under the
# k8s.gcr.io names that kubeadm expects.
set -e
KUBE_VERSION=v1.14.1
KUBE_PAUSE_VERSION=3.1
DASHBOARD_VERSION=v1.10.1      # used later by the Web UI section
ETCD_VERSION=3.3.10
CORE_DNS_VERSION=1.3.1
GCR_URL=k8s.gcr.io             # registry name kubeadm looks for
LUN_URL=docker.io/temmokustar  # mirror account on Docker Hub
images=(kube-proxy:${KUBE_VERSION}
kube-scheduler:${KUBE_VERSION}
kube-controller-manager:${KUBE_VERSION}
kube-apiserver:${KUBE_VERSION}
kubernetes-dashboard-amd64:${DASHBOARD_VERSION}
pause:${KUBE_PAUSE_VERSION}
etcd:${ETCD_VERSION}
coredns:${CORE_DNS_VERSION})
for imageName in "${images[@]}"; do
  docker pull "$LUN_URL/$imageName"
  docker tag "$LUN_URL/$imageName" "$GCR_URL/$imageName"
  docker rmi "$LUN_URL/$imageName"
done
Save the script as kubeadm_img_download.sh and run it to download the images
$ bash kubeadm_img_download.sh
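Retagging a mirror's images as k8s.gcr.io/* means trusting that mirror with the whole control plane. The script below is an added example (not part of the original post) of the check a practitioner would want before running it: it refuses to retag an image unless the digest Docker recorded at pull time matches a known-good value. The digests in EXPECTED_DIGESTS are constructed placeholders, not real values; fill them in from `docker inspect` of the same tag pulled on a host that can reach k8s.gcr.io, using the digest of the amd64 image manifest rather than a multi-arch manifest list, since Docker records the digest of what it actually pulled. If the mirror pushed the image unchanged, the two digests are equal.

```shell
#!/bin/bash
# Added example: pull kubeadm images from a mirror and retag them as
# k8s.gcr.io/* only when the digest docker recorded for the pull matches a
# known-good value. Not part of the original post.
set -eu

GCR_URL=k8s.gcr.io
MIRROR_URL=docker.io/temmokustar    # the mirror used by the post's script

# "<image:tag> <digest>" pairs. PLACEHOLDER VALUES: replace them with the real
# digests of the amd64 image manifests taken from k8s.gcr.io.
EXPECTED_DIGESTS='
kube-apiserver:v1.14.1 sha256:0000000000000000000000000000000000000000000000000000000000000001
kube-proxy:v1.14.1     sha256:0000000000000000000000000000000000000000000000000000000000000002
'

# Print the expected digest for image $1; prints nothing if it is not listed.
expected_digest() {
  printf '%s\n' "$EXPECTED_DIGESTS" | awk -v img="$1" '$1 == img { print $2 }'
}

# Succeed only if $2 is a well-formed sha256 digest equal to the expected
# digest for image $1. Images with no recorded digest are rejected as well.
verify_digest() {
  image="$1"; actual="$2"
  want="$(expected_digest "$image")"
  if [ -z "$want" ]; then
    echo "no expected digest recorded for $image" >&2; return 1
  fi
  if ! printf '%s' "$actual" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "malformed digest for $image: $actual" >&2; return 1
  fi
  if [ "$actual" != "$want" ]; then
    echo "digest mismatch for $image: got $actual want $want" >&2; return 1
  fi
}

# Digest docker recorded when it pulled $1 (RepoDigests is "<repo>@sha256:...").
local_digest() {
  docker inspect --format '{{index .RepoDigests 0}}' "$1" | sed 's/.*@//'
}

# Pull each image from the mirror, verify it, and only then give it the
# k8s.gcr.io name. A mismatch aborts the whole run (set -e).
pull_and_verify() {
  for image in "$@"; do
    docker pull "$MIRROR_URL/$image"
    verify_digest "$image" "$(local_digest "$MIRROR_URL/$image")"
    docker tag "$MIRROR_URL/$image" "$GCR_URL/$image"
    docker rmi "$MIRROR_URL/$image"
  done
}

# Usage: ./verify_images.sh kube-apiserver:v1.14.1 kube-proxy:v1.14.1 ...
if [ "$#" -gt 0 ]; then
  pull_and_verify "$@"
fi
```

Run it with the same image list the download script uses; anything not in EXPECTED_DIGESTS is rejected rather than silently accepted, so the list has to be complete before the script is useful.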
Install Kubernetes
Note: this command is only suitable for a test environment (a single, non-HA control plane with default settings)
$ kubeadm init --kubernetes-version=v1.14.1 \
--pod-network-cidr=192.168.0.0/16
Troubleshooting: the command above produced the following errors
[WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service'
Cause: Docker is not enabled at boot; fix it with systemctl enable docker.service
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver.
The recommended driver is "systemd". Please follow the guide at
https://kubernetes.io/docs/setup/cri/
Cause: Docker defaults to the "cgroupfs" driver while k8s recommends "systemd"; add the configuration below and restart the Docker service for it to take effect.
$ vim /etc/docker/daemon.json
### daemon.json ###
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
[ERROR NumCPU]: the number of available CPUs 1 is less than the required 2
Cause: fewer than 2 CPUs are available; give the VM more than one core.
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: \
/proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
Cause: bridged traffic must pass through iptables; create the file below and load it with sysctl --system (the br_netfilter module must be loaded for these keys to exist).
$ cat >> /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
[ERROR Swap]: running with swap on is not supported. Please disable swap
Cause: kubelet refuses to start with swap enabled. Either turn swap off with "swapoff -a" (and comment the swap entry out of /etc/fstab so it stays off) or, on a test box only, tell kubelet to tolerate swap in "/etc/sysconfig/kubelet":
$ cat >/etc/sysconfig/kubelet<<EOF
KUBELET_EXTRA_ARGS=--fail-swap-on=false
EOF
If you ran init without dealing with swap and it failed part-way, a second init fails preflight because the first attempt left its manifests, etcd data and listening ports behind; reset with the command further below.
[WARNING Swap]: running with swap on is not supported. Please disable swap
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR Port-6443]: Port 6443 is in use
[ERROR Port-10251]: Port 10251 is in use
[ERROR Port-10252]: Port 10252 is in use
[ERROR FileAvailable--etc-kubernetes-manifests-kube-apiserver.yaml]: /etc/kubernetes/manifests/kube-apiserver.yaml already exists
[ERROR FileAvailable--etc-kubernetes-manifests-kube-controller-manager.yaml]: /etc/kubernetes/manifests/kube-controller-manager.yaml already exists
[ERROR FileAvailable--etc-kubernetes-manifests-kube-scheduler.yaml]: /etc/kubernetes/manifests/kube-scheduler.yaml already exists
[ERROR FileAvailable--etc-kubernetes-manifests-etcd.yaml]: /etc/kubernetes/manifests/etcd.yaml already exists
[ERROR Port-10250]: Port 10250 is in use
[ERROR Port-2379]: Port 2379 is in use
[ERROR Port-2380]: Port 2380 is in use
[ERROR DirAvailable--var-lib-etcd]: /var/lib/etcd is not empty
Roll back with
$ kubeadm reset
[reset] Are you sure you want to proceed? [y/N]: y
Run the install command again
# swap left on (test only: kubelet is told to ignore it)
$ kubeadm init --kubernetes-version=v1.14.1 \
--pod-network-cidr=192.168.0.0/16 \
--ignore-preflight-errors=Swap
# swap turned off
$ kubeadm init --kubernetes-version=v1.14.1 \
--pod-network-cidr=192.168.0.0/16
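The preflight fixes above are one-off edits spread over several files, and each failed init costs a reset. The script below is an added example (not the post's own code) that applies all of them in one pass as root when run with APPLY=1, and keeps the individual checks as functions that take a file path, so they can be re-run against the live host before each init or exercised on constructed input. It also enables kubelet, which kubeadm otherwise warns about. The APPLY switch and the function names are this example's conventions.

```shell
#!/bin/bash
# Added example: fix the kubeadm preflight findings from this post in one
# pass and keep the checks as re-runnable functions. Not the post's own code.
# Check functions take file paths so they can be exercised on constructed
# input; with no argument they read the live host.
set -eu

# IsDockerSystemdCheck: switch Docker to the systemd cgroup driver.
write_docker_daemon_json() {
  path="${1:-/etc/docker/daemon.json}"
  mkdir -p "$(dirname "$path")"
  cat > "$path" <<'EOF'
{
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
}

# Succeeds if the `docker info` output saved in file $1 reports systemd.
check_docker_cgroup_driver() {
  grep -q '^ *Cgroup Driver: systemd$' "$1"
}

# FileContent--proc-sys-net-bridge-*: both bridge-nf keys must be 1.
# $1 is a /proc/sys-style root directory.
check_bridge_nf() {
  root="${1:-/proc/sys}"; rc=0
  for key in net/bridge/bridge-nf-call-iptables net/bridge/bridge-nf-call-ip6tables; do
    if [ "$(cat "$root/$key" 2>/dev/null || true)" != "1" ]; then
      echo "$key is not 1 (is br_netfilter loaded?)" >&2; rc=1
    fi
  done
  return "$rc"
}

# Swap: no active swap device in a /proc/swaps-style file ($1).
check_swap_off() {
  swaps="${1:-/proc/swaps}"
  [ "$(awk 'NR > 1 && NF { n++ } END { print n + 0 }' "$swaps")" -eq 0 ]
}

# NumCPU: kubeadm requires at least 2 CPUs ($1 overrides nproc for testing).
check_cpu_count() {
  [ "${1:-$(nproc)}" -ge 2 ]
}

# Apply every fix. Needs root; the fstab edit keeps swap off after reboot,
# and kubelet is enabled too, since kubeadm warns when it is not.
apply_fixes() {
  write_docker_daemon_json
  systemctl enable docker.service kubelet.service
  systemctl restart docker.service
  cat > /etc/sysctl.d/k8s.conf <<'EOF'
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
  modprobe br_netfilter
  sysctl --system
  swapoff -a
  sed -ri '/[[:space:]]swap[[:space:]]/s/^#?/#/' /etc/fstab
}

# Usage: APPLY=1 ./kubeadm-preflight.sh   (as root), then run kubeadm init.
if [ "${APPLY:-0}" = "1" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  apply_fixes
  docker info > /tmp/docker-info.txt
  check_docker_cgroup_driver /tmp/docker-info.txt
  check_bridge_nf
  check_swap_off
  check_cpu_count
fi
```

With swap genuinely off and the checks passing, the plain `kubeadm init` form (without --ignore-preflight-errors=Swap) is the one to use; the ignore flag only papers over a state kubelet is not designed for.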
Installation finished
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.159.20:6443 --token 2y6zki.nal9wmjyepftfopr \
--discovery-token-ca-cert-hash sha256:cd6a642f1d5fbc194facbed2c64885bdf34d0f737d77ea906e4f74801946657d
Default configuration. Note that the kubeadm join line printed above carries a bootstrap token (valid for 24 hours by default) and the CA hash; anyone holding it can join a node to this cluster, so treat that output as sensitive.
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
Check the cluster status
$ kubectl get componentstatus
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true"}
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
node1 NotReady master 35m v1.14.1
Configure networking
Common Kubernetes network plugins include Flannel, Weave, Open vSwitch and Calico; we use Calico here.
Calico: a layer-3 networking model that uses BGP to give every Pod a simple, scalable, distributed and secure virtual network. Calico also runs on almost every cloud platform.
# inspect the system pods
$ kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE
coredns-fb8b8dccf-56smx 0/1 Pending 0 20m <none> <none>
coredns-fb8b8dccf-6dzng 0/1 Pending 0 20m <none> <none>
etcd-node1 1/1 Running 0 19m 192.168.159.20 node1
kube-apiserver-node1 1/1 Running 0 19m 192.168.159.20 node1
kube-controller-manager-node1 1/1 Running 0 19m 192.168.159.20 node1
kube-proxy-t5snk 1/1 Running 0 20m 192.168.159.20 node1
kube-scheduler-node1 1/1 Running 0 20m 192.168.159.20 node1
coredns is stuck Pending because no network plugin is installed yet.
Install Calico. The v3.6 manifest below defaults to the pod CIDR 192.168.0.0/16, which is why init was given --pod-network-cidr=192.168.0.0/16; if you chose a different CIDR, edit CALICO_IPV4POOL_CIDR in the manifest to match.
$ kubectl apply -f \
https://docs.projectcalico.org/v3.6/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml
Wait a moment, then query again to confirm everything is running
$ kubectl get pod -n kube-system -o wide
NAME READY STATUS RESTARTS AGE IP NODE
calico-node-fpcwh 1/1 Running 0 4m23s 192.168.159.20 node1
coredns-fb8b8dccf-56smx 1/1 Running 0 31m 10.1.0.2 node1
coredns-fb8b8dccf-6dzng 1/1 Running 0 31m 10.1.0.3 node1
etcd-node1 1/1 Running 0 30m 192.168.159.20 node1
kube-apiserver-node1 1/1 Running 0 30m 192.168.159.20 node1
kube-controller-manager-node1 1/1 Running 0 30m 192.168.159.20 node1
kube-proxy-t5snk 1/1 Running 0 31m 192.168.159.20 node1
kube-scheduler-node1 1/1 Running 0 31m 192.168.159.20 node1
By default the master node is tainted so that ordinary workloads are not scheduled on it. This example is a single machine, so the taint has to be removed.
# MasterHostname is the master node's name
$ kubectl taint node <MasterHostname> node-role.kubernetes.io/master-
# to restore the default, re-add the taint (kubectl taint requires an effect; kubeadm uses NoSchedule)
$ kubectl taint node <MasterHostname> node-role.kubernetes.io/master:NoSchedule
Tip: kubectl has a great many subcommands; the "bash-completion" package gives tab completion.
$ yum install bash-completion
This makes it take effect immediately, with no need to log out and back in
$ source /usr/share/bash-completion/bash_completion
Load kubectl completion
$ source <(kubectl completion bash)
Write it into .bashrc so it is permanent for this user
$ echo "source <(kubectl completion bash)" >> ~/.bashrc
Deploy a test object
$ kubectl create deployment nginx --image nginx
$ kubectl get deployment
NAME READY UP-TO-DATE AVAILABLE AGE
nginx 1/1 1 1 22m
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-5bc6fc8b66-tnnqn 1/1 Running 0 23m
Install the Web UI (Dashboard)
Official docs: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
# add the add-on. This URL points at the master branch, which is not pinned; the image mirrored earlier is dashboard v1.10.1, so if master has moved on use the manifest from that tag instead: https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
$ kubectl apply -f \
https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
Ways to reach the Web UI
Method one
# kubectl proxy; by default it listens on localhost only, so only this machine can log in
$ kubectl proxy
# login URL
http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
Method two
# NodePort: edit the service
$ kubectl -n kube-system edit service kubernetes-dashboard
#
change "type: ClusterIP" to "type: NodePort"
#
# find the port that was opened
kubectl -n kube-system get service kubernetes-dashboard
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.1.0.28 <none> 443:32316/TCP 1h
# login URL: a NodePort is reachable on every node's own address (not the cluster IP), so this exposes the dashboard, with its self-signed certificate, to the whole network
https://<node-ip>:32316
Method three
# through the API server, which needs a client certificate
#
# extract client-certificate-data (use > rather than >>, so a repeated run does not append a second copy)
$ grep 'client-certificate-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.crt
# extract client-key-data
$ grep 'client-key-data' ~/.kube/config | head -n 1 | awk '{print $2}' | base64 -d > kubecfg.key
# bundle them into a PKCS#12 file (openssl prompts for an export password; set one, this is the cluster-admin credential)
openssl pkcs12 -export -clcerts -inkey kubecfg.key -in kubecfg.crt -out kubecfg.p12 -name "kubernetes-client"
# copy the .p12 to your workstation and import it into the browser, then delete kubecfg.key and the .p12 from the server
# login URL
https://<master-ip>:<apiserver-port>/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/
This post mainly uses method three to log in
My URL: https://192.168.159.20:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login
The browser pops up a certificate chooser; select the certificate and confirm
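Method three hands a browser the kubeadm admin credential: the `kubernetes-admin` user in admin.conf is a member of system:masters, so the extracted key deserves more care than a world-readable file in the current directory. The script below is an added example, not the post's commands: it reads the user's certificate and key out of the kubeconfig with awk (kubeadm's flat layout, no extra tools), writes them with umask 077, prints the certificate's subject and expiry so you can confirm whose credential it is, builds the PKCS#12, and removes the bare key. The user name and output directory are parameters; the only assumption is the kubeconfig layout kubeadm writes.

```shell
#!/bin/bash
# Added example: extract a kubeconfig user's client certificate and key into
# a PKCS#12 bundle for a browser, with private file permissions and a check
# of the identity the certificate carries. Not the post's own commands.
# Assumes the flat kubeconfig layout kubeadm writes; user name and output
# directory are parameters.
set -eu

# Print the base64-decoded value of field $2 (client-certificate-data or
# client-key-data) for user $3 in kubeconfig $1. Prints nothing if absent.
kubeconfig_user_field() {
  awk -v field="$2:" -v user="$3" '
    /^- name: / { current = $3 }                   # list entry under clusters:/contexts:/users:
    $1 == field && current == user { print $2; exit }
  ' "$1" | base64 -d
}

# Write kubecfg.crt, kubecfg.key and kubecfg.p12 under directory $1 for
# user $2 (default kubernetes-admin) of kubeconfig $3 (default ~/.kube/config).
export_client_p12() {
  dir="$1"; user="${2:-kubernetes-admin}"; cfg="${3:-$HOME/.kube/config}"
  (
    umask 077                         # the key is a cluster-admin credential
    mkdir -p "$dir"
    kubeconfig_user_field "$cfg" client-certificate-data "$user" > "$dir/kubecfg.crt"
    kubeconfig_user_field "$cfg" client-key-data "$user" > "$dir/kubecfg.key"
    [ -s "$dir/kubecfg.crt" ] || { echo "no certificate for user $user in $cfg" >&2; exit 1; }
    # whose credential is this, and how long is it valid? kubeadm's admin cert
    # shows O = system:masters, CN = kubernetes-admin
    openssl x509 -in "$dir/kubecfg.crt" -noout -subject -enddate
    # prompts for an export password; the .p12 is what gets copied to the workstation
    openssl pkcs12 -export -clcerts -inkey "$dir/kubecfg.key" -in "$dir/kubecfg.crt" \
      -out "$dir/kubecfg.p12" -name "kubernetes-client"
    rm -f "$dir/kubecfg.key"          # only the password-protected bundle should remain
  )
}

# Usage: ./export-p12.sh export /root/dashboard-cert [user] [kubeconfig]
if [ "${1:-}" = "export" ]; then
  shift
  export_client_p12 "$@"
fi
```

If the subject line does not show O = system:masters, the kubeconfig is not kubeadm's admin.conf and the browser will get whatever that user is allowed to do, which is the point of looking before importing.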
Configure the account and permissions for logging in to the Web UI
Create a service account
$ vim admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
Apply it to k8s
$ kubectl apply -f admin-user.yaml
Grant the account permissions (cluster-admin here; in production, assign only the permissions that are actually needed)
$ vim dashboard-adminuser.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
Apply it to k8s
$ kubectl apply -f dashboard-adminuser.yaml
Query the token with the following command (look the secret up through the service account rather than grepping for "admin-user", which would also match any other secret with that substring). The token is a long-lived bearer credential with cluster-admin rights, so handle it like a password.
$ kubectl -n kube-system describe secret \
$(kubectl -n kube-system get sa admin-user -o jsonpath='{.secrets[0].name}')
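The binding above grants the dashboard account cluster-admin, which the post itself says is only acceptable outside production. Below is an added example (not the post's manifests) that renders the same ServiceAccount plus ClusterRoleBinding with the role as a parameter, defaulting to the built-in read-only `view` ClusterRole, and refuses cluster-admin unless ALLOW_CLUSTER_ADMIN=1 is set. The account name dashboard-viewer, the subcommands and the ALLOW_CLUSTER_ADMIN switch are this example's conventions.

```shell
#!/bin/bash
# Added example: render the dashboard login account and its ClusterRoleBinding
# with the role as a parameter, defaulting to the read-only "view" role.
# Not the post's own manifests. Account name and the ALLOW_CLUSTER_ADMIN
# switch are this example's conventions.
set -eu

# Print a ServiceAccount $1 in namespace $2 plus a ClusterRoleBinding to
# ClusterRole $3. Refuses cluster-admin unless ALLOW_CLUSTER_ADMIN=1.
render_dashboard_rbac() {
  sa="$1"; ns="$2"; role="$3"
  if [ "$role" = "cluster-admin" ] && [ "${ALLOW_CLUSTER_ADMIN:-0}" != "1" ]; then
    echo "refusing to bind $sa to cluster-admin; set ALLOW_CLUSTER_ADMIN=1 on a throwaway test cluster" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${sa}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
- kind: ServiceAccount
  name: ${sa}
  namespace: ${ns}
EOF
}

# Print the bearer token of ServiceAccount $1 in namespace $2 (Kubernetes 1.14
# creates the token secret automatically; look it up by name, not by grep).
dashboard_token() {
  secret="$(kubectl -n "$2" get sa "$1" -o jsonpath='{.secrets[0].name}')"
  kubectl -n "$2" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
  echo
}

# Usage:
#   ./dashboard-rbac.sh render [clusterrole] | kubectl apply -f -
#   ./dashboard-rbac.sh token
if [ "${1:-}" = "render" ]; then
  render_dashboard_rbac dashboard-viewer kube-system "${2:-view}"
elif [ "${1:-}" = "token" ]; then
  dashboard_token dashboard-viewer kube-system
fi
```

With the `view` role the dashboard can list and describe workloads but cannot read secrets or change anything, which is what a shared login should get; the `edit` ClusterRole is the next step up if the dashboard is actually used to deploy.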
Enter the token you found
Logged in successfully
Done.