Kubernetes（K8s）（二）——搭建Kubernetes容器集群管理系统

(1).配置说明

节点角色	IP地址	CPU	内存
master、etcd	192.168.128.110	4核	2G
node1/minion1	192.168.128.111	4核	2G
node2/minion2	192.168.128.112	4核	2G

(2).搭建Kubernetes容器集群管理系统

　1）三台主机安装常用的软件包

　　bash-completion可以使得按<Tab>键补齐，vim是vi编辑器的升级版，wget用于下载阿里云的yum源文件。

# yum -y install bash-completion vim wget

　2）三台主机配置阿里云yum源

# mkdir /etc/yum.repos.d/backup
# mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/
# wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
# yum clean all && yum list

　3）修改hosts文件

[root@kube-master ~]# vim /etc/hosts
192.168.128.110 kube-master
192.168.128.110 etcd
192.168.128.111 kube-node1
192.168.128.112 kube-node2
[root@kube-master ~]# scp /etc/hosts 192.168.128.111:/etc/
[root@kube-master ~]# scp /etc/hosts 192.168.128.112:/etc/

　4）在master和etcd节点上安装组件并进行配置

　　首先安装master节点上的K8s组件

[root@kube-master ~]# yum install -y kubernetes etcd flannel ntp

　　关闭防火墙或开启K8s组件相应端口，etcd端口默认2379，网页端口默认8080

[root@kube-master ~]# systemctl stop firewalld && systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

#添加端口方法
[root@kube-master ~]# firewall-cmd --permanent --zone=public --add-port={2379,8080}/tcp
success
[root@kube-master ~]# firewall-cmd --reload
success
[root@kube-master ~]# firewall-cmd --zone=public --list-ports 
2379/tcp 8080/tcp

　　修改etcd的配置文件，并启动查看

[root@kube-master ~]# vim /etc/etcd/etcd.conf
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"　　#第3行，存储数据目录
ETCD_LISTEN_CLIENT_URLS="http://localhost:2379,http://192.168.128.110:2379"　　#第6行，etcd对外服务监听地址，默认端口2379。如果设置为0.0.0.0则监听所有接口
ETCD_NAME="default"　　#第9行，节点名称。如果存储集群只有一个节点，这一项可以注释，默认为default。
ETCD_ADVERTISE_CLIENT_URLS="http://192.168.128.110:2379"　　#第21行
[root@kube-master ~]# systemctl start etcd && systemctl enable etcd
Created symlink from /etc/systemd/system/multi-user.target.wants/etcd.service to /usr/lib/systemd/system/etcd.service.
[root@kube-master ~]# systemctl status etcd
● etcd.service - Etcd Server
   Loaded: loaded (/usr/lib/systemd/system/etcd.service; enabled; vendor preset: disabled)
   Active: active (running) since 二 2020-01-14 14:02:31 CST; 11min ago
 Main PID: 12573 (etcd)
   CGroup: /system.slice/etcd.service
           └─12573 /usr/bin/etcd --name=default --data-dir=/var/lib/etcd/default.etcd --listen-client-urls=http://localhost:2379,http://192.168.128.110:2379

1月 14 14:02:31 kube-master etcd[12573]: raft.node: 8e9e05c52164694d elected leader 8e9e05c52164694d at term 2
1月 14 14:02:31 kube-master etcd[12573]: setting up the initial cluster version to 3.3
1月 14 14:02:31 kube-master etcd[12573]: set the initial cluster version to 3.3
1月 14 14:02:31 kube-master etcd[12573]: enabled capabilities for version 3.3
1月 14 14:02:31 kube-master etcd[12573]: published {Name:default ClientURLs:[http://192.168.128.110:2379]} to cluster cdf818194e3a8c32
1月 14 14:02:31 kube-master etcd[12573]: ready to serve client requests
1月 14 14:02:31 kube-master etcd[12573]: ready to serve client requests
1月 14 14:02:31 kube-master etcd[12573]: serving insecure client requests on 192.168.128.110:2379, this is strongly discouraged!
1月 14 14:02:31 kube-master etcd[12573]: serving insecure client requests on 127.0.0.1:2379, this is strongly discouraged!
1月 14 14:02:31 kube-master systemd[1]: Started Etcd Server.
[root@kube-master ~]# yum -y install net-tools　　#需要使用到网络工具
[root@kube-master ~]# netstat -antup | grep 2379
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      12573/etcd          
tcp        0      0 192.168.128.110:2379    0.0.0.0:*               LISTEN      12573/etcd          
tcp        0      0 192.168.128.110:2379    192.168.128.110:49240   ESTABLISHED 12573/etcd          
tcp        0      0 127.0.0.1:2379          127.0.0.1:35638         ESTABLISHED 12573/etcd          
tcp        0      0 192.168.128.110:49240   192.168.128.110:2379    ESTABLISHED 12573/etcd          
tcp        0      0 127.0.0.1:35638         127.0.0.1:2379          ESTABLISHED 12573/etcd 
[root@kube-master ~]# etcdctl cluster-health　　检查etcd cluster状态
member 8e9e05c52164694d is healthy: got healthy result from http://192.168.128.110:2379
cluster is healthy
[root@kube-master ~]# etcdctl member list　　检查etcd集群成员
8e9e05c52164694d: name=default peerURLs=http://localhost:2380 clientURLs=http://192.168.128.110:2379 isLeader=true

　　修改master的通用配置文件

[root@kube-master ~]# vim /etc/kubernetes/config
KUBE_LOGTOSTDERR="--logtostderr=true"　　#第13行，错误日志是否输出到标准错误，如果不输出到标准错误则记录到文件
KUBE_LOG_LEVEL="--v=0"　　#第16行，日志等级
KUBE_ALLOW_PRIV="--allow-privileged=false"　　#第19行，是否允许运行特权容器，false表示不允许
KUBE_MASTER="--master=http://192.168.128.110:8080"　　#第22行

　　修改API Server的配置文件

[root@kube-master ~]# vim /etc/kubernetes/apiserver
KUBE_API_ADDRESS="--insecure-bind-address=0.0.0.0"　　#第8行，API Server监听所有端口
KUBE_ETCD_SERVERS="--etcd-servers=http://192.168.128.110:2379"　　#第17行，etcd存储地址
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"　　#第20行，IP地址取值范围，提供给Pod和Service
#默认允许接入的模块如下：NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
KUBE_ADMISSION_CONTROL="--admission-control=AlwaysAdmit"　　#第23行，允许哪些模块接入，这里不做限制。
KUBE_API_ARGS=""　　#第26行

　　Controller Manager的配置文件不需要修改，可以查看一下

[root@kube-master ~]# vim /etc/kubernetes/controller-manager
KUBE_CONTROLLER_MANAGER_ARGS=""
[root@kube-master ~]# rpm -qf /etc/kubernetes/controller-manager
kubernetes-master-1.5.2-0.7.git269f928.el7.x86_64

　　修改Scheduler的配置文件

[root@kube-master ~]# vim /etc/kubernetes/scheduler
KUBE_SCHEDULER_ARGS="--address=0.0.0.0"

　　修改flanneld（覆盖网络）的配置文件

[root@kube-master ~]# vim /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://192.168.128.110:2379"　　#第4行，etcd存储地址
FLANNEL_ETCD_PREFIX="/k8s/network"　　#第8行，etcd存储配置目录
FLANNEL_OPTIONS="--iface=ens33"　　#第11行，指定通信物理网卡
[root@kube-master ~]# mkdir -p /k8s/network
[root@kube-master ~]# etcdctl set /k8s/network/config '{"Network":"10.255.0.0/16"}'　　#将IP取值范围填入
{"Network":"10.255.0.0/16"}
[root@kube-master ~]# etcdctl get /k8s/network/config　　#如此一来，后面node节点上运行的flanneld会自动获取docker的IP地址
{"Network":"10.255.0.0/16"}
[root@kube-master ~]# systemctl start flanneld && systemctl enable flanneld
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
Created symlink from /etc/systemd/system/docker.service.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
[root@Kube-master ~]# ip a sh　　#成功
......
3: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.255.29.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::723e:875f:5995:76d0/64 scope link flags 800 
       valid_lft forever preferred_lft forever

　　重启Master上的API Server、Controller Manager和Scheduler，并设置开机自启。注意：可以在每个组件配置完成时单独操作，也可以修改完一次性操作。

[root@kube-master ~]# systemctl restart kube-apiserver kube-controller-manager kube-scheduler
[root@kube-master ~]# systemctl enable kube-apiserver kube-controller-manager kube-scheduler 
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-apiserver.service to /usr/lib/systemd/system/kube-apiserver.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-controller-manager.service to /usr/lib/systemd/system/kube-controller-manager.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-scheduler.service to /usr/lib/systemd/system/kube-scheduler.service.

　5）在node1/minion1节点上安装组件并进行配置

　　首先安装node1/minion1节点上的K8s组件

[root@kube-node1 ~]# yum -y install kubernetes flannel ntp

　　关闭防火墙或开启K8s组件相应端口，kube-proxy默认端口10249，kubelet默认端口10248、10250、10255

[root@kube-node1 ~]# systemctl stop firewalld && systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

　　配置网络，这里采用flanneld（覆盖网络），然后重启flaneld并设置开机自启

[root@kube-node1 ~]# vim /etc/sysconfig/flanneld
FLANNEL_ETCD_ENDPOINTS="http://192.168.128.110:2379"　　#etcd存储地址
FLANNEL_ETCD_PREFIX="/k8s/network"　　#etcd存储目录
FLANNEL_OPTIONS="--iface=ens33"　　#使用通信的物理网卡
[root@Kube-node1 ~]# systemctl restart flanneld && systemctl enable flanneld
Created symlink from /etc/systemd/system/multi-user.target.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.
Created symlink from /etc/systemd/system/docker.service.wants/flanneld.service to /usr/lib/systemd/system/flanneld.service.

　　修改k8s通用配置

[root@kube-node1 ~]# vim /etc/kubernetes/config
KUBE_MASTER="--master=http://192.168.128.110:8080"　　#第22行，指向master节点

　　查看一下kube-proxy，因为默认监听所有IP，所以不用修改。

[root@kube-node1 ~]# grep -v '^#' /etc/kubernetes/proxy
KUBE_PROXY_ARGS=""　　#默认监听所有IP

　　修改kubelet的配置文件。说明：KUBELET_POD_INFRA_CONTAINER指定Pod基础镜像地址。这是一个基础镜像，每个Pod启动时都会启动通过该镜像生成一个容器，如果本地没有这个镜像，那么kubelet将会通过外网下载镜像。

[root@kube-node1 ~]# vim /etc/kubernetes/kubelet
KUBELET_ADDRESS="--address=0.0.0.0"　　#第5行，监听所有IP，因为要使用kubectl远程连接到kubelet，查看Pod及其内的容器状态
KUBELET_HOSTNAME="--hostname-override=kube-node1"　　#第11行，修改为主机名，加快速度
KUBELET_API_SERVER="--api-servers=http://192.168.128.110:8080"　　#第14行，指向API Server
KUBELET_POD_INFRA_CONTAINER="--pod-infra-container-image=registry.access.redhat.com/rhel7/pod-infrastructure:latest"　　#第17行，指定Pod基础镜像地址
KUBELET_ARGS=""　　第20行

　　重启kube-proxy、kubelet和docker（其实都没有启动），并设置开机自启

[root@kube-node1 ~]# systemctl restart kube-proxy kubelet docker
[root@kube-node1 ~]# systemctl enable kube-proxy kubelet docker
Created symlink from /etc/systemd/system/multi-user.target.wants/kube-proxy.service to /usr/lib/systemd/system/kube-proxy.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.

　　检查一下

[root@kube-node1 ~]# ip a sh
......
3: flannel0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1472 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none 
    inet 10.255.42.0/16 scope global flannel0
       valid_lft forever preferred_lft forever
    inet6 fe80::a721:7a65:54ea:c2b/64 scope link flags 800 
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:5c:5b:ae:8c brd ff:ff:ff:ff:ff:ff
    inet 10.255.42.1/24 scope global docker0
       valid_lft forever preferred_lft forever
[root@kube-node1 ~]# yum -y install net-tools
[root@kube-node1 ~]# netstat -antup | grep proxy
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      1473/kube-proxy     
tcp        0      0 192.168.128.111:55342   192.168.128.110:8080    ESTABLISHED 1473/kube-proxy     
tcp        0      0 192.168.128.111:55344   192.168.128.110:8080    ESTABLISHED 1473/kube-proxy
[root@kube-node1 ~]# netstat -antup | grep kubelet
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      1698/kubelet        
tcp        0      0 192.168.128.111:55350   192.168.128.110:8080    ESTABLISHED 1698/kubelet        
tcp        0      0 192.168.128.111:55351   192.168.128.110:8080    ESTABLISHED 1698/kubelet        
tcp        0      0 192.168.128.111:55354   192.168.128.110:8080    ESTABLISHED 1698/kubelet        
tcp        0      0 192.168.128.111:55356   192.168.128.110:8080    ESTABLISHED 1698/kubelet        
tcp6       0      0 :::4194                 :::*                    LISTEN      1698/kubelet        
tcp6       0      0 :::10250                :::*                    LISTEN      1698/kubelet        
tcp6       0      0 :::10255                :::*                    LISTEN 

　6）在node2/minion2节点上安装组件并进行配置

　　重复node1/minion1节点上的操作

　7）测试：在Master节点上查看整个集群的运行状态

[root@kube-master ~]# kubectl get nodes
NAME         STATUS    AGE
kube-node1   Ready     1h
kube-node2   Ready     2m

　　至此K8s容器集群管理系统就搭建完成了，但此时是不能使用Web页面进行管理，只能通过kubectl命令。