One, Rancher deployment
1. Introduction
Rancher is an open source, enterprise-grade container management platform. With Rancher, enterprises no longer have to assemble a series of open source components to build a container service platform from scratch: Rancher provides a full-stack platform for deploying and managing Docker and Kubernetes in production environments.
It lets users work with Rancher without a deep understanding of Kubernetes concepts.
Founded in Silicon Valley in the United States, it has gradually built up its presence in the Chinese market in recent years, and has since been acquired by SUSE.
2. Installation
Version selection:
This document uses version v2.5.2; the installation and configuration process is similar across v2.x versions.
Start directly from the official Rancher image:
$ docker run -d --privileged --name rancher --restart=unless-stopped -p 8080:80 -p 8443:443 -v /opt/rancher/:/var/lib/rancher/ rancher/rancher:v2.5.2
After waiting for the service to start, open https://<host-ip>:8443 on the host to reach the Rancher management interface. On the first visit you are asked to set the administrator password.
Internally, Rancher starts its own k3s cluster, and at the container level it uses containerd directly to manage images and containers:
$ docker exec -ti rancher bash
# kubectl get no
# kubectl get po -A
Two, Rancher basic configuration
1. Login
Set a password, log in, and choose the language in the lower right corner.
2. Add cluster
$ curl --insecure -sfL https://192.168.0.121:8443/v3/import/pwqlqcwlpsjs7pxcvkkswjlfj59lpd4dsr46q5cdqz2frmrf5hd7tt.yaml | kubectl apply -f -
If the download fails, open the URL in a browser and copy the manifest manually:
[root@k8s-master rancher]# cat rancher-all.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
  - nodes/metrics
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cattle
  namespace: cattle-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cattle-admin-binding
  namespace: cattle-system
  labels:
    cattle.io/creator: "norman"
subjects:
- kind: ServiceAccount
  name: cattle
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cattle-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: cattle-credentials-d310755
  namespace: cattle-system
type: Opaque
data:
  url: "aHR0cHM6Ly8xOTIuMTY4LjAuMTIxOjg0NDM="
  token: "cHdxbHFjd2xwc2pzN3B4Y3Zra3N3amxmajU5bHBkNGRzcjQ2cTVjZHF6MmZybXJmNWhkN3R0"
  namespace: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-admin
  labels:
    cattle.io/creator: "norman"
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cattle-cluster-agent
  namespace: cattle-system
spec:
  selector:
    matchLabels:
      app: cattle-cluster-agent
  template:
    metadata:
      labels:
        app: cattle-cluster-agent
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/os
                operator: NotIn
                values:
                - windows
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/controlplane
                operator: In
                values:
                - "true"
          - weight: 1
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/etcd
                operator: In
                values:
                - "true"
      serviceAccountName: cattle
      tolerations:
      - operator: Exists
      containers:
      - name: cluster-register
        imagePullPolicy: IfNotPresent
        env:
        - name: CATTLE_FEATURES
          value: ""
        - name: CATTLE_IS_RKE
          value: "false"
        - name: CATTLE_SERVER
          value: "https://192.168.0.121:8443"
        - name: CATTLE_CA_CHECKSUM
          value: "bdd2bef611a347f4c6a3a031f39e4326bdd46444de330126b1d8f1eba7f72181"
        - name: CATTLE_CLUSTER
          value: "true"
        - name: CATTLE_K8S_MANAGED
          value: "true"
        image: rancher/rancher-agent:v2.5.2
        volumeMounts:
        - name: cattle-credentials
          mountPath: /cattle-credentials
          readOnly: true
        readinessProbe:
          initialDelaySeconds: 2
          periodSeconds: 5
          httpGet:
            path: /health
            port: 8080
      volumes:
      - name: cattle-credentials
        secret:
          secretName: cattle-credentials-d310755
          defaultMode: 320
---
After the cluster is added, check the container status:
[root@k8s-master rancher]# kubectl get po -n cattle-system
NAME                                    READY   STATUS    RESTARTS   AGE
cattle-cluster-agent-5ffd88dd8c-42jjl   1/1     Running   0          38m
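The import manifest is fetched with curl --insecure and piped straight into kubectl apply, so it is worth knowing what it grants before applying it. The following is an added example, not code from the original page or from Rancher: it audits parsed manifest documents, flagging ClusterRoles with wildcard rules, following ClusterRoleBindings to the ServiceAccount a Deployment runs as, noting deprecated RBAC apiVersions, and decoding the Secret to confirm its url matches CATTLE_SERVER. SAMPLE_DOCS is a constructed mirror of the manifest above with a placeholder token; real documents would come from yaml.safe_load_all on the downloaded file.

```python
import base64

def is_wildcard_role(role):
    """True if any rule grants every verb on every resource or every non-resource URL."""
    return any("*" in r.get("verbs", []) and
               ("*" in r.get("resources", []) or "*" in r.get("nonResourceURLs", []))
               for r in role.get("rules", []))

def audit_import_manifest(docs):
    """docs: parsed manifest documents (e.g. from yaml.safe_load_all). Returns findings."""
    kinds = {}
    for d in docs:
        kinds.setdefault(d.get("kind"), []).append(d)
    wildcard = {r["metadata"]["name"] for r in kinds.get("ClusterRole", []) if is_wildcard_role(r)}
    # Follow ClusterRoleBindings to the ServiceAccounts that receive a wildcard role.
    admin_sas = {(s.get("namespace"), s["name"]) for b in kinds.get("ClusterRoleBinding", [])
                 if b["roleRef"]["name"] in wildcard
                 for s in b.get("subjects", []) if s.get("kind") == "ServiceAccount"}
    findings = [f"ClusterRole {n} is cluster-admin-equivalent (wildcard rules)" for n in sorted(wildcard)]
    findings += [f"{d['kind']} {d['metadata']['name']} uses deprecated {d['apiVersion']}"
                 for d in docs if d.get("apiVersion", "").endswith("/v1beta1")]
    servers = set()
    for dep in kinds.get("Deployment", []):
        spec = dep["spec"]["template"]["spec"]
        if (dep["metadata"].get("namespace"), spec.get("serviceAccountName")) in admin_sas:
            findings.append(f"Deployment {dep['metadata']['name']} runs as cluster-admin-equivalent "
                            f"ServiceAccount {spec['serviceAccountName']}")
        servers.update(e["value"] for c in spec.get("containers", [])
                       for e in c.get("env", []) if e.get("name") == "CATTLE_SERVER")
    for sec in kinds.get("Secret", []):
        data = {k: base64.b64decode(v).decode() for k, v in sec.get("data", {}).items()}
        if "token" in data:  # base64 is encoding, not encryption: treat the file as a credential
            findings.append(f"Secret {sec['metadata']['name']} embeds the registration token")
        if "url" in data and data["url"] not in servers:
            findings.append(f"Secret url {data['url']} does not match CATTLE_SERVER {sorted(servers)}")
    return findings

SAMPLE_DOCS = [  # constructed sample mirroring the manifest above; the token is a placeholder
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole", "metadata": {"name": "cattle-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}, {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "cattle-admin-binding"}, "roleRef": {"kind": "ClusterRole", "name": "cattle-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "cattle", "namespace": "cattle-system"}]},
    {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": "cattle-credentials-d310755", "namespace": "cattle-system"},
     "data": {"url": base64.b64encode(b"https://192.168.0.121:8443").decode(),
              "token": base64.b64encode(b"PLACEHOLDER-TOKEN").decode()}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "cattle-cluster-agent", "namespace": "cattle-system"},
     "spec": {"template": {"spec": {"serviceAccountName": "cattle", "containers": [{"name": "cluster-register",
              "env": [{"name": "CATTLE_SERVER", "value": "https://192.168.0.121:8443"}]}]}}}},
]
```

For the Rancher agent these findings are expected, since the agent needs cluster-wide rights to manage the cluster on Rancher's behalf; the point is that the downloaded file carries a live registration token and cluster-admin rights, so handle it as a credential rather than a throwaway download.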
3. Basic use
Several concepts
Cluster
Rancher can manage multiple k8s clusters; a cluster is brought under Rancher's control either by creating it or by importing it. During initialization the cluster deployed by the built-in k3s is connected automatically and named "local".
Project
A logical grouping under a cluster: a cluster can contain multiple projects, and a project can contain multiple namespaces. Initialization creates two projects for each connected cluster:
Default: corresponds to the cluster's default namespace
System: corresponds to the system-level namespaces, including kube-system, kube-public, cattle-system, ingress-nginx, etc.
Namespaces
Correspond to the k8s namespace concept; you can create a namespace directly in a project or move an existing namespace into one.
Permission management
Rancher supports local users and integration with LDAP accounts. User permissions are granted on a per-project basis.