Setting up a k8s environment on Alibaba Cloud with kubeadm
1. Environment preparation
Three CentOS 7.7 machines, each with 2 cores and 4 GB of RAM:
172.29.85.172 master
172.29.85.173 node1
172.29.85.174 node2
Turn off the swap partition and, to keep it from being mounted again at boot, comment out the corresponding entry in /etc/fstab:
sudo swapoff -a
sudo sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab
Make sure the br_netfilter module is loaded; you can check this with lsmod | grep br_netfilter. To load the module explicitly, run
sudo modprobe br_netfilter
For iptables on your Linux nodes to see bridged traffic correctly, net.bridge.bridge-nf-call-iptables must be set to 1 in your sysctl configuration. For example:
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system
yum install docker
service docker start
systemctl enable docker
Install kubelet, kubeadm and kubectl (from a mirror inside China):
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y kubelet-1.20.0 kubeadm-1.20.0 kubectl-1.20.0
systemctl enable kubelet && systemctl start kubelet
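As an added example that is not part of the original post, a POSIX shell script that verifies the swap, br_netfilter and sysctl preparations above. Each check takes a file path so it can be tried on copies of the files, and it covers a caveat of the sed line above: the pattern / swap / only matches space-separated fstab lines, so a tab-separated swap entry is left active.

```shell
#!/bin/sh
# Added example, not from the original post: verify the swap, br_netfilter and
# sysctl preparations from section 1. Each check takes a file path so it can be
# run against copies of the files; the paths in check_node are the usual ones.

# 0 if no uncommented fstab entry has fstype "swap" (field 3, any whitespace).
fstab_swap_disabled() {
  grep -Ev '^[[:space:]]*#' "$1" \
    | awk '$3 == "swap" { found = 1 } END { exit (found ? 1 : 0) }'
}

# Apply the post's sed, then verify it really disabled every swap entry.
# Caveat: "/ swap /" only matches space-separated lines; a tab-separated entry
# survives, which is why the awk check above is run afterwards.
comment_out_swap() {
  sed -i '/ swap / s/^\(.*\)$/#\1/g' "$1" && fstab_swap_disabled "$1"
}

# 0 if br_netfilter is listed in a modules-load.d file.
modules_load_ok() {
  grep -Eq '^[[:space:]]*br_netfilter[[:space:]]*$' "$1"
}

# 0 only if both bridge-nf-call keys are set to 1 (last assignment wins, as in sysctl).
sysctl_bridge_ok() {
  for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
          | tail -n 1)
    [ "$val" = "1" ] || return 1
  done
}

# Run every check against the live node; returns non-zero if anything is off.
check_node() {
  rc=0
  fstab_swap_disabled /etc/fstab || { echo "swap entry still active in /etc/fstab"; rc=1; }
  [ "$(wc -l < /proc/swaps)" -le 1 ] || { echo "swap still on (run swapoff -a)"; rc=1; }
  modules_load_ok /etc/modules-load.d/k8s.conf || { echo "br_netfilter not in modules-load.d"; rc=1; }
  lsmod | grep -q '^br_netfilter' || { echo "br_netfilter not loaded (modprobe br_netfilter)"; rc=1; }
  sysctl_bridge_ok /etc/sysctl.d/k8s.conf || { echo "bridge-nf-call keys are not 1 in sysctl.d"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--live" ]; then check_node; fi
```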
2. Completing the k8s environment
Run init on the master:
kubeadm init --apiserver-advertise-address=172.29.85.172 \
--kubernetes-version=v1.20.0 \
--image-repository registry.aliyuncs.com/google_containers \
--pod-network-cidr=192.168.0.0/16
On success it prints:
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 172.29.85.172:6443 --token ispu5d.urstmwd85q8z5wfv \
--discovery-token-ca-cert-hash sha256:f5a454de94bbd24178a755f6acdd445179f395af7a3ac5e8d0ea0bdbf309dd8b
Carry out the steps from the prompt above:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
export KUBECONFIG=/etc/kubernetes/admin.conf
On the two nodes, join the cluster:
kubeadm join 172.29.85.172:6443 --token ispu5d.urstmwd85q8z5wfv \
--discovery-token-ca-cert-hash sha256:f5a454de94bbd24178a755f6acdd445179f395af7a3ac5e8d0ea0bdbf309dd8b
On the master, run kubectl get nodes to check the join status:
NAME STATUS ROLES AGE VERSION
iz2vc3tquo5tvtf4ik91yez NotReady control-plane,master 2m15s v1.20.4
iz2vc3tquo5tvtf4ik91yfz NotReady <none> 14s v1.20.4
iz2vc3tquo5tvtf4ik91ygz NotReady <none> 8s v1.20.4
Both nodes have joined successfully; their status is NotReady because no pod network has been deployed yet.
Deploy flannel
This URL may time out, so you may want to prepare the file in advance; I have put a copy on Baidu Cloud: https://pan.baidu.com/s/1qty2AVGsLVp19R-o7IdQ-A, extraction code 1234.
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f kube-flannel.yml
Once all of the above is done, run
kubectl get pods -A
and confirm that every component is in the Running state, then run
kubectl get nodes
and confirm that every node is Ready.
3. Installing the dashboard
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.5/aio/deploy/recommended.yaml
kubectl apply -f recommended.yaml
kubectl get pod -n kubernetes-dashboard
The output shows the installation is complete:
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-79c5968bdc-6vr74 1/1 Running 0 2m35s
kubernetes-dashboard-6f65cb5c64-d56rr 1/1 Running 0 2m35s
kubectl get svc -n kubernetes-dashboard
The service is not of type NodePort; change it:
kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kubernetes-dashboard
Check the exposed port:
kubectl get svc -n kubernetes-dashboard
Get the login token:
kubectl get secret --all-namespaces | grep dashboard
Output:
kubernetes-dashboard default-token-zx9th kubernetes.io/service-account-token 3 14m
kubernetes-dashboard kubernetes-dashboard-certs Opaque 0 14m
kubernetes-dashboard kubernetes-dashboard-csrf Opaque 1 14m
kubernetes-dashboard kubernetes-dashboard-key-holder Opaque 2 14m
kubernetes-dashboard kubernetes-dashboard-token-txjwd kubernetes.io/service-account-token 3 14m
Show the token:
kubectl describe secret kubernetes-dashboard-token-txjwd -n kubernetes-dashboard
This returns the token:
Name: kubernetes-dashboard-token-txjwd
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: kubernetes-dashboard
kubernetes.io/service-account.uid: ccb4746a-2f37-43c3-b8cc-8580b148839b
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 20 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6ImJkeFRocWFLa3BYQ1JZcTFuNl9hV0wzQWZBTHhZb0dZc1VhQmVDQVd2M0kifQ.<payload elided>.a7_ps-oQI5uxiiqWE3psRGXznCDwnAFypcgND_huXHDO6REdO9hPLEmyrjsf6RpUOT58kLynGYIu73TCt4dgjqOyp2BQPIQasOl_G2XsxPg_VQxpBLVWgK-9RipjzgTtIuE6RhcTC0c
Use it to log in. Below is an account with admin privileges:
# dashboard account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kube-system
kubectl -n kube-system get secret
kubectl -n kube-system describe secret admin-user-token-wv73
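The admin-user binding above grants cluster-admin, so whoever holds that dashboard token controls the whole cluster. As an added example that is not part of the original post, the same manifest shape bound to the built-in view ClusterRole instead, in the post's heredoc style, plus a screen for manifests that bind cluster-admin; the account name dashboard-viewer and its namespace are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a dashboard login bound to the
# built-in "view" ClusterRole instead of cluster-admin, plus a screen for
# manifests that bind cluster-admin. Account name "dashboard-viewer" is assumed.

readonly_dashboard_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kubernetes-dashboard
EOF
}

# 0 if a manifest on stdin has a roleRef to the cluster-admin ClusterRole
# (true for the post's admin-user manifest, false for the one above).
binds_cluster_admin() {
  awk '/^roleRef:/ { in_ref = 1; next }
       in_ref && /^  name:/ { if ($2 == "cluster-admin") hit = 1; in_ref = 0 }
       END { exit (hit ? 0 : 1) }'
}

# Apply the manifest and show the token secret the way the post does for admin-user
# (on 1.20 the token secret is created automatically for the ServiceAccount).
apply_readonly_dashboard() {
  readonly_dashboard_manifest | kubectl apply -f -
  kubectl -n kubernetes-dashboard get secret \
    | awk '/^dashboard-viewer-token-/ { print $1 }' \
    | xargs -r -n1 kubectl -n kubernetes-dashboard describe secret
}
```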
4. Joining a node when the token has expired (the token generated on the master may have expired)
Create a token:
kubeadm token create
kubeadm token list
Get the sha256 hash of the CA certificate:
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Assemble the join command:
kubeadm join 172.29.85.172:6443 --token o3abha.w5j53w3uwespp64u \
--discovery-token-ca-cert-hash sha256:f5a454de94bbd24178a755f6acdd445179f395af7a3ac5e8d0ea0bdbf309dd8b
After a moment, check that the node is Ready:
kubectl get nodes
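As an added example that is not part of the original post, shell functions that compute the discovery hash from a CA certificate the same way the openssl pipeline above does, and check a join command's token and hash before it is run on a node; the sample token is the one from the post, the certificate path and the helper names are assumptions. The hash is taken over the certificate's DER-encoded Subject Public Key Info rather than the certificate fingerprint, so a value from openssl x509 -fingerprint would not match.

```shell
#!/bin/sh
# Added example, not from the original post: compute kubeadm's discovery hash
# from a CA certificate and check a join command's parameters before running it.

# sha256 over the DER-encoded SubjectPublicKeyInfo of the certificate; this is
# what --discovery-token-ca-cert-hash is compared against (not the cert fingerprint).
# "openssl pkey" replaces the post's "openssl rsa" and also handles EC keys.
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Bootstrap tokens are "<6 chars>.<16 chars>" over [a-z0-9].
valid_token() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The hash argument is "sha256:" followed by 64 lowercase hex characters.
valid_hash() {
  printf '%s\n' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# $1 = path to the control plane's ca.crt, $2 = token, $3 = discovery hash.
# Prints "ok" and returns 0 only if both are well formed and the hash matches the cert.
check_join() {
  valid_token "$2" || { echo "malformed token: $2"; return 1; }
  valid_hash "$3"  || { echo "malformed hash: $3"; return 1; }
  [ "$3" = "sha256:$(ca_cert_hash "$1")" ] || { echo "hash does not match $1"; return 1; }
  echo ok
}

# Print a join command for the given API server from a freshly created token, e.g.
# build_join_cmd 172.29.85.172:6443 /etc/kubernetes/pki/ca.crt (run on the master).
build_join_cmd() {
  token=$(kubeadm token create)
  echo "kubeadm join $1 --token $token --discovery-token-ca-cert-hash sha256:$(ca_cert_hash "$2")"
}
```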