分享交流
合作共赢!

Kubernetes/K8S基础使用方法总结【一】——安装部署

安装部署Kubernetes/K8S前提条件:

  • 准备好系统环境(需linux内核版本较高);
  • 所有master和node主机需要安装docker、kubeadm、kubectl和kubelet程序并启动服务;
  • master主机执行kubeadm初始化操作,其余节点执行加入操作即可构成集群;

一、系统环境要求:

1.各节点配置时间同步

通过安装chrony与网络时间同步

[root@master1 ~]# yum install chrony -y

2.主机名称解析

编辑/etc/hosts文件,添加主机名解析记录

3.关闭防火墙

关闭iptables或ufw或firewalld相关服务

[root@master1 ~]# systemctl stop firewalld
[root@master1 ~]# systemctl disable firewalld
Ubuntu系统:
root@master2:~# ufw disable
Firewall stopped and disabled on system startup

4.禁用SELinx

getenforce或sestatus查看selinux状态

[root@master1 ~]# getenforce
Enforcing
[root@master1 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 31

编辑/etc/sysconfig/selinux的SELINUX=enforcing选项,使SELINUX的值为disabled,重启服务器生效;若不想重启可临时设置如下:

[root@master1 ~]# setenforce
usage: setenforce [ Enforcing | Permissive | 1 | 0 ]
[root@master1 ~]# setenforce 0

5.禁用Swap设备;

swapoff -a
然后,在/etc/fstab中注释掉swap挂载记录行

6.配置bridge-nf-call-iptables

设置/proc/sys/net/bridge/bridge-nf-call-iptables和/proc/sys/net/bridge/bridge-nf-call-ip6tables文件内容为1,创建/etc/sysctl.d/k8s.conf文件,并添加如下内容:

vm.swappiness = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1

sysctl -p /etc/sysctl.d/k8s.conf  # 使配置生效

二、安装应用程序

所有主机需执行相同的操作

1.安装docker

查看:Docker安装部署方法总结【二】

2.Docker配置

各节点安装并启用Docker容器运行时,配置好容器加速服务;

  • 建议使用阿里云容器加速;
  • 需要制定cgroup驱动为systemd;
{
  "exec-opts":["native.cgroupdriver=systemd"],
  "log-driver":"json-file",
  "log-opts":{
    "max-size":"100m"
  },
  "storage-driver":"overlay2",
  "registry-mirrors": ["https://ubylzbxo.mirror.aliyuncs.com","https://docker.mirrors.ustc.edu.cn","https://registry.docker-cn.com"]
}

配置生效

配置完docker配置文件,需要daemon-reload和重启docker生效,可以用docker info命令查看

[root@master1 ~]# systemctl daemon-reload
[root@master1 ~]# systemctl restart docker

3.安装kubeadm、kubectl和kubelet;

由于kubenetes使用Google主导研发,所有程序镜像包大陆无法访问(如gcr.io),只能通过内陆的某些比如阿里巴巴和清华大学镜像来获取。阿里巴巴k8s镜像访问点击这里查看,根据提示进行配置,然后进行安装。

参考资料:

1.For Debian/Ubuntu

apt-get update && apt-get install -y apt-transport-https
curl https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add - 
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb https://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl  # 默认安装当前最新版本
root@master2:/etc/docker# apt-get install -y kubectl=1.18.1-00 kubeadm=1.18.1-00 kubelet=1.18.1-00  # 安装指定版本程序

2.For CentOS / RHEL / Fedora

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet  # 默认安装最新版本软件
[root@node1 system]# yum install -y kubectl-1.18.1 kubeadm-1.18.1 kubelet-1.18.1 # 安装指定版本的软件包

ps: 由于官网未开放同步方式, 可能会有索引gpg检查失败的情况, 这时请用 yum install -y --nogpgcheck kubelet kubeadm kubectl 安装

4.设置开机自启动

root@master2:~# systemctl enable docker kubelet

三、初始化控制平面

1..初始化命令选项查看帮助

[root@master1 lib]# kubeadm init --help
Run this command in order to set up the Kubernetes control plane

The "init" command executes the following phases:
```
preflight Run pre-flight checks
kubelet-start Write kubelet settings and (re)start the kubelet
certs Certificate generation
/ca Generate the self-signed Kubernetes CA to provision identities for other Kubernetes components
/apiserver Generate the certificate for serving the Kubernetes API
/apiserver-kubelet-client Generate the certificate for the API server to connect to kubelet
/front-proxy-ca Generate the self-signed CA to provision identities for front proxy
/front-proxy-client Generate the certificate for the front proxy client
/etcd-ca Generate the self-signed CA to provision identities for etcd
/etcd-server Generate the certificate for serving etcd
/etcd-peer Generate the certificate for etcd nodes to communicate with each other
/etcd-healthcheck-client Generate the certificate for liveness probes to healthcheck etcd
/apiserver-etcd-client Generate the certificate the apiserver uses to access etcd
/sa Generate a private key for signing service account tokens along with its public key
kubeconfig Generate all kubeconfig files necessary to establish the control plane and the admin kubeconfig file
/admin Generate a kubeconfig file for the admin to use and for kubeadm itself
/kubelet Generate a kubeconfig file for the kubelet to use *only* for cluster bootstrapping purposes
/controller-manager Generate a kubeconfig file for the controller manager to use
/scheduler Generate a kubeconfig file for the scheduler to use
control-plane Generate all static Pod manifest files necessary to establish the control plane
/apiserver Generates the kube-apiserver static Pod manifest
/controller-manager Generates the kube-controller-manager static Pod manifest
/scheduler Generates the kube-scheduler static Pod manifest
etcd Generate static Pod manifest file for local etcd
/local Generate the static Pod manifest file for a local, single-node local etcd instance
upload-config Upload the kubeadm and kubelet configuration to a ConfigMap
/kubeadm Upload the kubeadm ClusterConfiguration to a ConfigMap
/kubelet Upload the kubelet component config to a ConfigMap
upload-certs Upload certificates to kubeadm-certs
mark-control-plane Mark a node as a control-plane
bootstrap-token Generates bootstrap tokens used to join a node to a cluster
kubelet-finalize Updates settings relevant to the kubelet after TLS bootstrap
/experimental-cert-rotation Enable kubelet client certificate rotation
addon Install required addons for passing Conformance tests
/coredns Install the CoreDNS addon to a Kubernetes cluster
/kube-proxy Install the kube-proxy addon to a Kubernetes cluster
```
Usage:
  kubeadm init [flags]
  kubeadm init [command]

Available Commands:
  phase       Use this command to invoke single phase of the init workflow

Flags:
      --apiserver-advertise-address string   The IP address the API Server will advertise it's listening on. If not set the default network interface will be used.
      --apiserver-bind-port int32            Port for the API Server to bind to. (default 6443)
      --apiserver-cert-extra-sans strings    Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
      --cert-dir string                      The path where to save and store the certificates. (default "/etc/kubernetes/pki")
      --certificate-key string               Key used to encrypt the control-plane certificates in the kubeadm-certs Secret.
      --config string                        Path to a kubeadm configuration file.
      --control-plane-endpoint string        Specify a stable IP address or DNS name for the control plane.
      --cri-socket string                    Path to the CRI socket to connect. If empty kubeadm will try to auto-detect this value; use this option only if you have more than one CRI installed or if you have non-standard CRI socket.
      --dry-run                              Don't apply any changes; just output what would be done.
  -k, --experimental-kustomize string        The path where kustomize patches for static pod manifests are stored.
      --feature-gates string                 A set of key=value pairs that describe feature gates for various features. Options are:
                                             IPv6DualStack=true|false (ALPHA - default=false)
                                             PublicKeysECDSA=true|false (ALPHA - default=false)
  -h, --help                                 help for init
      --ignore-preflight-errors strings      A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
      --image-repository string              Choose a container registry to pull control plane images from (default "k8s.gcr.io")
      --kubernetes-version string            Choose a specific Kubernetes version for the control plane. (default "stable-1")
      --node-name string                     Specify the node name.
      --pod-network-cidr string              Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
      --service-cidr string                  Use alternative range of IP address for service VIPs. (default "10.96.0.0/12")
      --service-dns-domain string            Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")
      --skip-certificate-key-print           Don't print the key used to encrypt the control-plane certificates.
      --skip-phases strings                  List of phases to be skipped
      --skip-token-print                     Skip printing of the default bootstrap token generated by 'kubeadm init'.
      --token string                         The token to use for establishing bidirectional trust between nodes and control-plane nodes. The format is [a-z0-9]{6}\.[a-z0-9]{16} - e.g. abcdef.0123456789abcdef
      --token-ttl duration                   The duration before the token is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token will never expire (default 24h0m0s)
      --upload-certs                         Upload control-plane certificates to the kubeadm-certs Secret.

Global Flags:
      --add-dir-header           If true, adds the file directory to the header
      --log-file string          If non-empty, use this log file
      --log-file-max-size uint   Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
      --rootfs string            [EXPERIMENTAL] The path to the 'real' host root filesystem.
      --skip-headers             If true, avoid header prefixes in the log messages
      --skip-log-headers         If true, avoid headers when opening log files
  -v, --v Level                  number for the log level verbosity

Use "kubeadm init [command] --help" for more information about a command.

2.开始初始化

初始化命令(可根据如下选项释义和自己实际情况进行修改)

您暂时无权查看此隐藏内容!

初始化成功会有如下提示(包括安装环境预检、生成证书、私钥、配置文件、pod清单文件、部署addon等过程):

W0514 16:26:38.198975 3142 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
[init] Using Kubernetes version: v1.18.1
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [master1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local k8s-api.ilinux.io] and IPs [10.96.0.1 192.168.222.150]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [master1 localhost] and IPs [192.168.222.150 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [master1 localhost] and IPs [192.168.222.150 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
W0514 16:28:24.490184 3142 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[control-plane] Creating static Pod manifest for "kube-scheduler"
W0514 16:28:24.494827 3142 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 28.512491 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.18" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node master1 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node master1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: ezl1f1.ha4fc5werojbu359
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

kubeadm join k8s-api.ilinux.io:6443 --token ezl1f1.ha4fc5werojbu359 \
--discovery-token-ca-cert-hash sha256:c84d70dd5e0ce8f9305f09955c524a8aac9bb189445b58d026dba78d9981ed43 \
--control-plane

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join k8s-api.ilinux.io:6443 --token ezl1f1.ha4fc5werojbu359 \
--discovery-token-ca-cert-hash sha256:c84d70dd5e0ce8f9305f09955c524a8aac9bb189445b58d026dba78d9981ed43

初始化成功后操作

安装提示执行提示要执行的命令即可:

[root@master1 opt]# mkdir -p $HOME/.kube
[root@master1 opt]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@master1 opt]# chown $(id -u):$(id -g) $HOME/.kube/config
[root@master1 opt]# ll -h $HOME/.kube/config 
-rw------- 1 root root 5.4K May 14 16:58 /root/.kube/config

node加入集群

在node节点执行命令,使其添加到集群中:

[root@node1 system]# kubeadm join k8s-api.ilinux.io:6443 --token ezl1f1.ha4fc5werojbu359 \
> --discovery-token-ca-cert-hash sha256:c84d70dd5e0ce8f9305f09955c524a8aac9bb189445b58d026dba78d9981ed43
W0514 17:42:23.395760    4416 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set.
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.18" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

四、安装网络插件Flannel

1.Flannel在Github上的项目

地址:  https://github.com/coreos/flannel

2.开始安装部署flannel

[root@master1 opt]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

可能由于国内网络被qiang等原因,很难下载kube-flannel.yml和pull到flannel镜像。本人费九牛二虎之力用global服务器下载了kube-flannel.yml和pull到相关镜像,然后docker save打包为一个文件导入所需服务器load后即可使用,做如下操作记录:

[root@ecs-e84a ~]# docker pull quay.io/coreos/flannel:v0.12.0-arm64 && \
> docker pull quay.io/coreos/flannel:v0.12.0-arm && \
> docker pull quay.io/coreos/flannel:v0.12.0-ppc64le && \
> docker pull quay.io/coreos/flannel:v0.12.0-s390x
v0.12.0-arm64: Pulling from coreos/flannel
8fa90b21c985: Pull complete 
c4b41df13d81: Pull complete 
a73758d03943: Pull complete 
d09921139b63: Pull complete 
17ca61374c07: Pull complete 
6da2b4782d50: Pull complete 
Digest: sha256:a2f5081b71ee4688d0c7693d7e5f2f95e9eea5ea3b4147a12179f55ede42c185
Status: Downloaded newer image for quay.io/coreos/flannel:v0.12.0-arm64
quay.io/coreos/flannel:v0.12.0-arm64
v0.12.0-arm: Pulling from coreos/flannel
832e07764099: Pull complete 
d0888001d791: Pull complete 
f0e1b4ffe531: Pull complete 
a0af26dd2937: Pull complete 
8701ece6be98: Pull complete 
bf9c02e8240d: Pull complete 
Digest: sha256:ca8249ab50424e07d15298a2fda29003be3fd930750565d7b068b5ef9d36bd53
Status: Downloaded newer image for quay.io/coreos/flannel:v0.12.0-arm
quay.io/coreos/flannel:v0.12.0-arm
v0.12.0-ppc64le: Pulling from coreos/flannel
cd95c8a93e39: Pull complete 
324d08c752b6: Pull complete 
7e5cf18f4805: Pull complete 
eef736355019: Pull complete 
9d84e68c2ffe: Pull complete 
aeb40b202208: Pull complete 
Digest: sha256:28314b287f84b62f62e2bdb30e0cdba17ac97dd4822efb4664a7391637b0f052
Status: Downloaded newer image for quay.io/coreos/flannel:v0.12.0-ppc64le
quay.io/coreos/flannel:v0.12.0-ppc64le
v0.12.0-s390x: Pulling from coreos/flannel
176bad61a3a4: Pull complete 
13b80a37370b: Pull complete 
42d8e66fa893: Pull complete 
266247e2e603: Pull complete 
1b56fbc8a8e1: Pull complete 
85ecb68de469: Pull complete 
Digest: sha256:3ce5b8d40451787e1166bf6b207c7834c13f7a0712b46ddbfb591d8b5906bfa6
Status: Downloaded newer image for quay.io/coreos/flannel:v0.12.0-s390x
quay.io/coreos/flannel:v0.12.0-s390x
[root@ecs-e84a ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
quay.io/coreos/flannel v0.12.0-s390x 57eade024bfb 2 months ago 56.9MB
quay.io/coreos/flannel v0.12.0-ppc64le 9225b871924d 2 months ago 70.3MB
quay.io/coreos/flannel v0.12.0-arm64 7cf4a417daaa 2 months ago 53.6MB
quay.io/coreos/flannel v0.12.0-arm 767c3d1f8cba 2 months ago 47.8MB
quay.io/coreos/flannel v0.12.0-amd64 4e9f801d2217 2 months ago 52.8MB
[root@ecs-e84a flannel]# docker save quay.io/coreos/flannel:v0.12.0-amd64 quay.io/coreos/flannel:v0.12.0-arm64 quay.io/coreos/flannel:v0.12.0-arm quay.io/coreos/flannel:v0.12.0-ppc64le quay.io/coreos/flannel:v0.12.0-s390x -o flannelv0.12.0.tar
[root@ecs-e84a flannel]# ll -h
total 274M
-rw------- 1 root root 274M May 15 22:24 flannelv0.12.0.tar

查看node几点状态,如下显示Ready表示集群正常,K8S已安装成功!(k8s的相关管理和操作使用等请参考其他相关文章…)

[root@master1 flannel]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready master 2d5h v1.18.1
node1 Ready <none> 9h v1.18.1
node2 Ready <none> 2d4h v1.18.1

 

内容查看价格4.99立即支付
注意:本站资源多为网络收集,如涉及版权问题请及时与站长联系,我们会在第一时间内与您协商解决。如非特殊说明,本站所有资源解压密码均为:zhangqiongjie.com。 客服:1923002089
赞(0) 打赏
未经允许不得转载:琼杰笔记 » Kubernetes/K8S基础使用方法总结【一】——安装部署
分享到: 更多 (0)

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址

分享交流,合作共赢!

联系我们加入QQ群

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏