Kubernetes, abbreviated k8s (k, 8 letters, s, get it?) or "kube", is an open-source platform for automating the operation of Linux containers. It removes many of the manual steps involved in deploying and scaling containerized applications. In other words, you can combine several hosts into a cluster that runs Linux containers, and Kubernetes helps you manage those clusters simply and efficiently. The hosts that make up a cluster can span public, private and hybrid clouds. Kubernetes is now the de facto standard for container orchestration, backed mainly by Google and Red Hat.
kubeadm is the official Kubernetes tool for quickly standing up a k8s cluster. It is much simpler and faster than the other methods currently found online, and you run into fewer problems. If you hit any problem while following this article, please leave a comment and I will try to reply promptly. This article is mainly based on the official Kubernetes document Using kubeadm to Create a Cluster. The cluster built here is not secure enough and is not highly available; it is only suggested for personal study and research, not for deployment to production.
Prerequisites
1. Two or more servers running CentOS 7 x64; physical machines, virtual machines or VPS instances all work. One serves as the master node, the others as worker nodes.
2. Every machine has at least 2 GB of RAM, and the server used as the master has at least 2 cores.
3. All servers can reach each other over the network; hostnames must be unique and must not contain underscores.
4. The servers must be outside the Great Firewall, because some of the files downloaded during setup are very slow or impossible to fetch from inside China; this means building the cluster on a domestic VPS such as Alibaba Cloud or Tencent Cloud is a hassle. If you do not yet have a server outside the wall, take a look at Vultr; that is what I use, it is good value and quite stable. I recommend the Tokyo or US West locations, which connect faster. Sometimes the IP cannot be pinged, which is probably because it has been blocked; just create another instance in a different region and it will be fine.
5. You can connect to the servers over SSH, run simple commands, and edit and save files. Some of the commands below may need root privileges; if you get a permission error, rerun the command with sudo in front.
Setup steps
Steps 1 to 6 are required on every server.
1. Upgrade the system. On the command line run
yum update -y
2. Disable the firewall and swap. The k8s components run on different servers and talk to each other over many ports, so for simplicity the firewall is turned off entirely; this is not recommended in production. Swap has to be off for the kubelet component to work properly.
systemctl disable firewalld
systemctl stop firewalld
swapoff -a
3. Install Docker
yum install -y docker
systemctl enable docker && systemctl start docker
4. Install kubeadm, kubelet and kubectl
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF
setenforce 0
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet && systemctl start kubelet
5. Disable SELinux, since the kubelet's SELinux support still has some problems
setenforce 0
Open the file /etc/sysconfig/selinux
vi /etc/sysconfig/selinux
Find the SELINUX line and change it to
SELINUX=disabled
Save the file
6. Set net.bridge.bridge-nf-call-iptables to 1
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
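Before moving on to kubeadm init, it is worth confirming that steps 1 to 6 actually took effect on each host. The script below is an added example, not part of the original post: it checks the post's own requirements (hostname without underscores, 2 GB RAM, 2 cores on the master, swap off, the two bridge-nf sysctls set to 1). The small tolerance on the RAM figure is an assumption, since the kernel reports a little less than the nominal size; hostname uniqueness across hosts cannot be checked on a single host.

```shell
#!/bin/sh
# Added example (not from the original post): verify on one host that the
# state required by steps 1-6 is in place before kubeadm is run.

# Hostname must be non-empty and contain no underscore.
check_hostname() {
    [ -n "$1" ] && [ "${1#*_}" = "$1" ]
}

# MemTotal in kB (as in /proc/meminfo) must cover roughly 2 GB (assumed tolerance).
check_memory_kb() {
    [ -n "$1" ] && [ "$1" -ge 1900000 ]
}

# Core count for the role: "master" needs 2, a node needs 1.
check_cpus() {
    min=1; [ "$2" = "master" ] && min=2
    [ -n "$1" ] && [ "$1" -ge "$min" ]
}

# SwapTotal in kB must be 0, i.e. "swapoff -a" took effect.
check_swap_kb() {
    [ -n "$1" ] && [ "$1" -eq 0 ]
}

# A sysctl value (as printed by "sysctl -n") must be exactly 1. The net.bridge.*
# keys only exist once the br_netfilter module is loaded, so an empty value here
# usually means "modprobe br_netfilter" is still needed before sysctl --system.
check_sysctl_one() {
    [ "$1" = "1" ]
}

# Run every check against the live host: one line per check, non-zero on failure.
preflight() {
    rc=0
    report() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    report check_hostname "$(hostname)"
    report check_memory_kb "$(awk '/^MemTotal/ {print $2}' /proc/meminfo)"
    report check_cpus "$(nproc)" "${1:-node}"
    report check_swap_kb "$(awk '/^SwapTotal/ {print $2}' /proc/meminfo)"
    report check_sysctl_one "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)"
    report check_sysctl_one "$(sysctl -n net.bridge.bridge-nf-call-ip6tables 2>/dev/null)"
    return $rc
}

# Usage: sh preflight.sh --check master   (or: --check node)
if [ "${1:-}" = "--check" ]; then preflight "${2:-node}"; fi
```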
7. Initialize the master. On the master node run
kubeadm init --pod-network-cidr=192.168.0.0/16
If you see output like the following, the master initialized successfully
[init] Using Kubernetes version: v1.8.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --token-ttl 0)
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [kubeadm-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.138.0.4]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "scheduler.conf"
[controlplane] Wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] Wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] Wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] Waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests"
[init] This often takes around a minute; or longer if the control plane images have to be pulled.
[apiclient] All control plane components are healthy after 39.511972 seconds
[uploadconfig] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[markmaster] Will mark node master as master by adding a label and a taint
[markmaster] Master master tainted and labelled with key/value: node-role.kubernetes.io/master=""
[bootstraptoken] Using token: <token>
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run (as a regular user):
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
http://kubernetes.io/docs/admin/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
Copy and save the last line of the output above, the kubeadm join command; you will need it later to join the worker nodes to the cluster. Note the WARNING in the output: the token it contains expires after 24 hours by default.
Run the following commands to initialize the kubectl configuration file
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
8. Install a network plugin so that pods can talk to each other; here we install Calico. On the master node run
kubectl apply -f https://docs.projectcalico.org/v3.0/getting-started/kubernetes/installation/hosted/kubeadm/1.7/calico.yaml
Run the following command to check that the kube-dns pod is running; this usually takes a few dozen seconds
kubectl get pods --all-namespaces
If the output contains a pod whose name starts with kube-dns in the Running state, the network plugin is working and you can go on to join the worker nodes to the cluster
[root@kube-master ~]# kubectl get pods --all-namespaces
NAMESPACE     NAME                                      READY     STATUS    RESTARTS   AGE
kube-system   calico-etcd-dfpnn                         1/1       Running   0          13h
kube-system   calico-kube-controllers-5449fdfcd-z8n45   1/1       Running   0          13h
kube-system   calico-node-8jmzt                         2/2       Running   0          13h
kube-system   calico-node-b4x99                         2/2       Running   0          13h
kube-system   etcd-kube-master                          1/1       Running   0          13h
kube-system   kube-apiserver-kube-master                1/1       Running   0          13h
kube-system   kube-controller-manager-kube-master       1/1       Running   0          13h
kube-system   kube-dns-86f4d74b45-v6qr5                 3/3       Running   0          14h
kube-system   kube-proxy-8nl2w                          1/1       Running   0          13h
kube-system   kube-proxy-klnjb                          1/1       Running   0          14h
kube-system   kube-scheduler-kube-master                1/1       Running   0          13h
9. Allow pods to run on the master by running the following command on the master. Otherwise k8s will not schedule non-system pods onto the master node
kubectl taint nodes --all node-role.kubernetes.io/master-
10. Once kube-dns is running, join the worker nodes: on each node run the kubeadm join command saved in step 7, which looks like the following.
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
If it succeeds, the output looks like
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "10.138.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.138.0.4:6443"
[discovery] Requesting info from "https://10.138.0.4:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "10.138.0.4:6443"
[discovery] Successfully established connection with API Server "10.138.0.4:6443"
[bootstrap] Detected server version: v1.8.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
Node join complete:
* Certificate signing request sent to master and response received.
* Kubelet informed of new secure connection details.
Run 'kubectl get nodes' on the master to see this machine join.
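The join command saved in step 7 has two parts worth understanding before you use it here in step 10: the bootstrap token, which kubeadm expires after 24 hours by default (see the WARNING in the init output), and the --discovery-token-ca-cert-hash, which is the SHA-256 of the cluster CA's DER-encoded public key and pins the joining node to that CA so it will not accept a different API server. The script below is an added example, not part of the original post or of kubeadm itself; it assumes it runs on the master, where /etc/kubernetes/pki/ca.crt lives and kubeadm token create can mint a fresh token, and the openssl pipeline is the one the kubeadm documentation gives for computing the hash.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild a valid join command on
# the master after the original 24-hour bootstrap token has expired.

# Print the sha256:<hex> value kubeadm expects for the CA certificate at $1:
# extract the public key, DER-encode it, hash it, then prefix it.
ca_cert_hash() {
    openssl x509 -pubkey -in "$1" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 \
        | sed 's/^.* //; s/^/sha256:/'
}

# Print a new join command for the API server at $1 (host:port, e.g. the
# "10.138.0.4:6443" seen in the join output) using the cluster CA at $2.
# Assumption: run as root on the master, where "kubeadm token create" works.
fresh_join_command() {
    api="$1"; ca="${2:-/etc/kubernetes/pki/ca.crt}"
    token="$(kubeadm token create)" || return 1
    echo "kubeadm join --token $token $api --discovery-token-ca-cert-hash $(ca_cert_hash "$ca")"
}

# Usage: sh join-cmd.sh <master-ip>:6443
if [ -n "${1:-}" ]; then fresh_join_command "$1"; fi
```

Newer kubeadm releases can produce the same line in one step with kubeadm token create --print-join-command; the hash part never changes for the lifetime of the CA, so it can be kept even when the token cannot.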
11. Verify that the node joined the cluster. On the master run
kubectl get node
If the cluster is running normally, the output looks like
NAME          STATUS    ROLES     AGE       VERSION
kube-master   Ready     master    1h        v1.10.0
kube-node     Ready     <none>    2m        v1.10.0