Installing a Kubernetes 1.13 cluster with kubeadm

Contents

  • Preparation
    • 1. Hardware
    • 2. Install Docker
    • 3. Adjust kernel parameters
    • 4. Disable swap
    • 5. Enable ipvs
    • 6. Disable SELinux and stop the firewall
    • 7. Check that networking, DNS, SSH and NTP work
    • 8. Beyond the above, know the basic Kubernetes concepts and terms
  • Cluster layout
  • I. Install kubeadm, kubelet and kubectl
  • II. Initialize the master
    • 1. Download the images needed for initialization in advance
    • Manual image download (updated 2020/2/5, applies to kube 1.17)
    • 2. Run the initialization
  • III. Join the worker nodes to the cluster
  • IV. Install the Flannel network plugin
  • V. Check that the cluster was built successfully
  • VI. Test that the cluster works

Preparation

Do the following on every node:

1. Hardware

At least 2 CPUs and 2 GB of RAM are recommended. This is not a hard requirement; a cluster can be brought up with 1 CPU and 1 GB, but:

With 1 CPU, initializing the master reports [WARNING NumCPU]: the number of available CPUs 1 is less than the required 2
A lot of components get installed, so too little memory may not be enough. Deploying add-ons or pods may then report the warning FailedScheduling: Insufficient cpu, Insufficient memory

2. Install Docker

Docker versions up to 18.06 have been validated. The more recent 18.09 has not been validated yet, but in my testing it works; it only produces a warning during initialization. The official recommendation is 18.06.

[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06

An installation script is available at: https://blog.csdn.net/fanren224/article/details/72598050

3. Adjust kernel parameters

Disable IPv6, otherwise the coredns containers fail to start

cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward=1
EOF

sysctl --system

If you skip this, the error is

[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1

4. Disable swap

Since Kubernetes 1.8, swap must be turned off, otherwise kubelet will not start with the default configuration.

$  swapoff -a

# prevent the swap partition from being mounted automatically at boot
$  sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

If you skip this, the error is

[ERROR Swap]: running with swap on is not supported. Please disable swap

5. Enable ipvs

Not required, only recommended. Pod load balancing is implemented by kube-proxy in one of two modes: the default iptables mode and ipvs mode; ipvs simply performs better than iptables.
What is ipvs and why use it? https://blog.csdn.net/fanren224/article/details/86548398
Master high availability and load balancing of cluster services later on rely on ipvs, so load the following kernel modules

The modules to enable are
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack_ipv4

Check whether they are loaded
cut -f1 -d " "  /proc/modules | grep -e ip_vs -e nf_conntrack_ipv4

If not, load them with the following commands
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4

ipvs also needs ipset; check whether it is installed, and install it if not

yum install ipset -y

6. Disable SELinux and stop the firewall

7. Check that networking, DNS, SSH and NTP work

8. Beyond the above, you should also know the basic Kubernetes concepts and terms in advance

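As an added example (not from the original post), the checks behind steps 3 to 5 above as one Go program: it parses `sysctl -a` output, /proc/swaps and /proc/modules and reports exactly the conditions kubeadm's preflight complains about. The inputs are passed in as strings so it also runs offline on constructed samples; the /tmp/sysctl.txt path used in main is an assumption.

```go
// Added example, not part of the original post: preflight checks covering the
// host preparation steps above (sysctl values, swap, ipvs modules). Every check
// takes the file or command output as a string, so it also runs on constructed samples.
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// RequiredSysctls mirrors the /etc/sysctl.d/k8s.conf written in the post.
var RequiredSysctls = map[string]string{
	"net.bridge.bridge-nf-call-ip6tables": "1",
	"net.bridge.bridge-nf-call-iptables":  "1",
	"net.ipv4.ip_forward":                 "1",
}

// RequiredModules are the ipvs modules the post loads with modprobe.
var RequiredModules = []string{"ip_vs", "ip_vs_rr", "ip_vs_wrr", "ip_vs_sh", "nf_conntrack_ipv4"}

// ParseSysctl parses "key = value" lines as printed by `sysctl -a`
// (or as written in a sysctl.d file); comment and blank lines are skipped.
func ParseSysctl(out string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if k, v, ok := strings.Cut(line, "="); ok && !strings.HasPrefix(line, "#") {
			kv[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return kv
}

// MissingSysctls returns the required keys that are absent or not set to 1,
// the condition behind "[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]".
func MissingSysctls(sysctlOut string) []string {
	have := ParseSysctl(sysctlOut)
	var bad []string
	for k, want := range RequiredSysctls {
		if have[k] != want {
			bad = append(bad, k)
		}
	}
	sort.Strings(bad) // map iteration order is random; keep the report stable
	return bad
}

// SwapActive reports whether /proc/swaps lists a swap device (any line after
// the header); kubelet refuses to start in that state with default settings.
func SwapActive(procSwaps string) bool {
	return len(strings.Split(strings.TrimSpace(procSwaps), "\n")) > 1
}

// MissingModules returns the required modules absent from /proc/modules (first
// column), the same test as `cut -f1 -d " " /proc/modules | grep -e ip_vs -e nf_conntrack_ipv4`.
func MissingModules(procModules string) []string {
	loaded := map[string]bool{}
	for _, line := range strings.Split(procModules, "\n") {
		if f := strings.Fields(line); len(f) > 0 {
			loaded[f[0]] = true
		}
	}
	var missing []string
	for _, m := range RequiredModules {
		if !loaded[m] {
			missing = append(missing, m)
		}
	}
	return missing
}

func main() {
	// Live run on a node: save `sysctl -a` to /tmp/sysctl.txt first (assumed path).
	read := func(p string) string { b, _ := os.ReadFile(p); return string(b) }
	fmt.Println("sysctl keys not set to 1:", MissingSysctls(read("/tmp/sysctl.txt")))
	fmt.Println("swap active:", SwapActive(read("/proc/swaps")))
	fmt.Println("ipvs modules missing:", MissingModules(read("/proc/modules")))
}
```
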
Cluster layout

  • etcd nodes x1: note that the number of etcd nodes must be odd
  • master nodes x1: no odd/even restriction; more can be added later as needed
  • worker nodes x3: the nodes that actually run application workloads; more can be added easily later as needed

Hostname    IP                      Role
master1     192.168.255.130         master+etcd
slave1-3    192.168.255.121-123     node

For a highly available cluster, see:

https://blog.csdn.net/fanren224/article/details/86573264

I. Install kubeadm, kubelet and kubectl

kubelet starts Pods and containers. kubeadm initializes the cluster.
kubectl is the command-line tool used to deploy and manage applications, inspect all kinds of resources, and create, delete and update components.

Install kubeadm, kubelet and kubectl on all nodes. kubectl is not strictly needed on the worker nodes, but we install it there as well.

The official documentation for the preparation steps is here: https://kubernetes.io/docs/setup/independent/high-availability/#before-you-begin

Add the repository

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

It is best to pin the version when installing

yum install -y kubelet-1.13.0 kubeadm-1.13.0 kubectl-1.13.0 --disableexcludes=kubernetes  # ignore any exclude= directive of the kubernetes repo

Docker's cgroup driver (docker info | grep Cgroup) must match kubelet's. If they differ, edit the configuration file below. The kubelet in 1.13 defaults to cgroupfs, so no change is needed here. (A side question: what is the difference between the cgroupfs and systemd driver types, and why does the official documentation recommend systemd? https://www.cnblogs.com/sparkdev/p/9523194.html)

vim  /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
# add the following setting

Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs"

Enable kubelet at boot

systemctl enable kubelet 

Note that there is no need to start kubelet here; initialization starts it automatically. If you start it now, the following error appears and can be ignored. The log is in tail -f /var/log/messages

failed to load Kubelet config file /var/lib/kubelet/config.yaml, error failed to read kubelet config file "/var/lib/kubelet/config.yaml", error: open /var/lib/kubelet/config.yaml: no such file or directory

II. Initialize the master

1. Download the images needed for initialization in advance

Pull the images on all nodes beforehand

There are two methods; see this article: http://blog.51cto.com/purplegrape/2315451

Method 1: pull from a domestic mirror and then change the tags (recommended)

First list the images that will be needed. Note that the image versions of the 4 core components must match the versions of kubelet, kubeadm and kubectl you installed.

[root@master] ~$ kubeadm config images list
k8s.gcr.io/kube-apiserver:v1.13.0
k8s.gcr.io/kube-controller-manager:v1.13.0
k8s.gcr.io/kube-scheduler:v1.13.0
k8s.gcr.io/kube-proxy:v1.13.0
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.2.24
k8s.gcr.io/coredns:1.2.6

Download

# pull the images
kubeadm config images list |sed -e 's/^/docker pull /g' -e 's#k8s.gcr.io#mirrorgooglecontainers#g' |sh -x

docker pull coredns/coredns:1.2.6


# retag, marking the images with their k8s.gcr.io names
docker images |grep mirrorgooglecontainers |awk '{print "docker tag ",$1":"$2,$1":"$2}' |sed -e 's#mirrorgooglecontainers#k8s.gcr.io#2' |sh -x

docker tag coredns/coredns:1.2.6 k8s.gcr.io/coredns:1.2.6


# remove the images that are no longer needed
docker images | grep mirrorgooglecontainers | awk '{print "docker rmi "  $1":"$2}' | sh -x

docker rmi coredns/coredns:1.2.6

List the prepared images

[root@master] ~$ docker images
REPOSITORY                           TAG                 IMAGE ID            CREATED             SIZE
k8s.gcr.io/kube-apiserver-amd64      v1.13.0             177db4b8e93a        28 hours ago        181MB
k8s.gcr.io/kube-controller-manager   v1.13.0             b9027a78d94c        28 hours ago        146MB
k8s.gcr.io/kube-proxy                v1.13.0             01cfa56edcfc        28 hours ago        80.3MB
k8s.gcr.io/kube-scheduler            v1.13.0             3193be46e0b3        28 hours ago        79.6MB
k8s.gcr.io/coredns                   1.2.6               f59dcacceff4        2 months ago        40MB
k8s.gcr.io/etcd                      3.2.24              3cab8e1b9802        3 months ago        220MB
k8s.gcr.io/pause                     3.1                 da86e6ba6ca1        12 months ago       742kB

Manual image download (updated 2020/2/5, applies to kube 1.17)

Pull the initialization images
kubeadm config images list |sed -e 's/^/docker pull /g' -e 's#k8s.gcr.io#gcr.azk8s.cn/google-containers#g'|sh -x

docker images |grep azk8s |awk '{print "docker tag ",$1":"$2,$1":"$2}' |sed -e 's#gcr.azk8s.cn/google-containers#k8s.gcr.io#2'|sh -x

docker images | grep azk8s | awk '{print "docker rmi "  $1":"$2}' | sh -x

Pull the flannel:v0.11.0 image
docker pull quay.azk8s.cn/coreos/flannel:v0.11.0-amd64
docker tag quay.azk8s.cn/coreos/flannel:v0.11.0-amd64 quay.io/coreos/flannel:v0.11.0-amd64
docker rmi quay.azk8s.cn/coreos/flannel:v0.11.0-amd64

Method 2: change the image repository address imageRepository in the kubeadm configuration file. Note: this method only works for versions 1.11(?) and later

There is no configuration file at first; generate one with the following command

kubeadm config print init-defaults > kubeadm.conf

Change imageRepository: k8s.gcr.io in the configuration file to your own private Docker registry, for example

sed -i '/^imageRepository/ s/k8s\.gcr\.io/u9nigs6v\.mirror\.aliyuncs\.com\/google_containers/g' kubeadm.conf

imageRepository: u9nigs6v.mirror.aliyuncs.com/mirrorgooglecontainers

Then pull the images with

kubeadm config images list --config kubeadm.conf
kubeadm config images pull --config kubeadm.conf

# list them
docker images

2. Run the initialization

Before initializing, it is worth knowing the kubeadm init parameters

--apiserver-advertise-address string
The address the API Server advertises it is listening on. If `0.0.0.0` is given, the address of the default network interface is used.

--apiserver-bind-port int32     default: 6443
The port the API Server binds to

--apiserver-cert-extra-sans stringSlice
Optional extra Subject Alternative Names (SANs) for the API Server's serving certificate. Can be IP addresses or DNS names.

--cert-dir string     default: "/etc/kubernetes/pki"
The path where certificates are stored.

--config string
Path to the kubeadm configuration file. Warning: configuration file support is experimental.

--cri-socket string     default: "/var/run/dockershim.sock"
The CRI socket file to connect to

--dry-run
Apply no changes; only print what would be done.

--feature-gates string
A set of key=value pairs that toggle various features. Options are:
Auditing=true|false (ALPHA - default=false)
CoreDNS=true|false (default=true)
DynamicKubeletConfig=true|false (BETA - default=false)

-h, --help
Help for the init command

--ignore-preflight-errors stringSlice
A list of preflight checks whose errors are shown as warnings rather than errors. Example: 'IsPrivilegedUser,Swap'. The value 'all' ignores errors from all checks.

--kubernetes-version string     default: "stable-1"
Choose a specific Kubernetes version for the control plane.

--node-name string
Specify the node name.

--pod-network-cidr string
The IP address range the pod network may use. If set, the control plane automatically allocates CIDRs to every node.

--service-cidr string     default: "10.96.0.0/12"
Use an alternative IP address range for service virtual IPs

--service-dns-domain string     default: "cluster.local"
Use an alternative domain for services, e.g. "myorg.internal".

--skip-token-print
Do not print the default token generated by `kubeadm init`.

--token string
The token used to establish bidirectional trust between the master and the nodes. Format: [a-z0-9]{6}\.[a-z0-9]{16} - example: abcdef.0123456789abcdef

--token-ttl duration     default: 24h0m0s
How long the token is valid before it is automatically deleted (e.g. 1s, 2m, 3h). If set to '0', the token never expires.

Start the initialization on the master

Notes:

Because the flannel network plugin will be installed later, the parameter --pod-network-cidr=10.244.0.0/16 must be added here. 10.244.0.0/16 is the fixed IP range the flannel plugin uses; the value depends on which network plugin you plan to install

For custom configuration, first run kubeadm config print init-defaults >kubeadm.conf, edit it, and then pass the file with --config /root/kubeadm.conf

Specify the Kubernetes version with --kubernetes-version. Without it, the latest version information is fetched from Google's site, because the default is stable-1.

Because I am using a virtual machine with only one CPU, I added --ignore-preflight-errors=NumCPU. If you have enough CPUs, do not add this parameter.

[root@master] ~$ kubeadm init --pod-network-cidr=10.244.0.0/16 --ignore-preflight-errors=NumCPU --kubernetes-version=1.13.0
[init] Using Kubernetes version: v1.13.2
[preflight] Running pre-flight checks
	[WARNING NumCPU]: the number of available CPUs 1 is less than the required 2
	[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [master.hanli.com kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.255.130]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [master.hanli.com localhost] and IPs [192.168.255.130 127.0.0.1 ::1]
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [master.hanli.com localhost] and IPs [192.168.255.130 127.0.0.1 ::1]
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 26.003884 seconds
[uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.13" in namespace kube-system with the configuration for the kubelets in the cluster
[patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "master.hanli.com" as an annotation
[mark-control-plane] Marking the node master.hanli.com as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node master.hanli.com as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: orpuz8.j7vb3y83z6qfr15w
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join 192.168.255.130:6443 --token orpuz8.j7vb3y83z6qfr15w --discovery-token-ca-cert-hash sha256:9608d18cd75ad1d9675036b8801d9a550d2a1ca3c4ddf0a5cc15d22e883badb7

From the output you can see the key steps of initializing a Kubernetes cluster.

1. [preflight] Checks the system state. An error aborts the run unless --ignore-preflight-errors= was given

What exactly is checked is documented at: https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#kubeadm-init-workflow-internal-design

2. [kubelet-start] Starts kubelet

3. [certs] Generates the various certificates. A custom certificate directory can be given with --cert-dir (default /etc/kubernetes/pki)

4. [kubeconfig] Generates the configuration files admin.conf (for kubectl), kubelet.conf, controller-manager.conf and scheduler.conf in /etc/kubernetes/

5. [control-plane] Generates the yaml files used to create the Pods for apiserver, controller manager and scheduler.

6. [etcd] Generates the Pod yaml for a local etcd, unless an external etcd is specified

7. [wait-control-plane] Brings up the master components apiserver, controller manager and scheduler

8. [apiclient] Checks that the components are healthy

9. [uploadconfig] Stores the configuration in a ConfigMap named kubeadm-config in the kube-system namespace

10. [kubelet] Creates a ConfigMap named "kubelet-config-1.13" in the kube-system namespace holding the configuration for the kubelets in the cluster

11. [patchnode] Updates the master node's API object with the network plugin information as an annotation

12. [mark-control-plane] Marks the master node as unschedulable

13. [bootstrap-token] Bootstrap token

14. [addons] Installs CoreDNS and kube-proxy

kubectl reads its configuration from $HOME/.kube/config by default. The file contains the apiserver address, certificates, user name and so on; cat it to have a look. The following setup is needed:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

These commands are needed because a Kubernetes cluster requires encrypted access by default. They copy the security configuration file generated by the deployment into the current user's .kube directory, where kubectl by default looks for the credentials it uses to access the cluster.

Otherwise we would have to tell kubectl where the security configuration file is through the KUBECONFIG environment variable every time. Without either, kubectl fails with

[root@master1] ~$ kubectl get pods -n kube-system -o wide
The connection to the server localhost:8080 was refused - did you specify the right host or port?

You can optionally enable kubectl command completion; it is recommended.

echo "source <(kubectl completion bash)" >> ~/.bashrc

Add command aliases to .bashrc, then source .bashrc

alias ks='kubectl -n kube-system'
alias ki='kubectl -n istio-system'

III. Join the worker nodes to the cluster

On every worker node, run the command printed at initialization to join the worker to the cluster.
What is the token in this command for?
Any machine that wants to become a node of a Kubernetes cluster must register with the cluster's kube-apiserver. To talk to the apiserver, the machine must first obtain the corresponding certificate file (the CA file). But for a one-command installation, we cannot ask users to copy these files from the master node by hand.

So kubeadm needs to make at least one "insecure mode" request to kube-apiserver to fetch cluster-info, which is stored in a ConfigMap (it holds the APIServer's authorization information). The bootstrap token plays the role of the security check in this process.

With the kube-apiserver address, port and certificate from cluster-info, kubelet can connect to the apiserver in "secure mode", and the new node is deployed.

[root@slave1] ~$ kubeadm join 192.168.255.130:6443 --token orpuz8.j7vb3y83z6qfr15w --discovery-token-ca-cert-hash sha256:9608d18cd75ad1d9675036b8801d9a550d2a1ca3c4ddf0a5cc15d22e883badb7
[preflight] Running pre-flight checks
	[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.0. Latest validated version: 18.06
[discovery] Trying to connect to API Server "192.168.255.130:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.255.130:6443"
[discovery] Requesting info from "https://192.168.255.130:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "192.168.255.130:6443"
[discovery] Successfully established connection with API Server "192.168.255.130:6443"
[join] Reading configuration from the cluster...
[join] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.13" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Activating the kubelet service
[tlsbootstrap] Waiting for the kubelet to perform the TLS Bootstrap...
[patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "slave1.hanli.com" as an annotation

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the master to see this node join the cluster.

If you cannot find the command for adding a node, get it with

kubeadm token create --print-join-command 

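To make the discovery step concrete, here is an added example in Go (not the post's or kubeadm's own code) that reproduces how the --discovery-token-ca-cert-hash value is computed from the CA certificate and verifies that a join command carries the right pin; the self-signed sample CA it generates is a constructed stand-in for /etc/kubernetes/pki/ca.crt.

```go
// Added example (not the post's or kubeadm's own code): how the
// --discovery-token-ca-cert-hash pin in the join command is derived and checked.
// kubeadm pins the cluster CA (/etc/kubernetes/pki/ca.crt) as SHA-256 of its DER
// SubjectPublicKeyInfo; a joining node rejects cluster-info from any other CA.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// Token format from `kubeadm init --help`: [a-z0-9]{6}.[a-z0-9]{16}
var tokenRE = regexp.MustCompile(`--token\s+([a-z0-9]{6}\.[a-z0-9]{16})\b`)
var hashRE = regexp.MustCompile(`--discovery-token-ca-cert-hash\s+sha256:([0-9a-f]{64})\b`)

// NewSampleCA builds a throwaway self-signed CA (constructed sample, not a real cluster CA).
func NewSampleCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CAPin returns "sha256:<hex>" for a PEM certificate: the value kubeadm prints.
func CAPin(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%x", sha256.Sum256(cert.RawSubjectPublicKeyInfo)), nil
}

// ParseJoinCommand extracts the bootstrap token and CA pin from a
// `kubeadm join ...` line, rejecting malformed values.
func ParseJoinCommand(cmd string) (token, pin string, err error) {
	t, h := tokenRE.FindStringSubmatch(cmd), hashRE.FindStringSubmatch(cmd)
	if t == nil || h == nil {
		return "", "", fmt.Errorf("join command lacks a well-formed --token or ca-cert-hash")
	}
	return t[1], "sha256:" + h[1], nil
}

// JoinCommandPinsCA reports whether the pin in joinCmd matches certPEM; run it
// on the master against ca.crt before handing a join command to a new node.
func JoinCommandPinsCA(certPEM []byte, joinCmd string) (bool, error) {
	_, pin, err := ParseJoinCommand(joinCmd)
	if err != nil {
		return false, err
	}
	want, err := CAPin(certPEM)
	return err == nil && pin == want, err
}

func main() {
	ca, _ := NewSampleCA() // on a real master: os.ReadFile("/etc/kubernetes/pki/ca.crt")
	pin, _ := CAPin(ca)
	fmt.Println("kubeadm join <master>:6443 --token <token> --discovery-token-ca-cert-hash", pin)
}
```
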
If joining the cluster fails with an error, run the following command to reset, then join again

kubeadm  reset

Check whether the nodes have joined the cluster. NotReady is normal at this point because the network has not been installed yet

[root@master] ~$ kubectl get node
NAME               STATUS     ROLES    AGE     VERSION
master.hanli.com   NotReady   master   4m16s   v1.13.2
slave1.hanli.com   NotReady   <none>   2m54s   v1.13.2
slave2.hanli.com   NotReady   <none>   114s    v1.13.2
slave3.hanli.com   NotReady   <none>   2m40s   v1.13.2

Check the pods: the nodes are not Ready yet and the two DNS pods are not healthy either; the network plugin still needs to be configured.


[root@master] ~$ kubectl get pod -n kube-system -o wide
NAME                                       READY   STATUS              RESTARTS   AGE     IP                NODE               NOMINATED NODE   READINESS GATES
coredns-86c58d9df4-r59rv                   0/1     ContainerCreating   0          4m24s   <none>            slave1.hanli.com   <none>           <none>
coredns-86c58d9df4-rbzx5                   0/1     ContainerCreating   0          4m25s   <none>            slave1.hanli.com   <none>           <none>
etcd-master.hanli.com                      1/1     Running             0          3m50s   192.168.255.130   master.hanli.com   <none>           <none>
kube-apiserver-master.hanli.com            1/1     Running             0          3m30s   192.168.255.130   master.hanli.com   <none>           <none>
kube-controller-manager-master.hanli.com   1/1     Running             2          3m56s   192.168.255.130   master.hanli.com   <none>           <none>
kube-proxy-4wrg5                           1/1     Running             0          4m24s   192.168.255.130   master.hanli.com   <none>           <none>
kube-proxy-6rlqz                           1/1     Running             0          2m1s    192.168.255.122   slave2.hanli.com   <none>           <none>
kube-proxy-jw7cj                           1/1     Running             0          2m25s   192.168.255.121   slave1.hanli.com   <none>           <none>
kube-proxy-zq442                           1/1     Running             0          2m19s   192.168.255.123   slave3.hanli.com   <none>           <none>
kube-scheduler-master.hanli.com            1/1     Running             2          3m52s   192.168.255.130   master.hanli.com   <none>           <none>

IV. Install the Flannel network plugin

Flannel is the network plugin chosen here: https://github.com/coreos/flannel/tree/v0.10.0

This only needs to be done on the master
Download the yml

[root@master] ~$ wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

By default flannel uses the host's first network interface. If you have several interfaces, the interface has to be set explicitly in the configuration. Edit the following part of kube-flannel.yml

[root@master] ~$ vim kube-flannel.yml 

 containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.10.0-amd64
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        - --iface=ens33              # added


Apply kube-flannel.yml

[root@master] ~$ kubectl apply -f kube-flannel.yml 
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.extensions/kube-flannel-ds-amd64 created
daemonset.extensions/kube-flannel-ds-arm64 created
daemonset.extensions/kube-flannel-ds-arm created
daemonset.extensions/kube-flannel-ds-ppc64le created
daemonset.extensions/kube-flannel-ds-s390x created

After it succeeds, the master does not become Ready immediately; wait a few minutes and all statuses become normal.

[root@master] ~$ kubectl get pods --all-namespaces
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   coredns-86c58d9df4-r59rv                   1/1     Running   0          59m
kube-system   coredns-86c58d9df4-rbzx5                   1/1     Running   0          59m
kube-system   etcd-master.hanli.com                      1/1     Running   0          58m
kube-system   kube-apiserver-master.hanli.com            1/1     Running   0          58m
kube-system   kube-controller-manager-master.hanli.com   1/1     Running   16         58m
kube-system   kube-flannel-ds-amd64-229j2                1/1     Running   0          42m
kube-system   kube-flannel-ds-amd64-9zgw8                1/1     Running   1          42m
kube-system   kube-flannel-ds-amd64-cmvj5                1/1     Running   0          42m
kube-system   kube-flannel-ds-amd64-gdsgk                1/1     Running   0          42m
kube-system   kube-proxy-4wrg5                           1/1     Running   0          59m
kube-system   kube-proxy-6rlqz                           1/1     Running   0          56m
kube-system   kube-proxy-jw7cj                           1/1     Running   0          57m
kube-system   kube-proxy-zq442                           1/1     Running   0          57m
kube-system   kube-scheduler-master.hanli.com            1/1     Running   13         58m

Anything not in Running state indicates an error; troubleshoot with the description, kubectl describe pod kube-scheduler-master.hanli.com -n kube-system, and the logs, kubectl logs kube-scheduler-master.hanli.com -n kube-system.

V. Check that the cluster was built successfully

If all of the following statuses are normal, the cluster was built successfully.

Node status

[root@master] ~$ kubectl get nodes
NAME               STATUS   ROLES    AGE   VERSION
master.hanli.com   Ready    master   60m   v1.13.2
slave1.hanli.com   Ready    <none>   58m   v1.13.2
slave2.hanli.com   Ready    <none>   57m   v1.13.2
slave3.hanli.com   Ready    <none>   58m   v1.13.2

Component status

[root@master] ~$  kubectl get cs
NAME                 STATUS    MESSAGE              ERROR
controller-manager   Healthy   ok                   
scheduler            Healthy   ok                   
etcd-0               Healthy   {"health": "true"}   

Service accounts

[root@master] ~$ kubectl get serviceaccount
NAME      SECRETS   AGE
default   1         44m

Cluster info

[root@master] ~$ kubectl cluster-info
Kubernetes master is running at https://192.168.255.130:6443
KubeDNS is running at https://192.168.255.130:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'

Verify that DNS works

[root@master] ~$ kubectl run curl --image=radial/busyboxplus:curl -it
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
If you don't see a command prompt, try pressing enter.
[ root@curl-66959f6557-r4crd:/ ]$ nslookup kubernetes.default
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      kubernetes.default
Address 1: 10.96.0.1 kubernetes.default.svc.cluster.local

VI. Test that the cluster works

Create an nginx service to try whether the cluster is usable.

Create and run the deployment

[root@master] ~$ kubectl run nginx --replicas=2 --labels="run=load-balancer-example" --image=nginx  --port=80
kubectl run --generator=deployment/apps.v1 is DEPRECATED and will be removed in a future version. Use kubectl run --generator=run-pod/v1 or kubectl create instead.
deployment.apps/nginx created

Expose the service as a NodePort

[root@master] ~$ kubectl expose deployment nginx --type=NodePort --name=example-service
service/example-service exposed

View the service details

[root@master] ~$ kubectl describe service example-service
Name:                     example-service
Namespace:                default
Labels:                   run=load-balancer-example
Annotations:              <none>
Selector:                 run=load-balancer-example
Type:                     NodePort
IP:                       10.107.118.34
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  30952/TCP
Endpoints:                10.244.1.4:80,10.244.3.2:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

Service status

[root@master] ~$ kubectl get service
NAME              TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
example-service   NodePort    10.107.118.34   <none>        80:30952/TCP   15s
kubernetes        ClusterIP   10.96.0.1       <none>        443/TCP        100m

List the pods

[root@master] ~$ kubectl get pods 
NAME                     READY   STATUS    RESTARTS   AGE
nginx-58db6fdb58-5wt7p   1/1     Running   0          5m21s
nginx-58db6fdb58-7qkfn   1/1     Running   0          5m21s

Access the service IP

[root@master] ~$ curl 10.107.118.34:80
Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

Accessing the endpoints gives the same result as accessing the service IP. These IPs are reachable only from containers and nodes inside the Kubernetes cluster. There is a mapping between the endpoints and the service: the service actually load-balances across the backend endpoints. This is implemented with iptables, which is outside the scope of this article.

curl 10.244.1.4:80
curl 10.244.3.2:80

Accessing a node IP gives the same result as the cluster IP, and works from outside the cluster.

curl 192.168.255.121:30952
curl 192.168.255.122:30952
curl 192.168.255.123:30952

The whole deployment flow is:

① kubectl sends the deployment request to the API Server.

② The API Server notifies the Controller Manager to create a deployment resource.

③ The Scheduler runs the scheduling task and distributes the two replica Pods to node1 and node2.

④ The kubelets on node1 and node2 create and run the Pods on their respective nodes.

The cluster deployment is now complete.
