Kubernetes installation and deployment

Single-node Kubernetes installation

Disable the firewall

systemctl disable firewalld
systemctl stop firewalld

This leaves every listening port on the host reachable from the network. It is acceptable for a throwaway lab VM, not for a host that other machines can route to.

Update yum

yum -y update

Install etcd and kubernetes

yum -y install etcd kubernetes

The kubernetes package in the CentOS 7 extras repository is an old release whose stock configuration points the kubelet, scheduler and controller-manager at the API server's unauthenticated insecure port (http://127.0.0.1:8080), so nothing on this node authenticates to the API. Treat it as a sandbox for learning the objects, not as a deployment template.

Start the services

Start etcd

systemctl start etcd
# check the status
systemctl status etcd
# a successful start shows Active: active (running)

Start docker

systemctl start docker
# if it fails to start, edit /etc/sysconfig/selinux and set SELINUX=disabled (permissive is sufficient; the file change takes effect after a reboot, setenforce 0 applies it immediately)
systemctl status docker
# a successful start shows Active: active (running)

Start the remaining services

# start
systemctl start kube-apiserver
systemctl start kube-controller-manager
systemctl start kube-scheduler
systemctl start kubelet
systemctl start kube-proxy
# check the status of each service
systemctl status kube-apiserver
systemctl status kube-controller-manager
systemctl status kube-scheduler
systemctl status kubelet
systemctl status kube-proxy

Example 1

Create the file with vim mytomcat-rc.yaml

apiVersion: v1
kind: ReplicationController
metadata:
  name: mytomcat
spec:
  replicas: 2
  selector:
    app: mytomcat
  template:
    metadata:
      labels:
        app: mytomcat
    spec:
      containers:
        - name: mytomcat
          image: tomcat:7-jre7
          ports:
            - containerPort: 8080

Create the file with vim mytomcat-svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: mytomcat
spec:
  type: NodePort
  ports:
    - port: 8080
      nodePort: 30001
  selector:
    app: mytomcat

Create the objects

kubectl create -f mytomcat-rc.yaml
kubectl create -f mytomcat-svc.yaml

tomcat:7-jre7 is an end-of-life image, and with the firewall off the NodePort 30001 is reachable on every interface of the host; both are fine for this exercise, neither for real traffic.

"No resources found" from kubectl get pods
1. vim /etc/kubernetes/apiserver
2. Find KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota", remove ServiceAccount, save and quit.
3. systemctl restart kube-apiserver to restart the service

What is actually happening: the ServiceAccount admission plugin refuses to create a pod until the default service account has a token, and the controller-manager cannot mint one because neither it nor the API server has been given a signing key (kubectl describe rc mytomcat shows the event "No API token found for service account "default", retry after the token is automatically created and added to the service account"). Removing the plugin makes the pods appear, but from then on no pod ever receives a service account token and the API server no longer enforces service accounts at all. The fix that keeps the plugin is to configure the key instead.
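The script below is an added example, not part of the original post: it generates an RSA key for service-account tokens and adds the two flags the stock /etc/kubernetes/apiserver and /etc/kubernetes/controller-manager sysconfig files need (--service-account-key-file on the API server, --service-account-private-key-file on the controller-manager) so that the ServiceAccount admission plugin can stay enabled. The key path /etc/kubernetes/serviceaccount.key is an assumption; the config directory can be overridden so the edit logic can be checked on copies of the files.

```sh
#!/bin/sh
# Added example: keep the ServiceAccount admission plugin and give the
# apiserver/controller-manager a token signing key instead of removing it.
set -eu

# Generate the token signing key (assumed path, root-readable only).
gen_sa_key() {  # $1 = output path
  openssl genrsa -out "$1" 2048 2>/dev/null
  chmod 0600 "$1"
}

# Append a flag to a KEY="..." line in a sysconfig-style file, idempotently:
# an empty value is replaced, a non-empty value gets the flag appended,
# a missing key is added, and a flag already present is left alone.
add_flag() {  # $1 = file, $2 = KEY, $3 = flag
  f=$1 k=$2 v=$3
  if grep -qF -- "$v" "$f"; then return 0; fi
  if grep -q "^$k=" "$f"; then
    sed -i -e "s|^$k=\"\"\$|$k=\"$v\"|" -e t -e "s|^$k=\"\(.*\)\"\$|$k=\"\1 $v\"|" "$f"
  else
    printf '%s="%s"\n' "$k" "$v" >> "$f"
  fi
}

# The API server verifies tokens with the public half, the
# controller-manager signs them with the private half; kube-apiserver
# accepts the private key file for --service-account-key-file.
configure_service_accounts() {  # $1 = key path, $2 = config dir (default /etc/kubernetes)
  sakey=$1 cfg=${2:-/etc/kubernetes}
  [ -f "$sakey" ] || gen_sa_key "$sakey"
  add_flag "$cfg/apiserver" KUBE_API_ARGS "--service-account-key-file=$sakey"
  add_flag "$cfg/controller-manager" KUBE_CONTROLLER_MANAGER_ARGS "--service-account-private-key-file=$sakey"
}

# True when the admission-control list still contains ServiceAccount.
admission_keeps_serviceaccount() {  # $1 = apiserver config file
  grep '^KUBE_ADMISSION_CONTROL=' "$1" | grep -q ServiceAccount
}

if [ "${1:-}" = run ]; then
  configure_service_accounts /etc/kubernetes/serviceaccount.key
  admission_keeps_serviceaccount /etc/kubernetes/apiserver \
    || echo "warning: ServiceAccount admission plugin is not enabled"
  systemctl restart kube-apiserver kube-controller-manager
fi
```

Run it as ./sa-key.sh run on the single node, then delete and recreate the replication controller; the pods are created and each carries a token under /var/run/secrets/kubernetes.io/serviceaccount.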

Cluster installation of Kubernetes

Node plan

Node name      IP address
k8s-master01   192.168.183.10
k8s-node01     192.168.183.20
k8s-node02     192.168.183.21
hub.hdj.com    192.168.183.200

Resource downloads

Resources used later: docker-compose, harbor-offline-installer-v1.2.0.tgz and kubeadm-basic.images.tar.gz. I have uploaded them to Baidu Netdisk for anyone who needs them. Address:
Link: https://pan.baidu.com/s/1JV1mEqz35o-1Skj1ETv2nQ extraction code: 9vcc

Binaries and container images taken from a personal cloud drive are an unverified supply chain. Where the nodes can reach a registry, prefer kubeadm config images pull --config kubeadm-config.yaml (with imageRepository pointed at a mirror if k8s.gcr.io is unreachable), and fetch docker-compose and the Harbor installer from their upstream GitHub release pages.

Configuring the virtual machines

Set the hostname on each system and make the hosts resolve each other

Set the hostname

# run on every node, substituting k8s-node01 / k8s-node02 on the workers
hostnamectl set-hostname k8s-master01

Configure /etc/hosts

192.168.183.10 k8s-master01
192.168.183.20 k8s-node01
192.168.183.21 k8s-node02

Copy /etc/hosts to the other nodes

scp /etc/hosts root@k8s-node01:/etc/
scp /etc/hosts root@k8s-node02:/etc/

Install dependencies

yum install -y conntrack ntpdate ntp ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git

Switch the firewall to iptables with an empty ruleset

systemctl stop firewalld && systemctl disable firewalld
yum -y install iptables-services && systemctl start iptables && systemctl enable iptables && iptables -F && service iptables save

The flush removes every filter rule and leaves the chain policies at ACCEPT, so the API server (6443), the kubelet (10250), etcd (2379-2380) and every NodePort are open to anyone who can reach the node. That is the usual shortcut for a lab on an isolated network; anywhere else, add explicit accept rules for those ports from the cluster subnet and set the INPUT policy to DROP.

Disable swap

kubeadm warns if swap is enabled, and the kubelet refuses to start with it on (the --fail-swap-on default), because the memory limits and QoS decisions it makes assume a pod's memory cannot be paged out. So swap is switched off.

swapoff -a && sed -i '/ swap / s/^\(.*\)$/#\1/g' /etc/fstab

Disable SELinux

setenforce 0 && sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

Permissive mode is all kubeadm needs (its own documentation sets SELINUX=permissive) and it keeps logging denials to the audit log; disabled drops the labels entirely and cannot be turned back on without a full relabel.

Adjust kernel parameters for Kubernetes

# br_netfilter must be loaded first, otherwise the net.bridge.* keys do not exist and sysctl -p fails on them
modprobe br_netfilter
cat > kubernetes.conf <<EOF
# required: pass bridged traffic through iptables so kube-proxy rules apply to pod traffic
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.ipv4.ip_forward=1
net.ipv4.tcp_tw_recycle=0
# avoid swap except under memory pressure
vm.swappiness=0
# do not check whether physical memory is sufficient
vm.overcommit_memory=1
# on OOM let the OOM killer act instead of panicking
vm.panic_on_oom=0
fs.inotify.max_user_instances=8192
fs.inotify.max_user_watches=1048576
fs.file-max=52706963
fs.nr_open=52706963
# optional: disable IPv6 (only if nothing on the node uses it)
net.ipv6.conf.all.disable_ipv6=1
net.netfilter.nf_conntrack_max=2310720
EOF
cp kubernetes.conf /etc/sysctl.d/kubernetes.conf
sysctl -p /etc/sysctl.d/kubernetes.conf

The comments are on their own lines because sysctl only treats lines that begin with # as comments; it does not strip a trailing "# ..." from a value line.

Set the system time zone

# set the time zone to Asia/Shanghai
timedatectl set-timezone Asia/Shanghai
# keep the hardware clock in UTC rather than local time
timedatectl set-local-rtc 0
# restart services that depend on the system time
systemctl restart rsyslog
systemctl restart crond

Stop services the node does not need

systemctl stop postfix && systemctl disable postfix

Configure rsyslogd and systemd journald

mkdir /var/log/journal # directory for persistent journal storage
mkdir /etc/systemd/journald.conf.d
cat > /etc/systemd/journald.conf.d/99-prophet.conf <<EOF
(the [Journal] settings that belong between this line and the closing EOF were lost from the page)

Upgrade the kernel to 4.4 (kernel-lt)

The 3.10.x kernel that ships with CentOS 7.x has bugs that make Docker and Kubernetes unstable, so install the long-term kernel from ELRepo:

# import the ELRepo signing key first so the packages below are verified
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-3.el7.elrepo.noarch.rpm
# after installing, check that the menuentry for the kernel in /boot/grub2/grub.cfg contains an initrd16 line; if not, install again
cat /boot/grub2/grub.cfg|grep initrd16

yum --enablerepo=elrepo-kernel install -y kernel-lt
# boot the new kernel by default; the title must match the menuentry grub.cfg shows for the installed version (4.4.189 at the time of writing)
grub2-set-default 'CentOS Linux (4.4.189-1.el7.elrepo.x86_64) 7 (Core)'
# reboot
reboot
# check the running kernel
uname -r

Prerequisites for running kube-proxy in ipvs mode

modprobe br_netfilter
cat > /etc/sysconfig/modules/ipvs.modules <<EOF
(the list of ip_vs modules this script loads was lost from the page)
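The preflight script below is an added example, not part of the original post: it checks the outcome of the kernel, swap, SELinux, sysctl and module steps above before kubeadm init is run. The IPVS module list is an assumption taken from kube-proxy's documentation for this release (nf_conntrack_ipv4 is the 4.4-era name); the helpers take their input as arguments so the logic can be exercised without root, and preflight wires them to the live system.

```sh
#!/bin/sh
# Added example: node preflight for the kubeadm/ipvs procedure above.

# Modules kube-proxy in ipvs mode needs (assumed list, kube-proxy docs of the 1.15 era).
IPVS_MODULES="ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4"

# Kernel parameters kubeadm's preflight insists on; net.bridge.* exist only
# once br_netfilter is loaded.
REQUIRED_SYSCTLS="net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1"

# Compare a "uname -r" string with a minimum major.minor version.
kernel_ge() {  # $1 = uname -r output, $2 = minimum, e.g. 4.4
  hm=${1%%.*}; r=${1#*.}; hn=${r%%[!0-9]*}
  wm=${2%%.*}; wn=${2#*.}
  [ "$hm" -gt "$wm" ] || { [ "$hm" -eq "$wm" ] && [ "$hn" -ge "$wn" ]; }
}

# Print the modules from $2 that do not appear in the lsmod-style listing $1.
missing_modules() {  # $1 = lsmod output, $2 = space-separated module names
  out=
  for m in $2; do
    printf '%s\n' "$1" | awk -v m="$m" '$1==m{f=1} END{exit !f}' || out="$out $m"
  done
  printf '%s\n' "${out# }"
}

# Print the key=value pairs from $2 whose value in the "sysctl -a" style
# listing $1 is missing or different.
sysctl_mismatches() {  # $1 = sysctl output, $2 = required key=value pairs
  out=
  for kv in $2; do
    k=${kv%%=*}; v=${kv#*=}
    actual=$(printf '%s\n' "$1" | awk -F'[ =]+' -v k="$k" '$1==k{print $2}')
    [ "$actual" = "$v" ] || out="$out $kv"
  done
  printf '%s\n' "${out# }"
}

# Active swap devices, from /proc/swaps or a file in its format.
swap_entries() {  # $1 = path (default /proc/swaps)
  awk 'NR>1{print $1}' "${1:-/proc/swaps}"
}

# Run every check against the live node; exit 1 if any fails.
preflight() {
  rc=0
  kernel_ge "$(uname -r)" 4.4 || { echo "kernel $(uname -r) is older than 4.4"; rc=1; }
  [ -z "$(swap_entries)" ] || { echo "swap still active: $(swap_entries)"; rc=1; }
  [ "$(getenforce 2>/dev/null)" != Enforcing ] || { echo "SELinux is enforcing"; rc=1; }
  mm=$(missing_modules "$(lsmod)" "$IPVS_MODULES br_netfilter")
  [ -z "$mm" ] || { echo "modules not loaded: $mm"; rc=1; }
  sm=$(sysctl_mismatches "$(sysctl -a 2>/dev/null)" "$REQUIRED_SYSCTLS")
  [ -z "$sm" ] || { echo "sysctl mismatches: $sm"; rc=1; }
  return $rc
}

if [ "${1:-}" = run ]; then preflight; fi
```

Run it as ./preflight.sh run on every node after the reboot into the new kernel; an empty output and exit status 0 means the node is ready for the Docker and kubeadm steps.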

Install Docker

yum install -y yum-utils device-mapper-persistent-data lvm2
# add the docker-ce repository
yum-config-manager \
--add-repo \
http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# install docker-ce
yum install -y docker-ce
# create /etc/docker
mkdir /etc/docker
# configure the daemon: systemd as cgroup driver (what the kubelet expects) and size-capped json-file logs
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m"
  }
}
EOF
# the daemon must be enabled and running with this configuration before the images below are loaded
systemctl enable docker && systemctl restart docker

Install kubeadm (control plane and workers)

Upload kubeadm-basic.images.tar.gz, unpack it and load the images.

tar -zxf kubeadm-basic.images.tar.gz
cat > loadimages.sh <<'EOF'
#!/bin/bash
# load every image tarball from the extracted directory
ls /root/kubeadm-basic.images > /tmp/image-list.txt
cd /root/kubeadm-basic.images
for i in $( cat /tmp/image-list.txt )
do
        docker load -i $i
done
rm -rf /tmp/image-list.txt
EOF
chmod a+x loadimages.sh
./loadimages.sh

The heredoc delimiter is quoted ('EOF') so that $( cat ... ) and $i are written into the script literally instead of being expanded while the file is created. Images loaded from a tarball carry no registry digest, so nothing here verifies that they match upstream; kubeadm config images pull is the verifiable alternative when the nodes have network access.

Install kubeadm, kubectl and kubelet

cat > /etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
yum -y install kubeadm-1.15.1 kubectl-1.15.1 kubelet-1.15.1
systemctl enable kubelet.service

With gpgcheck=0 and an http:// baseurl the packages are installed without any signature check, which makes the gpgkey line dead configuration. Set gpgcheck=1 and use an https://mirrors.aliyun.com baseurl so the RPMs are verified against those keys before they are installed. The two gpgkey URLs belong on one line separated by a space; split across two lines, yum cannot parse the second.

Initialize the control plane

kubeadm config print init-defaults > kubeadm-config.yaml  # write the default init configuration
# vim kubeadm-config.yaml and change the following fields
localAPIEndpoint:
  advertiseAddress: 192.168.183.10
kubernetesVersion: v1.15.1
networking:
  podSubnet: "10.244.0.0/16"   # matches flannel's default network
  serviceSubnet: 10.96.0.0/12
# append the following document
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true
mode: ipvs

The defaults file also contains a bootstrapTokens block with the placeholder token abcdef.0123456789abcdef. Delete that block so kubeadm generates a random token, or replace the value with the output of kubeadm token generate; otherwise the join command printed at the end carries a token that anyone can guess.

Run kubeadm init

kubeadm init --config=kubeadm-config.yaml --experimental-upload-certs | tee kubeadm-init.log

--experimental-upload-certs is the 1.15 spelling; from 1.16 the flag is --upload-certs. kubeadm-init.log contains the join token and the certificate key, so keep it readable by root only and delete it once the nodes have joined.

Following the instructions at the end of kubeadm-init.log:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

admin.conf holds a client certificate in the system:masters group, i.e. unrestricted cluster-admin; it belongs only in root's home on the master.

Deploy the flannel network

Run the following on k8s-master01

# download kube-flannel.yml
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# vim kube-flannel.yml and change every quay.io to quay-mirror.qiniu.com
:%s/quay.io/quay-mirror.qiniu.com/g
# create kube-flannel
kubectl create -f kube-flannel.yml
# check that kube-flannel is running
kubectl get pod -n kube-system   # kube-flannel-ds-amd64-cx6lz should be in the Running state
# ifconfig now shows an extra interface, flannel.1
# the node is now Ready
kubectl get node

Two supply-chain notes on this step. The manifest is fetched from the master branch, so what gets applied changes over time; pin a tagged release URL, or keep the downloaded copy alongside the cluster configuration, so the deployment is reproducible. Replacing quay.io with a third-party mirror means the flannel image comes from whoever operates that mirror, and the manifest runs it with NET_ADMIN on every node; pin the image by digest, or pull it through a registry you control (such as the Harbor instance set up below).

On k8s-node01 and k8s-node02, run the following; it is the command printed on the last lines of kubeadm-init.log

kubeadm join 192.168.183.10:6443 --token abcdef.0123456789abcdef \
    --discovery-token-ca-cert-hash sha256:f2a9b77cbe8bdaa9dd8cdcd414fb4a9d09059dfb33ced7f13fc2218f425b6273

The token shown is the placeholder from kubeadm config print init-defaults and it stays valid for 24 hours: during that window anyone who can reach 192.168.183.10:6443 can join a node to this cluster, and a rogue node receives the secrets of every pod scheduled onto it. Once the workers are in, run kubeadm token delete abcdef.0123456789abcdef on the master (kubeadm token list shows what is still valid). The --discovery-token-ca-cert-hash value is what stops a node from joining an impostor API server, so never drop it.

Afterwards, list the nodes: k8s-node01 and k8s-node02 are now Ready.

kubectl get node

After a short wait the pod list shows three flannel pods, all Running

kubectl get pod -n kube-system
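An added example (not from the original post) for handling the join step safely: validating the token format, detecting the placeholder token, issuing a short-lived replacement, and checking that the CA hash in a join command really matches the cluster's /etc/kubernetes/pki/ca.crt before it is pasted onto a worker. The hash pipeline is the one kubeadm documents for --discovery-token-ca-cert-hash (SHA-256 over the DER SubjectPublicKeyInfo of the CA). The kubeadm invocations assume they run on the control plane; everything else works on any machine with openssl.

```sh
#!/bin/sh
# Added example: bootstrap-token hygiene for `kubeadm join`.
set -eu

DEFAULT_TOKEN=abcdef.0123456789abcdef   # placeholder written by `kubeadm config print init-defaults`

# kubeadm only accepts tokens of the form [a-z0-9]{6}.[a-z0-9]{16}.
token_valid() {  # $1 = token
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The placeholder is public knowledge and must never reach a real cluster.
token_is_placeholder() { [ "$1" = "$DEFAULT_TOKEN" ]; }

# Generate a token locally with the same alphabet as `kubeadm token generate`.
gen_token() {
  t=$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 22)
  printf '%s.%s\n' "$(printf '%s' "$t" | cut -c1-6)" "$(printf '%s' "$t" | cut -c7-22)"
}

# sha256 of the DER-encoded public key of the cluster CA: exactly what
# --discovery-token-ca-cert-hash pins on the joining node.
ca_cert_hash() {  # $1 = path to ca.crt
  openssl x509 -pubkey -noout -in "$1" \
    | openssl rsa -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# True when the hash inside a join command line ($1) matches the CA in $2.
join_hash_matches() {  # $1 = join command, $2 = ca.crt path
  want=$(printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([0-9a-f]\{64\}\).*/\1/p')
  [ -n "$want" ] && [ "$want" = "$(ca_cert_hash "$2")" ]
}

# On the control plane: a fresh token that expires in one hour, printed
# as a complete join line with the pinned CA hash.
issue_join() {  # $1 = API endpoint host:port, $2 = ca.crt path
  tok=$(kubeadm token create --ttl 1h)   # assumed: runs on the control plane
  printf 'kubeadm join %s --token %s --discovery-token-ca-cert-hash sha256:%s\n' \
    "$1" "$tok" "$(ca_cert_hash "$2")"
}

# After the workers are in, nothing should be able to reuse the placeholder.
revoke_placeholder() { kubeadm token delete "$DEFAULT_TOKEN" 2>/dev/null || true; }

if [ "${1:-}" = run ]; then
  issue_join 192.168.183.10:6443 /etc/kubernetes/pki/ca.crt
  revoke_placeholder
fi
```

On the master, ./join-token.sh run prints a join line to paste on k8s-node01 and k8s-node02 and removes the placeholder token; on a worker, join_hash_matches "$(cat join.txt)" ca.crt (with ca.crt copied out of band) confirms the line points at the right cluster before it is executed.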

Installing Harbor

VM configuration:

Set the hostname to hub.hdj.com
Edit /etc/hosts and copy it to every node, as above

Install Docker

Follow the commands in the Docker section above

After installing, add an "insecure-registries" entry to /etc/docker/daemon.json on every machine so Docker stops rejecting the self-signed certificate, giving this daemon.json on each machine:

{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"insecure-registries": ["hub.hdj.com"]
}

The entry is a host name, not a URL (Docker strips a leading https:// with a warning). Be clear about what it does: for that host Docker accepts any certificate and falls back to plain HTTP, so anything that can answer as hub.hdj.com on the network can feed the nodes arbitrary images. The certificate section below produces a certificate Docker can actually verify, which makes this entry unnecessary; if you keep it, run systemctl restart docker for it to take effect.

Creating the SSL certificate

Generate the private key and the certificate request

openssl genrsa -des3 -out server.key 2048  # generate the RSA private key (passphrase-protected)
openssl req -new -key server.key -out server.csr # generate a certificate signing request (CSR) for it
# the interaction looks like this
[root@hub cert]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:lz
Locality Name (eg, city) [Default City]:lz
Organization Name (eg, company) [Default Company Ltd]:hzsun
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:hub.hdj.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@hub cert]# ls
server.csr  server.key

Generate the certificate

# back up the key
cp server.key server.key.org
# strip the passphrase (the nginx inside Harbor cannot prompt for one)
openssl rsa -in server.key.org -out server.key
# self-sign the certificate for 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# the files need no execute bit; what matters is that the unencrypted key is readable only by root
chmod 0600 server.key server.key.org

Two limits of this certificate are worth knowing. It carries no subjectAltName, and Go-based clients (Docker, containerd) built with Go 1.15 or later ignore the Common Name and reject a certificate without one, so newer nodes will not trust it even once it is installed. And because it is self-signed, the only way to trust it is to install server.crt itself as a trust anchor on every node; a small private CA that signs the server certificate is no more work and lets the server key be rotated without touching the nodes.
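The script below is an added example, not part of the original post, and serves both the daemon.json step and the certificate steps above: it builds a private CA, issues a server certificate for hub.hdj.com that carries a subjectAltName (name and IP), verifies the chain the way a client would, and installs the CA under Docker's certs.d directory so the insecure-registries entry is not needed. The hostname and IP are the ones used in this post; /data/cert, the CA subject and the certs.d root (overridable for testing) are assumptions.

```sh
#!/bin/sh
# Added example: private CA + Harbor server certificate with SAN, and the
# Docker-side trust that replaces "insecure-registries".
set -eu

# Create ca.key/ca.crt and server.key/server.crt in $1 for host $2 / IP $3.
make_harbor_certs() {  # $1 = output dir, $2 = registry hostname, $3 = registry IP
  dir=$1 host=$2 ip=$3
  mkdir -p "$dir"
  # Minimal openssl config: a CA section with the CA:TRUE constraint.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Harbor Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # CA key: generated once, kept off the registry host if possible, root-only.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -days 3650 -config "$dir/ca.cnf" -extensions v3_ca 2>/dev/null
  chmod 0600 "$dir/ca.key"
  # Server key without passphrase (Harbor's nginx cannot prompt for one).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/ca.cnf" -subj "/CN=$host" 2>/dev/null
  chmod 0600 "$dir/server.key"
  # Modern Docker/Go clients ignore CN and require a SAN: list name and IP.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,IP:%s\n' \
    "$host" "$ip" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check chain and SAN the way a client would; non-zero on any failure.
verify_harbor_cert() {  # $1 = dir, $2 = hostname expected in the SAN
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# Docker trusts a registry whose CA sits at certs.d/<host>/ca.crt; run on
# every node.  Only the CA certificate leaves the registry host.
install_docker_trust() {  # $1 = dir with ca.crt, $2 = hostname, $3 = certs.d root (default /etc/docker/certs.d)
  root=${3:-/etc/docker/certs.d}
  mkdir -p "$root/$2"
  install -m 0644 "$1/ca.crt" "$root/$2/ca.crt"
}

if [ "${1:-}" = run ]; then
  make_harbor_certs /data/cert hub.hdj.com 192.168.183.200
  verify_harbor_cert /data/cert hub.hdj.com
  install_docker_trust /data/cert hub.hdj.com
fi
```

Harbor reads /data/cert/server.crt and /data/cert/server.key (the harbor.cfg defaults used below); copy only /data/cert/ca.crt to the other nodes and run install_docker_trust there, after which docker login hub.hdj.com succeeds with a verified TLS connection and the insecure-registries entry can be removed.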

Installing Harbor

Upload docker-compose
Upload harbor-offline-installer-v1.2.0.tgz

mv docker-compose /usr/local/bin/
chmod a+x /usr/local/bin/docker-compose
tar -zxf harbor-offline-installer-v1.2.0.tgz
mv harbor /usr/local/
cd /usr/local/harbor/
vim harbor.cfg # change the following two parameters
hostname = hub.hdj.com
ui_url_protocol = https
# create /data/cert and put the certificate and key made above into it (harbor.cfg's ssl_cert and ssl_cert_key default to /data/cert/server.crt and /data/cert/server.key)
# install harbor
./install.sh
# once the installation finishes, check the containers
docker ps -a

When the installation succeeds, open https://hub.hdj.com/
and log in with user admin and password Harbor12345 to reach Harbor.

Harbor12345 is the default admin password of every Harbor install. Set harbor_admin_password in harbor.cfg before running install.sh (it is only read on the first start), or change the password in the UI right after the first login. Harbor 1.2.0 dates from 2017 and is long out of support; it is used here only because it is what the offline bundle contains.

Upload test to the registry

# log in to harbor
docker login hub.hdj.com
# pull an Nginx image
docker pull nginx
# tag it under your own registry
docker tag nginx hub.hdj.com/library/nginx:v1
# push the tagged image to harbor
docker push hub.hdj.com/library/nginx:v1
# after the push succeeds the image is visible at https://hub.hdj.com/

docker login stores the credentials base64-encoded, not encrypted, in ~/.docker/config.json; run docker logout hub.hdj.com on machines that only need to pull from the public library project.

Pulling the uploaded image from k8s

Delete the locally pulled Nginx image

docker rmi -f xxxx    # xxxx is the IMAGE ID

On k8s-master01, create a deployment that pulls hub.hdj.com/library/nginx:v1

kubectl run nginx-deployment --image=hub.hdj.com/library/nginx:v1 --port=80 --replicas=1
# --replicas sets the replica count (with kubectl 1.15 this form still creates a Deployment; from 1.18 kubectl run creates a bare pod and --replicas is gone)
Check the status
[root@k8s-master01 ~]# kubectl get deployment # list deployments
NAME               READY   UP-TO-DATE   AVAILABLE   AGE
nginx-deployment   1/1     1            1           102s
[root@k8s-master01 ~]# kubectl get rs # list replica sets
NAME                          DESIRED   CURRENT   READY   AGE
nginx-deployment-546f74fbcd   1         1         1       109s
[root@k8s-master01 ~]# kubectl get pod # list pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-546f74fbcd-v6w94   1/1     Running   0          2m12s
[root@k8s-master01 ~]# kubectl get pod -o wide # more detail; this pod is running on node02
NAME                                READY   STATUS    RESTARTS   AGE     IP           NODE         NOMINATED NODE   READINESS GATES
nginx-deployment-546f74fbcd-v6w94   1/1     Running   0          2m21s   10.244.2.2   k8s-node02              

The pull works without any credentials because Harbor's library project is public by default. For a private project the pod would need a docker-registry Secret referenced through imagePullSecrets.

On k8s-node02, docker ps shows the hub.hdj.com/library/nginx container running.
From any of k8s-master01, k8s-node01 and k8s-node02, requesting 10.244.2.2 returns the Nginx welcome page. Command:

curl 10.244.2.2
Testing the pod replica maintenance

Delete the running pod nginx-deployment-546f74fbcd-v6w94
List the pods again: a new pod has been started in its place.
The steps are:

[root@k8s-master01 flannel]# kubectl delete pod nginx-deployment-546f74fbcd-v6w94
pod "nginx-deployment-546f74fbcd-v6w94" deleted
[root@k8s-master01 flannel]# kubectl get pod
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-546f74fbcd-bsqx6   1/1     Running   0          20s

Change the replica count to 3 and list the pods: three pods appear right away, spread across the worker nodes (none lands on the master, which kubeadm taints with NoSchedule).
The steps are:

[root@k8s-master01 flannel]# kubectl scale --replicas=3 deployment/nginx-deployment
deployment.extensions/nginx-deployment scaled
[root@k8s-master01 flannel]# kubectl get pods
NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-546f74fbcd-bsqx6   1/1     Running   0          7m31s
nginx-deployment-546f74fbcd-c86kx   1/1     Running   0          13s
nginx-deployment-546f74fbcd-pq6b7   1/1     Running   0          13s
[root@k8s-master01 flannel]# kubectl get pods -o wide
NAME                                READY   STATUS    RESTARTS   AGE     IP           NODE         NOMINATED NODE   READINESS GATES
nginx-deployment-546f74fbcd-bsqx6   1/1     Running   0          7m42s   10.244.2.3   k8s-node02              
nginx-deployment-546f74fbcd-c86kx   1/1     Running   0          24s     10.244.1.3   k8s-node01              
nginx-deployment-546f74fbcd-pq6b7   1/1     Running   0          24s     10.244.2.4   k8s-node02              

With three pods, reaching them needs a Service (kubectl expose). The steps are:

# kubectl expose --help lists the options
[root@k8s-master01 flannel]# kubectl expose deployment nginx-deployment --port=30000 --target-port=80     # create a Service for the deployment, mapping the pods' port 80 to Service port 30000
service/nginx-deployment exposed
[root@k8s-master01 flannel]# kubectl get svc # list services
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
kubernetes         ClusterIP   10.96.0.1                443/TCP     52m
nginx-deployment   ClusterIP   10.100.140.229           30000/TCP   13s
[root@k8s-master01 flannel]# curl 10.100.140.229:30000 # request the service through the port the SVC exposes
[root@k8s-master01 flannel]# ipvsadm -Ln |grep 10.100.140.229
TCP  10.100.140.229:30000 rr

The service is now reachable only from k8s-master01, k8s-node01 and k8s-node02 at 10.100.140.229:30000. To reach it from outside, change the Service type to NodePort:

# open the nginx-deployment Service and set the type field (around line 27) to NodePort
kubectl edit svc nginx-deployment
# list services: the type is now NodePort and PORT(S) shows an extra port, the one exposed externally
kubectl get svc

Result:

[root@k8s-master01 flannel]# kubectl get svc
NAME               TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)           AGE
kubernetes         ClusterIP   10.96.0.1                443/TCP           76m
nginx-deployment   NodePort    10.100.140.229           30000:30300/TCP   23m

Externally, the service is reachable at any node's IP plus port 30300, and requests are round-robined across the 3 pods.
http://192.168.183.10:30300
http://192.168.183.20:30300
http://192.168.183.21:30300

kube-proxy opens a NodePort on every node, the master included, and the firewall was flushed earlier, so this port is reachable from anywhere that can route to the nodes. That is what this test wants; for anything real, restrict the source addresses with iptables rules on the nodes or put an ingress controller in front and keep the NodePort range closed.

The Kubernetes cluster installation is now complete

Pitfalls

coredns-xxxx in CrashLoopBackOff

Problem: all pods were Running; after suspending the VMs one by one and starting them again, coredns-xxxx went into CrashLoopBackOff. My solution was to re-initialize kubeadm, as follows:
On k8s-master01:

# reset kubeadm
kubeadm reset
# flush iptables and ipvs, as the reset output suggests
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
ipvsadm --clear
# re-initialize kubeadm
kubeadm init --config=kubeadm-config.yaml --experimental-upload-certs | tee kubeadm-init.log
# reset $HOME/.kube; it must be recreated with the commands below, otherwise kubectl fails with: Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
rm -rf $HOME/.kube
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
# recreate flannel
kubectl create -f kube-flannel.yml

The x509 error appears because kubeadm reset wipes /etc/kubernetes/pki and kubeadm init creates a new cluster CA, while the old kubeconfig still trusts the old one. For the same reason the join command below carries a different --discovery-token-ca-cert-hash than the first join did.

On k8s-node01 and k8s-node02, run the following to register the nodes again

# reset kubeadm
kubeadm reset
# flush iptables and ipvs, as the reset output suggests
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X
ipvsadm --clear
# join again (the hash is new because the reset created a new cluster CA)
kubeadm join 192.168.183.10:6443 --token abcdef.0123456789abcdef     --discovery-token-ca-cert-hash sha256:b7c6480525639867f254bb4664b50fd2fa948d34a98cde6be7b8f21b6752d3f5 

Node and pod status are now normal, all Running.

Pods on other nodes unreachable

Symptom: services published by pods on other nodes cannot be reached.
kubectl get pod -n kube-system shows every pod Running, but ifconfig shows no flannel.1 link.
Fix: reset kubeadm on every node, flush iptables and ipvs, reboot every node, then initialize kubeadm and create flannel again. That resolves it.

Harbor returns 502

Restart docker and then Harbor (docker-compose must run from the directory holding Harbor's docker-compose.yml).

systemctl restart docker
cd /usr/local/harbor && docker-compose start
