k8s installation (copied from someone else)

# Install Docker
• Reference: http://www.cnblogs.com/freefei/p/9263998.html
yum install -y --setopt=obsoletes=0 \
    docker-ce-17.12.1.ce-1.el7.centos.x86_64 \
    docker-ce-selinux-17.12.1.ce-1.el7.centos.noarch

# Enable at boot
systemctl enable docker

# Start
systemctl start docker

Configuration

• Disable Linux swap

Step 1: edit /etc/fstab

vim /etc/fstab (comment out the swap line)

Step 2: run the command

echo "vm.swappiness = 0" >> /etc/sysctl.conf

Step 3: run the command

swapoff -a

• Turn off SELinux support in Docker by adding "selinux-enabled": false
vim /etc/docker/daemon.json
{
  "selinux-enabled": false
}
systemctl daemon-reload
systemctl restart docker

• Configure the yum repository
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
EOF

• Edit kubeadm.yaml
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
api:
  advertiseAddress: "192.168.229.132"
networking:
  podSubnet: "10.244.0.0/16"
kubernetesVersion: "v1.11.1"
imageRepository: "registry.cn-hangzhou.aliyuncs.com/google_containers"

• Install kubeadm, kubectl and kubelet
yum install -y kubeadm kubelet kubectl

Initialization

• Stop and disable the firewall
systemctl stop firewalld
systemctl disable firewalld

• Configure /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

# Note: This dropin only works with kubeadm and kubelet v1.11+
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
# This is a file that "kubeadm init" and "kubeadm join" generates at runtime, populating the KUBELET_KUBEADM_ARGS variable dynamically
EnvironmentFile=-/var/lib/kubelet/kubeadm-flags.env
# This is a file that the user can use for overrides of the kubelet args as a last resort. Preferably, the user should use
# the .NodeRegistration.KubeletExtraArgs object in the configuration files instead. KUBELET_EXTRA_ARGS should be sourced from this file.
EnvironmentFile=-/etc/sysconfig/kubelet
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS --cgroup-driver=cgroupfs --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0

The last line has --cgroup-driver=cgroupfs --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 appended to it.

• kubeadm init --config kubeadm.yaml

This step downloads some images.
◦ If it fails, run kubeadm reset before running init again

◦ Problems you may run into

  1. [preflight] Some fatal errors occurred:
    /proc/sys/net/bridge/bridge-nf-call-iptables contents are not set to 1
    Solution:
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables

◦ Then run the following commands
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

• Install the pod network

Most network plugins require net.bridge.bridge-nf-call-iptables to be set

cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

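If you choose flannel as the pod network, run

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

Check whether the installation succeeded

kubectl get pod -n kube-system -o wide

• Install the other nodes the same way as the master, except that kubeadm init is not needed

• Join the other nodes to the cluster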
kubeadm join 192.168.229.132:6443 --token 9bahe0.v8etmmcb2bo6djx4 --discovery-token-ca-cert-hash sha256:e577511a04d5c71daa2109fed13a8e0a7593092febbcef81479b9a08cb7b977f
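
The --discovery-token-ca-cert-hash value in the join command above pins the cluster CA: it is "sha256:" followed by the SHA-256 of the CA certificate's DER-encoded public key. As an added example (not part of the original post), this script recomputes that value so a join command can be checked against the master's /etc/kubernetes/pki/ca.crt before it is run on a node; the function names and the throwaway sample CA are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.

# Print the hex SHA-256 of the certificate's SubjectPublicKeyInfo (DER).
# $1: PEM certificate, e.g. /etc/kubernetes/pki/ca.crt on the master.
ca_cert_hash() {
    local pub
    # Stop here if the file is not a certificate; otherwise the pipeline
    # below would silently hash empty input.
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pub" \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -hex \
        | sed 's/^.* //'
}

# $1: CA certificate, $2: the value given to --discovery-token-ca-cert-hash.
verify_join_hash() {
    local actual
    actual=$(ca_cert_hash "$1") || { echo "ERROR: $1 is not a readable certificate"; return 2; }
    if [ "sha256:$actual" = "$2" ]; then
        echo "match"
    else
        echo "MISMATCH: $1 hashes to sha256:$actual"
        return 1
    fi
}

# Constructed sample input: a throwaway self-signed CA so the example runs offline.
make_sample_ca() {
    local d
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=constructed-sample-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    echo "$d/ca.crt"
}

sample=$(make_sample_ca)
# The hash computed from the certificate itself verifies.
verify_join_hash "$sample" "sha256:$(ca_cert_hash "$sample")"
# A hash that belongs to some other CA (constructed value) is rejected.
verify_join_hash "$sample" "sha256:$(printf '%064d' 0)" || true
```

On a real cluster, run verify_join_hash /etc/kubernetes/pki/ca.crt with the sha256: value from the join command you were given, on the master, before using that command on a node.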

• View the nodes

Show the node list

kubectl get nodes

Example

NAME         STATUS   ROLES    AGE   VERSION
k8s.master   Ready    master   1m    v1.11.2
k8s.node1    Ready    <none>   35s   v1.11.2

Allow pods to be scheduled on the master

kubectl taint nodes --all node-role.kubernetes.io/master-
Note: if --all is not recognized, get the host name with kubectl get nodes, for example localhost.localdomain
kubectl taint nodes localhost.localdomain node-role.kubernetes.io/master-

• Install the dashboard

◦ Certificate preparation

Generate the key

mkdir certs
openssl req -newkey rsa:4096 -nodes -sha256 -keyout certs/dashboard.key -x509 -days 365 -out certs/dashboard.crt

In kubernetes-dashboard.yaml, replace the commented-out part below with hostPath

volumes:
# The directory mapped here must also exist on the other nodes, because it is not known which node the dashboard will be scheduled on
- name: kubernetes-dashboard-certs
  hostPath:
    path: /home/jcmiao/software/k8s/certs
    type: Directory
  # secret:
  #   secretName: kubernetes-dashboard-certs

Reference: https://blog.csdn.net/gunner2014/article/details/80966671

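◦ Download the image first: the official registry cannot be reached without getting around the firewall, so pull it manually and then re-tag it

Pull the dashboard image from another repository

docker pull siriuszg/kubernetes-dashboard-amd64:v1.10.0

Tag it with the official name

docker tag siriuszg/kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0

Download the yaml file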

wget https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml

Edit the configuration: add type: NodePort and nodePort: 30001

See the last few lines

spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

Run the dashboard

kubectl create -f kubernetes-dashboard.yaml

• Grant the dashboard account cluster administration rights: vi kubernetes-dashboard-admin.rbac.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: kubernetes-dashboard-admin
  labels:
    k8s-app: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubernetes-dashboard-admin
  namespace: kube-system

◦ Apply it
kubectl apply -f kubernetes-dashboard-admin.rbac.yaml

• Open https://192.168.229.139:30001 in a browser

◦ Choose token login; to get the token, run this on the master
kubectl -n kube-system get secret | grep kubernetes-dashboard-admin | awk '{print "secret/"$1}' | xargs kubectl describe -n kube-system | grep token: | awk -F : '{print $2}' | xargs echo

Output (the service account's bearer token, a long JWT string)


Copy the token that was printed and use it to log in from the browser

• Set a user name and password for the dashboard
◦ Add the directory /etc/kubernetes/dashboard/
◾ Add the file dashboard-abac.json as follows
cat /etc/kubernetes/dashboard/dashboard-abac.json
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*"}}

◾ Add the file dashboard.basic as follows
cat /etc/kubernetes/dashboard/dashboard.basic
123456,admin,1,system:authenticated

Format of the dashboard.basic file: password,user,uid,"group1,group2,group3"

◦ kubernetes-dashboard.yaml configuration
◾ Add --authentication-mode=basic after - --auto-generate-certificates

◦ /etc/kubernetes/manifests/kube-apiserver.yaml

- --authorization-mode=Node,RBAC,ABAC
- --authorization-policy-file=/etc/kubernetes/dashboard/dashboard-abac.json
- --basic-auth-file=/etc/kubernetes/dashboard/dashboard.basic

- mountPath: /etc/kubernetes/dashboard
  name: k8s-dashboard
  readOnly: true

- hostPath:
    # The directory mapped here must also exist on the other nodes, because it is not known which node the dashboard will be scheduled on
    path: /etc/kubernetes/dashboard
    type: DirectoryOrCreate
  name: k8s-dashboard

Note: after kubeadm reset is run, kube-apiserver.yaml is restored to its original content
ABAC and the entries listed above are the newly added ones; for details see https://blog.csdn.net/mailjoin/article/details/79679853
◦ Delete the old dashboard containers and run it again
kubectl delete -f kubernetes-dashboard.yaml
kubectl create -f kubernetes-dashboard.yaml
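
As an added example (not part of the original post), the script below reports the settings this guide relaxes on a host: gpgcheck=0 in the yum repository, "selinux-enabled": false for Docker, and the static password file and wildcard ABAC policy handed to kube-apiserver. The function names, the finding labels and the 12-character password threshold are assumptions; the sample tree is constructed from the values shown on this page.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.
# $1 is a root prefix ("" = the live host) so a copy of the files can be audited.
audit_k8s_host() {
    local root="${1:-}" f
    f="$root/etc/yum.repos.d/kubernetes.repo"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$f"; then
        echo "REPO_GPGCHECK_OFF"      # kubeadm/kubelet/kubectl RPMs installed unverified
    fi
    f="$root/etc/docker/daemon.json"
    if [ -f "$f" ] && grep -Eq '"selinux-enabled"[[:space:]]*:[[:space:]]*false' "$f"; then
        echo "DOCKER_SELINUX_OFF"
    fi
    f="$root/etc/kubernetes/manifests/kube-apiserver.yaml"
    if [ -f "$f" ] && grep -q -- '--basic-auth-file=' "$f"; then
        echo "APISERVER_STATIC_PASSWORD_FILE"
    fi
    if [ -f "$f" ] && grep -Eq -- '--authorization-mode=.*ABAC' "$f"; then
        echo "APISERVER_ABAC_ENABLED"
    fi
    f="$root/etc/kubernetes/dashboard/dashboard-abac.json"
    # A policy line with "*" for both namespace and resource grants everything.
    if [ -f "$f" ] && grep -E '"namespace"[[:space:]]*:[[:space:]]*"\*"' "$f" |
            grep -Eq '"resource"[[:space:]]*:[[:space:]]*"\*"'; then
        echo "ABAC_WILDCARD_POLICY"
    fi
    f="$root/etc/kubernetes/dashboard/dashboard.basic"
    # Format: password,user,uid,groups. Report the user, never the password.
    if [ -f "$f" ]; then
        awk -F, 'NF >= 3 && length($1) < 12 { print "BASIC_AUTH_SHORT_PASSWORD user=" $2 }' "$f"
    fi
    return 0
}

# Constructed sample: a scratch tree holding the files as this page writes them.
make_sample_root() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/etc/yum.repos.d" "$d/etc/docker" "$d/etc/kubernetes/manifests" "$d/etc/kubernetes/dashboard"
    printf '[kubernetes]\nenabled=1\ngpgcheck=0\n' > "$d/etc/yum.repos.d/kubernetes.repo"
    printf '{\n  "selinux-enabled": false\n}\n' > "$d/etc/docker/daemon.json"
    printf '    - --authorization-mode=Node,RBAC,ABAC\n    - --basic-auth-file=/etc/kubernetes/dashboard/dashboard.basic\n' > "$d/etc/kubernetes/manifests/kube-apiserver.yaml"
    printf '{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user": "admin", "namespace": "*", "resource": "*", "apiGroup": "*"}}\n' > "$d/etc/kubernetes/dashboard/dashboard-abac.json"
    printf '123456,admin,1,system:authenticated\n' > "$d/etc/kubernetes/dashboard/dashboard.basic"
    echo "$d"
}

audit_k8s_host "$(make_sample_root)"
```

Static password file authentication (--basic-auth-file) was removed from kube-apiserver in Kubernetes v1.19, so the dashboard password setup above applies only to older releases such as the v1.11 used here.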
