1.服务器虚拟机准备(虚拟机要能上网)
192.168.1.11 cpu >=2c Mem >=2G hostname master /dev/vda1 50G
192.168.1.12 cpu >=2c Mem >=2G hostname node /dev/vda1 50G
2.软件版本
系统类型 Kubernetes版本 docker版本 kubeadm版本 kubectl版本 kubelet版本
CentOS7.5.1804 v1.13 18.06.1-ce v1.13 v1.13 v1.13
3.环境初始化操作
1.配置hostname
hostnamectl set-hostname master hostnamectl set-hostname node
2.配置/etc/hosts(所有节点都要执行)
127.0.0.1 localhost localhost.localdomain
localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain
localhost6 localhost6.localdomain6
192.168.1.11 master
192.168.1.12 node
3.关闭防火墙、Selinux、swap
# 停防火墙 systemctl stop firewalld systemctl disable firewalld 关闭Selinux setenforce 0 sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config # 关闭Swap swapoff -a sed -i 's/.*swap.*/#&/' /etc/fstab # 加载br_netfilter modprobe br_netfilter
4.配置内核参数 /etc/sysctl.d/k8s.conf
cat > /etc/sysctl.d/k8s.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
# 生效文件 sysctl -p /etc/sysctl.d/k8s.conf
5.修改Linux 资源配置文件,调高ulimit最大打开数和systemctl管理的服务文件最大打开数
echo "* soft nofile 655360" >> /etc/security/limits.conf echo "* hard nofile 655360" >> /etc/security/limits.conf echo "* soft nproc 655360" >> /etc/security/limits.conf echo "* hard nproc 655360" >> /etc/security/limits.conf echo "* soft memlock unlimited" >> /etc/security/limits.conf echo "* hard memlock unlimited" >> /etc/security/limits.conf echo "DefaultLimitNOFILE=1024000" >> /etc/systemd/system.conf echo "DefaultLimitNPROC=1024000" >> /etc/systemd/system.conf
6.配置国内tencent yum源、epel源、Kubernetes源地址
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.cloud.tencent.com/repo/centos7_base.repo wget -O /etc/yum.repos.d/epel.repo http://mirrors.cloud.tencent.com/repo/epel-7.repo yum clean all && yum makecache #配置国内Kubernetes源地址 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
8.安装依赖包
yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp bash-completion yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools vim libtool-ltdl
9.配置时间同步,所有节点都需要
yum install chrony –y systemctl enable chronyd.service && systemctl start chronyd.service systemctl status chronyd.service chronyc sources
#物理机上写有时间服务器或者网络同步时间
10.配置节点间ssh互信
配置ssh互信,那么节点之间就能无密访问,方便日后执行自动化部署
ssh-keygen
ssh-copy-id node # 到master上拷贝公钥到其他节点,这里需要输入 yes和密码
11.初始化环境配置检查
- 重启,做完以上所有操作,最好reboot重启一遍
- ping 每个节点hostname 看是否能ping通
- ssh 对方hostname看互信是否无密码访问成功
- 执行date命令查看每个节点时间是否正确
- 执行 ulimit -Hn 看下最大文件打开数是否是655360
- cat /etc/sysconfig/selinux |grep disabled 查看下每个节点selinux是否都是disabled状态
安装docker ,所有节点都需要装
1.设置docker yum源
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo (如果node节点不能设置,直接从master复制到节点)
2.安装docker
# 列出docker 版本信息
yum list docker-ce --showduplicates | sort -r
# 安装docker 指定18.06.1
yum install -y docker-ce-18.06.1.ce-3.el7
systemctl restart docker
# 配置镜像加速器和docker数据存放路径 (这步node可以不写)
tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://q2hy3fzi.mirror.aliyuncs.com"],
"graph": "/tol/docker-data"
}
EOF
3.启动docker
systemctl daemon-reload systemctl restart docker systemctl enable docker systemctl status docker # docker --version
安装kubeadm、kubelet、kubectl,所有节点
• kubeadm: 部署集群用的命令
• kubelet: 在集群中每台机器上都要运行的组件,负责管理pod、容器的生命周期
• kubectl: 集群管理工具
安装工具
yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes systemctl enable kubelet && systemctl start kubelet
镜像下载准备
1.初始化获取要下载的镜像列表
# 查看依赖需要安装的镜像列表 kubeadm config images list # 生成默认kubeadm.conf文件 kubeadm config print init-defaults > kubeadm.conf
2.绕过墙下载镜像的方法
sed -i "s/imageRepository: .*/imageRepository: registry.aliyuncs.com/google_containers/g" kubeadm.conf
3.指定kubeadm安装的Kubernetes版本
sed -i "s/kubernetesVersion: .*/kubernetesVersion: v1.13.0/g" kubeadm.conf
4.下载需要的镜像
kubeadm config images pull --config kubeadm.conf docker images
5.docker tag 镜像
docker tag registry.aliyuncs.com/google_containers/kube-apiserver:v1.13.0 k8s.gcr.io/kube-apiserver:v1.13.0 docker tag registry.aliyuncs.com/google_containers/kube-controller-manager:v1.13.0 k8s.gcr.io/kube-controller-manager:v1.13.0 docker tag registry.aliyuncs.com/google_containers/kube-scheduler:v1.13.0 k8s.gcr.io/kube-scheduler:v1.13.0 docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.13.0 k8s.gcr.io/kube-proxy:v1.13.0
docker tag registry.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1
docker tag registry.aliyuncs.com/google_containers/etcd:3.2.24 k8s.gcr.io/etcd:3.2.24
docker tag registry.aliyuncs.com/google_containers/coredns:1.2.6 k8s.gcr.io/coredns:1.2.6
6.docker rmi 清理下载的镜像
docker rmi registry.aliyuncs.com/google_containers/kube-apiserver:v1.13.0 docker rmi registry.aliyuncs.com/google_containers/kube-controller-manager:v1.13.0 docker rmi registry.aliyuncs.com/google_containers/kube-scheduler:v1.13.0 docker rmi registry.aliyuncs.com/google_containers/kube-proxy:v1.13.0 docker rmi registry.aliyuncs.com/google_containers/pause:3.1 docker rmi registry.aliyuncs.com/google_containers/etcd:3.2.24 docker rmi registry.aliyuncs.com/google_containers/coredns:1.2.6
部署master节点
1.kubeadm init 初始化master节点
# 定义POD的网段为: 172.22.0.0/16 ,api server地址就是master本机IP地址 kubeadm init --kubernetes-version=v1.13.0 --pod-network-cidr=172.22.0.0/16 --apiserver-advertise-address=192.168.1.11 ls /etc/kubernetes/
这个我们记录下,到时候添加node的时候要用到。
# kubeadm reset (初始化,如果没有记录之前的序列号)
# kubeadm init --kubernetes-version=v1.13.0 --pod-network-cidr=172.22.0.0/16 --apiserver-advertise-address=192.168.1.11
# 记录下面的信息
kubeadm join 192.168.1.11:6443 --token iazwtj.v3ajyq9kyqftg3et --discovery-token-ca-cert-hash sha256:27aaefd2afc4e75fd34c31365abd3a7357bb4bba7552056bb4a9695fcde14ef5
2.验证测试
# 配置kubectl命令 mkdir -p /root/.kube cp /etc/kubernetes/admin.conf /root/.kube/config # 执行获取pods列表命令,查看相关状态 kubectl get pods --all-namespaces
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f kube-flannel.yml
#kube-system coredns-86c58d9df4-jf29m 1/1 Running 不是running 出错的时候要下载这个flannel.yml
# 查看集群的健康状态 kubectl get cs
部署calico网络
1.下载calico 官方镜像
docker pull calico/node:v3.1.4
docker pull calico/cni:v3.1.4
docker pull calico/typha:v3.1.4
2.tag 这三个calico镜像
docker tag calico/node:v3.1.4 quay.io/calico/node:v3.1.4 docker tag calico/cni:v3.1.4 quay.io/calico/cni:v3.1.4 docker tag calico/typha:v3.1.4 quay.io/calico/typha:v3.1.4
3.删除原有镜像
docker rmi calico/node:v3.1.4 docker rmi calico/cni:v3.1.4 docker rmi calico/typha:v3.1.4
4.部署calico
curl https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml -O kubectl apply -f rbac-kdd.yaml
curl https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/kubernetes-datastore/policy-only/1.7/calico.yaml -O #把ConfigMap 下的 typha_service_name 值由none变成 calico-typha sed -i 's/typha_service_name: "none"/typha_service_name: "calico-typha"/g' calico.yaml #设置 Deployment 类目的 spec 下的replicas值为1 sed -i 's/replicas: 0/replicas: 1/g' calico.yaml #找到CALICO_IPV4POOL_CIDR,然后值修改成之前定义好的POD网段,我这里是172.22.0.0/16 sed -i 's/192.168.0.0/172.22.0.0/g' calico.yaml #把 CALICO_NETWORKING_BACKEND 值设置为 bird ,这个值是设置BGP网络后端模式
sed -i '/name: CALICO_NETWORKING_BACKEND/{n;s/value: "none"/value: "bird"/;}' calico.yaml
部署calico.yaml文件
上面参数设置调优完毕,我们执行下面命令彻底部署calico
kubectl apply -f calico.yaml
5.部署calico.yaml
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml kubectl apply -f kube-flannel.yml
#kube-system coredns-86c58d9df4-jf29m 1/1 Running 出错的时候要下载这个flannel.yml
#前面写了就不用再输入
kubectl get pods --all-namespaces
部署node节点
1.下载镜像
docker pull registry.aliyuncs.com/google_containers/kube-proxy:v1.13.0 docker pull registry.aliyuncs.com/google_containers/pause:3.1 docker pull calico/node:v3.1.4 docker pull calico/cni:v3.1.4 docker pull calico/typha:v3.1.4 docker tag registry.aliyuncs.com/google_containers/kube-proxy:v1.13.0 k8s.gcr.io/kube-proxy:v1.13.0 docker tag registry.aliyuncs.com/google_containers/pause:3.1 k8s.gcr.io/pause:3.1 docker tag calico/node:v3.1.4 quay.io/calico/node:v3.1.4 docker tag calico/cni:v3.1.4 quay.io/calico/cni:v3.1.4 docker tag calico/typha:v3.1.4 quay.io/calico/typha:v3.1.4 docker rmi registry.aliyuncs.com/google_containers/kube-proxy:v1.13.0 docker rmi registry.aliyuncs.com/google_containers/pause:3.1 docker rmi calico/node:v3.1.4 docker rmi calico/cni:v3.1.4 docker rmi calico/typha:v3.1.4
2.把node加入到集群
kubeadm join 192.168.1.11:6443 --token iazwtj.v3ajyq9kyqftg3et --discovery-token-ca-cert-hash sha256:27aaefd2afc4e75fd34c31365abd3a7357bb4bba7552056bb4a9695fcde14ef5
3.在master上查看
kubectl get nodes
部署dashboard
1. 生成私钥和证书签名请求
mkdir -p /etc/kubernetes/certs cd /etc/kubernetes/certs openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048 openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key # 删除刚才生成的dashboard.pass.key rm -rf dashboard.pass.key openssl req -new -key dashboard.key -out dashboard.csr # 生成SSL证书 openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt # 创建secret
2.创建secret
kubectl create secret generic kubernetes-dashboard-certs --from-file=/etc/kubernetes/certs -n kube-system
3.下载dashboard镜像、tag镜像(在全部节点上)
docker pull registry.cn-hangzhou.aliyuncs.com/kubernete/kubernetes-dashboard-amd64:v1.10.0 docker tag registry.cn-hangzhou.aliyuncs.com/kubernete/kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard:v1.10.0 docker rmi registry.cn-hangzhou.aliyuncs.com/kubernete/kubernetes-dashboard-amd64:v1.10.0
4.下载 kubernetes-dashboard.yaml 部署文件(在master上执行)
#apiVersion: v1
#kind: Secret
#metadata:
# labels:
# k8s-app: kubernetes-dashboard
# name: kubernetes-dashboard-certs
# namespace: kube-system
#type: Opaque
#---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
verbs: ["get", "update", "delete"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kubernetes-dashboard-minimal
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard-minimal
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1beta2
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
spec:
containers:
- name: kubernetes-dashboard
image: k8s.gcr.io/kubernetes-dashboard:v1.10.0
ports:
- containerPort: 8443
protocol: TCP
args:
- --auto-generate-certificates
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
- mountPath: /tmp
name: tmp-volume
livenessProbe:
httpGet:
scheme: HTTPS
path: /
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
volumes:
- name: kubernetes-dashboard-certs
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
emptyDir: {}
serviceAccountName: kubernetes-dashboard
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
---
kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kube-system
spec:
ports:
- port: 443
targetPort: 8443
nodePort: 30005
type : NodePort
selector:
k8s-app: kubernetes-dashboard
#注意路径在/root下 自己创建kubernetes-dashboard.yaml
5 创建dashboard的pod
kubectl create -f kubernetes-dashboard.yaml
#如果有错,就用
kubectl delete -f kubernetes-dashboard.yaml
再检查
6.查看服务器运行状态
kubectl get deployment kubernetes-dashboard -n kube-system kubectl --namespace kube-system get pods -o wide
kubectl get services kubernetes-dashboard -n kube-system netstat -ntlp|grep 30005
7. Dashboard BUG处理
vim kube-dashboard-access.yaml
#代码如下
执行让kube-dashboard-access.yaml 生效
kubectl create -f kube-dashboard-access.yaml
最后用https://192.168.1.11:30005访问
--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard-minimal namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system ---