kubeadm部署单master节点kubernetes集群

Kubeadm 是一个官方推荐部署kubernetes工具，降低了部署难度，提高效率它提供了 kubeadm init 以及 kubeadm join 这两个命令作为快速创建 kubernetes 集群的最佳实践。kubeadm 通过执行必要的操作来启动和运行一个最小可用的集群。它被故意设计为只关心启动集群，而不是准备节点环境的工作。同样的，诸如安装各种各样的可有可无的插件，也不再它的负责范围

安装前准备环境

OS：CentOS 7.6 x86_64

Container runtime：Docker-ce 19.03

Kubernetes：1.17.0

IP地址	主机名	角色	CPU	Memory
192.168.100.150	master	master	>=2c	>=2G
192.168.100.156	node01	node	>=2c	>=2G
192.168.100.157	node02	node	>=2c	>=2G

编辑Master和各node的/etc/hosts,使其能够使用主机名解析

1
2
3

192.168.100.150 master master 
192.168.100.156 node01 node01 
192.168.100.157 node02 node02

主机时间同步

1 2	$ systemctl enable chronyd.service $ systemctl status chronyd.service

关闭防火墙和Selinux服务

$ systemctl stop firewalld && systemctl disable firewalld 
$ setenforce 0  
$ vim /etc/selinux/config  
SELINUX=disabled

禁用Swap虚拟内存

1 2	$ swapoff -a $ sed -i 's/.swap./#&/' /etc/fstab

部署kubernetes集群

安装docker

官方安装教程

1
2
3

$ wget https://download.docker.com/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
$ yum install -y docker-ce
$ systemctl start docker && systemctl enable docker

配置docker镜像下载加速

vim /etc/docker/daemon.josn
{
  "registry-mirrors": [ "https://registry.docker-cn.com" ]
}
$ systemctl daemon-reload && systemctl restart docker

配置内核参数

将桥接的IPv4流量传递到iptables的链

$ cat > /etc/sysctl.d/k8s.conf <<EOF 
net.bridge.bridge-nf-call-ip6tables = 1 
net.bridge.bridge-nf-call-iptables = 1 
EOF 

$ sysctl --system

配置国内kuberneetes的yum源

由于网络原因，中国无法直接连接到google的网络，需要配置阿里云的yum源

$ cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] 
name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ 
enabled=1 
gpgcheck=1 
repo_gpgcheck=1 
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg 
EOF

安装kubectl、kubeadm、kubelet

1 2	[root@master ~]# yum install -y kubelet-1.17.0 kubeadm-1.17.0 kubectl-1.17.0 [root@node01 ~]# yum install -y kubelet-1.17.0 kubeadm-1.17.0

Kubelet负责与其他节点集群通信，并进行本节点Pod和容器生命周期的管理。

温馨提示：如果yum安装提示找不到镜像之类的，请yum makecache更新下yum源

1 2	$ systemctl daemon-reload $ systemctl enable kubelet #master和node节点设置开机自启动kubelet

初始化集群，在master上执行kubeadm init

[root@master ~]# kubeadm init --kubernetes-version=1.17.0 \
--apiserver-advertise-address=192.168.110.156. \
--image-repository registry.aliyuncs.com/google_containers \ 
--service-cidr=10.96.0.0/12 \ 
--pod-network-cidr=10.244.0.0/16  

//以下是执行完毕后输出的部分信息 Your Kubernetes control-plane has initialized successfully!  

To start using your cluster, you need to run the following as a regular user:  

	mkdir -p $HOME/.kube
	sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config  
	sudo chown $(id -u):$(id -g) $HOME/.kube/config  
	
You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:  

	https://kubernetes.io/docs/concepts/cluster-administration/addons/  

Then you can join any number of worker nodes by running the following on each as root:  

kubeadm join 192.168.100.156:6443 --token cxins6.pxbyomo4pp1mnrao \   
	--discovery-token-ca-cert-hash sha256:35876ef6f2e5fe7eb5c7bb709dbd5e09d0e9e7d3adf41cbe708eec4fb586c8d6

–kubernetes-version 正在使用的Kubernetes程序组件的版本号，需要与kubelet 的版本号相同
–pod-network-cidr : Pod网络的地址范围，其值为CIDR格式的网络地址；使用flannel网络插件时，其默认地址为10.244.0.0/16
–service-cidr: Service 的网络地址范围，其值为CIDR格式的网络地址，默认地址为10.96.0.0/12
–apiserver-advertise-address : API server通告给其他组件的IP地址，一般应该为Master节点的 IP 地址，0.0.0.0 表示节点上所有可用的地址选择其中一个

使用systemd作为docker的cgroup driver可以确保服务器节点在资源紧张的情况更加稳定，因此这里修改各个节点上docker的cgroup driver为systemd。

#创建或修改/etc/docker/daemon.json： 
{ 
"exec-opts": ["native.cgroupdriver=systemd"] 
} 

#重启docker： $ systemctl restart docker 
#验证 docker info | grep Cgroup 
Cgroup Driver: systemd

配置kubectl工具

[root@K8sMaster ~]# mkdir -p /root/.kube 
[root@K8sMaster ~]# sudo cp /etc/kubernetes/admin.conf /root/.kube/config  [root@K8sMaster ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config

[root@K8sMaster ~]# kubectl get cs 
NAME                STATUS  MESSAGE       
ERROR etcd-0        Healthy  {"health":"true"}  
controller-manager  Healthy  ok         
scheduler           Healthy  ok

上面的STATUS结果为”Healthy”，表示组件处于健康状态，否则需要检查错误，如果排除不了问题，可以使用”kubeadm reset” 命令重置集群后重新初始化

1
2
3

[root@master ~]# kubectl get nodes 
NAME     STATUS    ROLES   AGE  VERSION 
master   NotReady  master  10m  v1.17.0

此时的Master处于”NotReady”（未就绪），因为集群中尚未安装网络插件，部署完网络后会ready,下面部署flannel

部署flannel网络

1	$ kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

下面看下集群的状态

1
2
3

$ kubectl get nodes 
NAME    STATUS  ROLES   AGE  VERSION 
master  Ready   master  17m  v1.17.0

集群处于Ready状态，node节点可以加入集群中

node节点加入集群

[root@node01 ~]# kubeadm join 192.168.100.156:6443 --token 2dt1wp.oudskargctjss991 \
--discovery-token-ca-cert-hash sha256:15aa0537c14d50df4fc9f45b6bdff0c30f8ef7114463a12e022e33619936266c  

//以下是部分输出信息  

This node has joined the cluster: * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

执行完毕后稍等一会，在主节点上查看集群的状态，到这里我们一个最简单的包含最核心组件的集群搭建完毕！

$ kubectl get nodes
NAME       STATUS   ROLES   AGE    VERSION 
master     Ready    master  34m    v1.17.0 
node01     Ready    <none>  6m14s  v1.17.0
node02     Ready    <none>  6m8s   v1.17.0

安装其他附件组件

查看集群的版本

1
2
3

$ kubectl version --short 
Client Version: v1.14.3 
Server Version: v1.14.3

安装dashboard，使用UI界面管理集n

下面的方式已经废弃，请参考新版本部署方式

kubernetes部署dashboard v2.0.3

创建dashboard的yaml文件

1	$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

修改部分配置文件内容

1	$ sed -i 's/k8s.gcr.io/loveone/g' kubernetes-dashboard.yaml $ sed -i '/targetPort:/a\ \ \ \ \ \ nodePort: 30001\n\ \ type: NodePort' kubernetes-dashboard.yaml

部署dashboard

[root@master ~]# kubectl create -f kubernetes-dashboard.yaml 
secret/kubernetes-dashboard-certs created 
serviceaccount/kubernetes-dashboard created 
role.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard-minimal created deployment.apps/kubernetes-dashboard created service/kubernetes-dashboard created

创建完成后，检查各服务运行状态

[root@master ~]# kubectl get deployment kubernetes-dashboard -n kube-system
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
kubernetes-dashboard   1/1     1            1           89s

[root@master ~]# kubectl get services -n kube-system
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                  AGE
kube-dns               ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP   61m
kubernetes-dashboard   NodePort    10.102.234.209   <none>        443:30001/TCP            16m
[root@master ~]# netstat -ntlp|grep 30001
tcp6       0      0 :::30001                :::*                    LISTEN      17306/kube-proxy

使用Firefox浏览器输入Dashboard访问地址：https://192.168.100.156:30001

这里使用其他如chrome会提示安全问题无法连接！！！

查看访问Dashboard的token

[root@master ~]# kubectl create serviceaccount  dashboard-admin -n kube-system
serviceaccount/dashboard-admin created
[root@master ~]# kubectl create clusterrolebinding  dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created
[root@master ~]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
Name:         dashboard-admin-token-9hglw
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: dashboard-admin
              kubernetes.io/service-account.uid: 30efdd50-92bd-11e9-91e3-000c296bd9bc
 
Type:  kubernetes.io/service-account-token
 
Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tOWhnbHciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMzBlZmRkNTAtOTJiZC0xMWU5LTkxZTMtMDAwYzI5NmJkOWJjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.Bg9FOIr6RkepjCFav8tbkbTALGEX7bZJMNOYMOrYhFPhnhCs1RSxop7pCGBtdjug_Zpsb9UJ1WNWTsCInUlMYtSHkbaqVLZQEdIgD6jGb177CxIZBcCuxmxxQm0JMJdYjc6Y_1wYSTJGHtmWOHa70pUEcKo9I0LonTUfHCZh5PgS3JrwiTrsqe1RGyz3Jz4p9EIVPfcxmKCowSuapinOTezAWK2XAUhk2h5utXgag6RRnrPcHtlncZzW5fMTSfdAZv5xlaI64AM__qiwOTqyK-14xkda5nbk9DGhN5UwhkHzyvU6ApGT7A9Tr3j3QkMov9gEyVIDbSbBaSj8xBt36Q

重置集群初始状态

1	kubeadm reset

检查集群功能

测试DNS功能

1
2
3

kubectl  apply -f dns-test-busybox.yaml 

kubectl exec -ti busybox -- nslookup kubernetes.default

dns-test-busybox.yaml

apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: busybox:1.28          #注意这个busybox的版本是个坑
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
    name: busybox
  restartPolicy: Always

部署一个Nginx应用

1 2	[root@master ~]# kubectl apply -f nginx-deployment.yaml deployment.apps/nginx-deployment created

nginx-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.7.9
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels:
    app: nginx
spec:
  ports:
  - port: 88
    targetPort: 80
  selector:
    app: nginx
  type: NodePort