8-17
Notes
The simplest way to install is certainly `yum install kubernetes`, but after installing that way you still have to edit the startup parameters of every component before the Kubernetes cluster is actually configured; the whole process is involved and error-prone. For that reason Kubernetes v1.4 introduced the command-line tool kubeadm, which aims to simplify cluster installation and to address high availability of the Kubernetes cluster.
Environment requirements
Hardware: 4 cores / 16 GB (Master); size each Node according to the number of containers it will run
OS: any x86_64 Linux distribution, including RHEL, CentOS, Fedora and Ubuntu, with kernel 3.10 or newer
Initial configuration
Disable SELinux and firewalld
```bash
sed -i '/SELINUX/s/enforcing/disabled/g' /etc/selinux/config
systemctl disable firewalld && systemctl stop firewalld
```
Disable swap
Edit /etc/fstab and comment out the swap entry:
```bash
vim /etc/fstab
```
```
#
# /etc/fstab
# Created by anaconda on Sun Aug 13 11:56:27 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults        0 0
UUID=8732eda0-853b-448e-9a66-ec53190eb70d /boot                   xfs     defaults        0 0
#/dev/mapper/centos-swap swap                    swap    defaults        0 0
```
Reboot the system
```bash
reboot
```
After the reboot, confirm the settings above:
```
[root@kube-master ~]# sestatus
SELinux status:                 disabled
[root@kube-master ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
[root@kube-master ~]# free -m
              total        used        free      shared  buff/cache   available
Mem:          16030         652       13365          20        2012       14978
Swap:             0           0           0
```
Install kubeadm and related tools
Configure the yum repository
The official repository is at http://yum.kubernetes.io/repos/kubernetes-el7-x86_64, which cannot be reached from inside China, so the Aliyun mirror at https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 is used instead.
```bash
tee /etc/yum.repos.d/kube.repo <<EOF
[kube]
name=Aliyun Repository
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
EOF
```
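The repo file above sets gpgcheck=0, so yum will install whatever RPMs the mirror serves without checking package signatures. The Python below is an added example, not from the original post: it audits repo definitions for that setting (and for a missing gpgkey or a plain-http baseurl) and carries a hardened variant of the post's file next to the original. The gpgkey URLs in the hardened variant are an assumption about the keys the Aliyun mirror publishes; confirm them against the mirror's own documentation before relying on them.

```python
"""Audit yum repo definitions for disabled package signature checks.

Added example, not from the original post. Inputs are the repo text from
the post and a hardened variant constructed here; the gpgkey URLs in the
hardened variant are an ASSUMPTION about the mirror's published keys.
"""
import configparser
from pathlib import Path

# Repo definition exactly as written in the post: gpgcheck=0 means yum will
# install whatever RPMs the mirror serves, signed or not.
REPO_FROM_POST = """\
[kube]
name=Aliyun Repository
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
"""

# Hardened variant (constructed): signature checking on, keys pinned by URL.
# ASSUMPTION: these are the key URLs published by the Aliyun mirror.
REPO_HARDENED = """\
[kube]
name=Aliyun Repository
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
"""


def audit_repo_text(text):
    """Return (repo_id, problem) tuples for every enabled repo in `text`
    that does not verify package signatures or fetches over plain http."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot install anything
        # An absent per-repo gpgcheck falls back to yum.conf; treat it as
        # unverified here so the auditor errs on the side of flagging it.
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append((repo_id, "gpgcheck is not 1"))
        elif not sec.get("gpgkey", "").strip():
            findings.append((repo_id, "gpgcheck=1 but no gpgkey configured"))
        if sec.get("baseurl", "").strip().startswith("http://"):
            findings.append((repo_id, "baseurl uses plain http"))
    return findings


def audit_repo_dir(directory="/etc/yum.repos.d"):
    """Audit every *.repo file in a directory; returns {filename: findings}."""
    results = {}
    for path in sorted(Path(directory).glob("*.repo")):
        findings = audit_repo_text(path.read_text())
        if findings:
            results[path.name] = findings
    return results


if __name__ == "__main__":
    print("post's repo :", audit_repo_text(REPO_FROM_POST))
    print("hardened    :", audit_repo_text(REPO_HARDENED))
    for name, findings in audit_repo_dir().items():
        print(name, findings)
```

Run it on a host to list every enabled repo that would accept unsigned packages; the hardened block is what the post's file looks like with verification turned on.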
Install
```bash
yum makecache
yum -y install docker kubeadm kubelet kubectl kubernetes-cni
```
Start the services
```bash
systemctl enable docker && systemctl start docker
systemctl enable kubelet && systemctl start kubelet
```
Install the Kubernetes cluster
Download the required images
Look up the image versions that match your installed kubeadm in the kubeadm reference at https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-init/ (press Ctrl+F and search for "internet" to find the table). Cross-check against the kubelet version you already installed, too: the kube-apiserver, kube-scheduler, kube-controller-manager and kube-proxy images must match the installed kubelet version.
By default the images are pulled from gcr.io, which cannot be reached from inside China, but Docker Hub hosts a Google mirror at https://hub.docker.com/r/mirrorgooglecontainers/.
Pull the required Kubernetes images manually and retag them with the k8s.gcr.io prefix so that kubeadm can use them.
Check the kubelet version
```
[root@kube-master ~]# kubelet --version
Kubernetes v1.11.2
```
```bash
docker pull mirrorgooglecontainers/pause:3.1
docker tag mirrorgooglecontainers/pause:3.1 k8s.gcr.io/pause:3.1
docker pull mirrorgooglecontainers/pause-amd64:3.1
docker tag mirrorgooglecontainers/pause-amd64:3.1 k8s.gcr.io/pause-amd64:3.1

docker pull mirrorgooglecontainers/etcd-amd64:3.2.18
docker tag mirrorgooglecontainers/etcd-amd64:3.2.18 k8s.gcr.io/etcd-amd64:3.2.18

docker pull coredns/coredns:1.1.3
docker tag coredns/coredns:1.1.3 k8s.gcr.io/coredns:1.1.3

docker pull mirrorgooglecontainers/kube-apiserver-amd64:v1.11.2
docker tag mirrorgooglecontainers/kube-apiserver-amd64:v1.11.2 k8s.gcr.io/kube-apiserver-amd64:v1.11.2
docker pull mirrorgooglecontainers/kube-scheduler-amd64:v1.11.2
docker tag mirrorgooglecontainers/kube-scheduler-amd64:v1.11.2 k8s.gcr.io/kube-scheduler-amd64:v1.11.2
docker pull mirrorgooglecontainers/kube-controller-manager-amd64:v1.11.2
docker tag mirrorgooglecontainers/kube-controller-manager-amd64:v1.11.2 k8s.gcr.io/kube-controller-manager-amd64:v1.11.2
docker pull mirrorgooglecontainers/kube-proxy-amd64:v1.11.2
docker tag mirrorgooglecontainers/kube-proxy-amd64:v1.11.2 k8s.gcr.io/kube-proxy-amd64:v1.11.2

docker pull mirrorgooglecontainers/k8s-dns-kube-dns-amd64:1.14.5
docker tag mirrorgooglecontainers/k8s-dns-kube-dns-amd64:1.14.5 k8s.gcr.io/k8s-dns-kube-dns-amd64:1.14.5
docker pull mirrorgooglecontainers/k8s-dns-dnsmasq-nanny-amd64:1.14.5
docker tag mirrorgooglecontainers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 k8s.gcr.io/k8s-dns-dnsmasq-nanny-amd64:1.14.5
docker pull mirrorgooglecontainers/k8s-dns-sidecar-amd64:1.14.5
docker tag mirrorgooglecontainers/k8s-dns-sidecar-amd64:1.14.5 k8s.gcr.io/k8s-dns-sidecar-amd64:1.14.5

docker pull mirrorgooglecontainers/kube-discovery-amd64:1.0
docker tag mirrorgooglecontainers/kube-discovery-amd64:1.0 k8s.gcr.io/kube-discovery-amd64:1.0
docker pull mirrorgooglecontainers/exechealthz-amd64:1.2
docker tag mirrorgooglecontainers/exechealthz-amd64:1.2 k8s.gcr.io/exechealthz-amd64:1.2
docker pull mirrorgooglecontainers/dnsmasq-metrics-amd64:1.0
docker tag mirrorgooglecontainers/dnsmasq-metrics-amd64:1.0 k8s.gcr.io/dnsmasq-metrics-amd64:1.0
```
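Added example, not the post's own script: a small Python generator for the pull/retag commands above, driven by a version table, together with the check the post states in prose, namely that the kube-apiserver, kube-scheduler, kube-controller-manager and kube-proxy tags must equal the installed kubelet version. The table holds the pause, etcd, CoreDNS and control-plane images from the post's list (the remaining kube-dns-era images can be appended to IMAGES the same way); the registry and repository names are the ones the post uses.

```python
"""Generate mirror pull/retag commands from a version table and check that
the control-plane image tags match the installed kubelet.

Added example, not the post's script. IMAGES is taken from the post's list
for kubelet v1.11.2; MIRROR and TARGET are the registries the post uses.
"""
import re
import subprocess

MIRROR = "mirrorgooglecontainers"   # Google mirror on Docker Hub (from the post)
TARGET = "k8s.gcr.io"               # name kubeadm expects (from the post)

# Components whose tag must equal the kubelet version (the post's rule).
VERSION_LOCKED = {"kube-apiserver-amd64", "kube-scheduler-amd64",
                  "kube-controller-manager-amd64", "kube-proxy-amd64"}

# (image, tag, source repository) as listed in the post; coredns is pulled
# from its own Docker Hub repository rather than from the Google mirror.
IMAGES = [
    ("pause", "3.1", MIRROR),
    ("pause-amd64", "3.1", MIRROR),
    ("etcd-amd64", "3.2.18", MIRROR),
    ("coredns", "1.1.3", "coredns"),
    ("kube-apiserver-amd64", "v1.11.2", MIRROR),
    ("kube-scheduler-amd64", "v1.11.2", MIRROR),
    ("kube-controller-manager-amd64", "v1.11.2", MIRROR),
    ("kube-proxy-amd64", "v1.11.2", MIRROR),
]


def parse_kubelet_version(output):
    """Extract 'v1.11.2' from the text printed by `kubelet --version`."""
    m = re.search(r"Kubernetes (v\d+\.\d+\.\d+)", output)
    if not m:
        raise ValueError("unrecognised kubelet --version output: %r" % output)
    return m.group(1)


def check_versions(kubelet_version, images=IMAGES):
    """Names of version-locked components whose tag differs from the kubelet
    version; an empty list means the table is consistent."""
    return [name for name, tag, _ in images
            if name in VERSION_LOCKED and tag != kubelet_version]


def plan_commands(images=IMAGES):
    """The docker pull/tag command lines, one pull and one tag per image."""
    cmds = []
    for name, tag, source in images:
        src = "%s/%s:%s" % (source, name, tag)
        dst = "%s/%s:%s" % (TARGET, name, tag)
        cmds.append("docker pull %s" % src)
        cmds.append("docker tag %s %s" % (src, dst))
    return cmds


if __name__ == "__main__":
    out = subprocess.run(["kubelet", "--version"], capture_output=True, text=True).stdout
    version = parse_kubelet_version(out)
    mismatched = check_versions(version)
    if mismatched:
        raise SystemExit("tag does not match kubelet %s for: %s" % (version, ", ".join(mismatched)))
    print("\n".join(plan_commands()))
```

Retagging a mirror image as k8s.gcr.io hides where the bytes actually came from, so after pulling it is worth recording the digests with `docker images --digests` and keeping that list with the cluster's build notes.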
Run kubeadm init to install the Master
```bash
kubeadm init --kubernetes-version=1.11.2
```
After a while the Kubernetes Master node is installed successfully and the following is printed:
```
[bootstraptoken] using token: o10qr3.plg1wh2ecm2qpuvg
[bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join 10.9.54.20:6443 --token x2krg1.8e4lz8i3yn0qku3h --discovery-token-ca-cert-hash sha256:5d94c96130fc6e167281a034a2ba2b37d02ade133417278cc8eae7f6ffd0ca4d
```
As instructed, run the following commands to copy the configuration file into the regular user's home directory:
```bash
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
Besides the configuration above, the output contains one very important piece of information: the credentials a node presents when joining the cluster. Note that the token is only valid for 24 hours.
```bash
kubeadm join 10.9.54.20:6443 --token x2krg1.8e4lz8i3yn0qku3h --discovery-token-ca-cert-hash sha256:5d94c96130fc6e167281a034a2ba2b37d02ade133417278cc8eae7f6ffd0ca4d
```
Token management
List tokens
```
[root@k8s-master ~]# kubeadm token list
TOKEN                     TTL       EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
x2krg1.8e4lz8i3yn0qku3h   1h        2018-08-22T07:12:40+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
```
Create a new token
```
[root@k8s-master ~]# kubeadm token create
y07a74.sl4z374svoy9tbj0
[root@k8s-master ~]# kubeadm token list
TOKEN                     TTL       EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
x2krg1.8e4lz8i3yn0qku3h   54m       2018-08-22T07:12:40+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
y07a74.sl4z374svoy9tbj0   23h       2018-08-23T06:18:36+08:00   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
```
Create a token that never expires
```
[root@k8s-master ~]# kubeadm token create --ttl 0
6ln4p7.dmtfatg4nzstl6t6
[root@k8s-master ~]# kubeadm token list
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
6ln4p7.dmtfatg4nzstl6t6   <forever>   <never>                     authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
x2krg1.8e4lz8i3yn0qku3h   53m         2018-08-22T07:12:40+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
y07a74.sl4z374svoy9tbj0   23h         2018-08-23T06:18:36+08:00   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
```
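The listings above show the default token with its 24-hour TTL next to a token created with --ttl 0 that never expires. A never-expiring token is a standing credential for the system:bootstrappers group, which the RBAC rules that kubeadm init printed earlier allow to submit CSRs for node certificates, so it should be deleted once the nodes have joined. The Python below is an added example, not part of the post: it parses kubeadm token list output (the post's own listing is embedded as constructed sample input), flags tokens that never expire or outlive a chosen limit, emits the matching kubeadm token delete commands, and validates the token and CA-hash fields of a kubeadm join line such as the one shown earlier.

```python
"""Bootstrap-token hygiene for a kubeadm cluster.

Added example, not from the post. SAMPLE_LISTING is the post's own
`kubeadm token list` output, embedded here as constructed test input.
"""
import re

TOKEN_RE = re.compile(r"^[a-z0-9]{6}\.[a-z0-9]{16}$")   # bootstrap token id.secret format
HASH_RE = re.compile(r"^sha256:[0-9a-f]{64}$")          # --discovery-token-ca-cert-hash format

# Constructed from the listing in the post; column widths are not significant.
SAMPLE_LISTING = """\
TOKEN                     TTL         EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
6ln4p7.dmtfatg4nzstl6t6   <forever>   <never>                     authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
x2krg1.8e4lz8i3yn0qku3h   53m         2018-08-22T07:12:40+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
y07a74.sl4z374svoy9tbj0   23h         2018-08-23T06:18:36+08:00   authentication,signing   <none>                                                     system:bootstrappers:kubeadm:default-node-token
"""


def parse_token_list(text):
    """Turn `kubeadm token list` output into dicts. DESCRIPTION may contain
    spaces, so it is everything between USAGES and the last (EXTRA GROUPS) column."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        entries.append({
            "token": parts[0],
            "ttl": parts[1],
            "expires": parts[2],
            "usages": parts[3].split(","),
            "description": " ".join(parts[4:-1]),
            "groups": parts[-1],
        })
    return entries


def ttl_hours(ttl):
    """'<forever>' -> None; '53m' -> 0.88; '23h' -> 23; '2d' -> 48."""
    if ttl == "<forever>":
        return None
    m = re.fullmatch(r"(\d+)([smhd])", ttl)
    if not m:
        raise ValueError("unrecognised TTL: %r" % ttl)
    return int(m.group(1)) * {"s": 1 / 3600, "m": 1 / 60, "h": 1, "d": 24}[m.group(2)]


def risky_tokens(entries, max_hours=24):
    """Tokens with no expiry at all, or more than `max_hours` of life left."""
    out = []
    for e in entries:
        h = ttl_hours(e["ttl"])
        if h is None or h > max_hours:
            out.append(e["token"])
    return out


def delete_commands(tokens):
    """The cleanup commands for the tokens returned by risky_tokens()."""
    return ["kubeadm token delete %s" % t for t in tokens]


def parse_join_command(cmd):
    """Extract endpoint, token and CA hash from a `kubeadm join` line,
    raising if either credential field is malformed."""
    m = re.match(r"kubeadm join (\S+) --token (\S+) --discovery-token-ca-cert-hash (\S+)$", cmd.strip())
    if not m:
        raise ValueError("not a kubeadm join command")
    endpoint, token, ca_hash = m.groups()
    if not TOKEN_RE.match(token):
        raise ValueError("token must look like [a-z0-9]{6}.[a-z0-9]{16}")
    if not HASH_RE.match(ca_hash):
        raise ValueError("CA hash must be sha256:<64 hex chars>")
    return {"endpoint": endpoint, "token": token, "ca_hash": ca_hash}


def is_valid_join_command(cmd):
    try:
        parse_join_command(cmd)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    import subprocess
    listing = subprocess.run(["kubeadm", "token", "list"], capture_output=True,
                             text=True, check=True).stdout
    for line in delete_commands(risky_tokens(parse_token_list(listing))):
        print(line)
```

Run on the master, the script prints one kubeadm token delete line per token that never expires or has more than 24 hours left; review the list and then execute it once all intended nodes have joined.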
Get the token hash
Besides the token above, a node joining the cluster also needs the master's token hash, which is computed with SHA-256:
```bash
kubeadm join 10.9.54.20:6443 --token x2krg1.8e4lz8i3yn0qku3h --discovery-token-ca-cert-hash sha256:5d94c96130fc6e167281a034a2ba2b37d02ade133417278cc8eae7f6ffd0ca4d
```
It is computed from the CA certificate:
```
[root@k8s-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
5d94c96130fc6e167281a034a2ba2b37d02ade133417278cc8eae7f6ffd0ca4d
```
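The openssl pipeline above extracts the CA certificate's public key in DER form and hashes that, so the value a node pins with --discovery-token-ca-cert-hash is SHA-256 over the certificate's SubjectPublicKeyInfo, not over the whole certificate. The Python below is an added example, not the post's code: it recomputes that hash with a minimal DER walker (no openssl needed) and checks a kubeadm join line against a CA file such as /etc/kubernetes/pki/ca.crt. The synthetic certificate builder at the end exists only so the walker can be exercised offline; it does not produce a usable certificate.

```python
"""Compute and verify kubeadm's discovery CA hash in pure Python.

Added example, not the post's code. --discovery-token-ca-cert-hash is
SHA-256 over the DER SubjectPublicKeyInfo of the CA certificate, which is
what the post's openssl pipeline extracts. synthetic_cert_der() builds a
placeholder structure for offline self-tests only; it is not a real cert.
"""
import base64
import hashlib
import hmac
import re

def der_tlv(data, pos):
    """Decode the DER element at `pos`; returns (tag, value_start, end) so that
    data[pos:end] is the whole element and data[value_start:end] its body."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert_der(cert):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    tag, body, _ = der_tlv(cert, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = der_tlv(cert, body)     # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = []
    while pos < tbs_end:
        tag, _, end = der_tlv(cert, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields and fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, start, end = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert[start:end]

def pem_to_der(pem):
    lines = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

def spki_hash(spki_der):
    return "sha256:" + hashlib.sha256(spki_der).hexdigest()

def ca_cert_hash(pem):
    """kubeadm-style hash of a PEM CA such as /etc/kubernetes/pki/ca.crt."""
    return spki_hash(spki_from_cert_der(pem_to_der(pem)))

def verify_join_hash(pem, join_command):
    """True if the hash in a `kubeadm join ...` line pins this CA's public key."""
    m = re.search(r"--discovery-token-ca-cert-hash\s+(sha256:[0-9a-f]{64})\b", join_command)
    if not m:
        raise ValueError("join command carries no sha256 discovery hash")
    return hmac.compare_digest(ca_cert_hash(pem), m.group(1))

# ---- synthetic structure for offline self-testing (constructed, not real) ----
def encode_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def synthetic_cert_der(spki, with_version=True):
    """DER with the tbsCertificate field layout and placeholder fields around
    `spki`; enough to exercise spki_from_cert_der and nothing more."""
    fields = [encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))] if with_version else []
    fields += [
        encode_tlv(0x02, b"\x01"),   # serialNumber
        encode_tlv(0x30, b""),       # signature algorithm (placeholder)
        encode_tlv(0x30, b""),       # issuer (placeholder)
        encode_tlv(0x30, b""),       # validity (placeholder)
        encode_tlv(0x30, b""),       # subject (placeholder)
        spki,                        # subjectPublicKeyInfo
    ]
    tbs = encode_tlv(0x30, b"".join(fields))
    trailer = encode_tlv(0x30, b"") + encode_tlv(0x03, b"\x00")  # alg + signature placeholders
    return encode_tlv(0x30, tbs + trailer)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

if __name__ == "__main__":
    import sys
    with open(sys.argv[1] if len(sys.argv) > 1 else "/etc/kubernetes/pki/ca.crt") as f:
        print(ca_cert_hash(f.read()))
```

Because the hash covers only the public key, it stays the same if the CA certificate is re-issued with the same key pair, and a join line that carries a different hash is pointing the node at a different CA; verify_join_hash() makes that comparison in constant time.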