k8s (2) | Deploying K8s with kubeadm

The previous article covered k8s (1): basic concepts and how the components work. In this one we use kubeadm to stand up a Kubernetes cluster quickly, and use that cluster to see how the Kubernetes components fit together and what the architecture looks like in practice.

1. Introduction to kubeadm

kubeadm is the tool the Kubernetes project ships for installing a cluster quickly. It provides two commands, kubeadm init and kubeadm join, as the recommended way to bootstrap a cluster: you install only kubeadm, kubelet and kubectl on each server, and every other core component is started as a container. kubeadm itself has been stable since Kubernetes 1.13, but the cluster built in this article has a single control-plane node (one etcd, one API server), so it is a lab setup rather than something to run in production as-is.

二. 环境准备

OS: CentOS 7.2
Kernel: 3.10.0
Kubernetes: 1.15.3
Docker: 19.03

Add host entries on every node

$ cat <<EOF >> /etc/hosts
172.16.1.100  k8s-master
172.16.1.101  k8s-node01
EOF

Disable firewalld, SELinux and swap

$ systemctl stop firewalld
$ systemctl disable firewalld
$ setenforce 0
$ sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
$ swapoff -a

Turning off firewalld and SELinux is a shortcut that keeps this walkthrough short; on a cluster you care about, keep firewalld and open only the ports kubeadm needs (6443, 2379-2380 and 10250-10252 on the control plane; 10250 and the 30000-32767 NodePort range on workers). swapoff -a only lasts until the next reboot; comment out the swap entry in /etc/fstab as well, otherwise the kubelet will refuse to start after a restart.

Set kernel parameters

$ cat << EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF
$ modprobe br_netfilter   # if this fails, run yum -y update to refresh the kernel modules
$ sysctl -p /etc/sysctl.d/k8s.conf

Load the IPVS modules (the in-kernel load balancer; kube-proxy will run in ipvs mode)

$ cat > /etc/sysconfig/modules/ipvs.modules <<EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4
EOF
$ chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

Install ipset and ipvsadm (the userspace tools kube-proxy's ipvs mode relies on)

$ yum install ipvsadm ipset

Synchronize the clocks (certificates and tokens are time-bound, so skew between nodes causes confusing failures)

$ yum -y install ntp
$ ntpdate ntp1.aliyun.com
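Every step above is something kubeadm's own pre-flight check will later complain about if it is missing. The script below is an added example (not part of the original post) that verifies the preparation on a node before you reach kubeadm init; each check reads the real system file by default but accepts a path or listing as its argument, which is how the checks can be exercised against constructed input. The list of IPVS modules and sysctl keys is the one used above; the function names are my own.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the node preparation steps above (added example).
# Each check defaults to the live system file but accepts an override so the
# same function can be run against constructed input.

# Return 0 if every sysctl key kubeadm relies on is set to 1 in the given
# file (defaults to the /etc/sysctl.d/k8s.conf written above).
check_sysctl_conf() {
    local conf="${1:-/etc/sysctl.d/k8s.conf}" key
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.ipv4.ip_forward; do
        # accept "key = 1" or "key=1"; anything else fails the check
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$conf" \
            || { echo "$key is not set to 1 in $conf"; return 1; }
    done
}

# Return 0 if no swap device is active. /proc/swaps has a header line, so any
# second line means swap is still on (swapoff -a was skipped or a reboot
# re-enabled an /etc/fstab entry).
check_swap_off() {
    local swaps="${1:-/proc/swaps}" lines
    [ -r "$swaps" ] || return 0      # no /proc/swaps at all: nothing to disable
    lines=$(wc -l < "$swaps" | tr -d ' ')
    if [ "$lines" -gt 1 ]; then
        echo "swap is still active:"; sed -n '2,$p' "$swaps"; return 1
    fi
}

# Return 0 if /etc/selinux/config no longer says enforcing; this confirms the
# sed edit above actually landed, since setenforce 0 alone does not survive
# a reboot.
check_selinux_conf() {
    local conf="${1:-/etc/selinux/config}"
    [ -r "$conf" ] || return 0       # no SELinux on this system
    grep -Eq '^SELINUX=(disabled|permissive)$' "$conf" \
        || { echo "SELinux is still enforcing in $conf"; return 1; }
}

# Return 0 if every module loaded above appears in the module listing
# (defaults to the live kernel via lsmod; a listing can be passed instead).
check_modules_loaded() {
    local listing="${1:-}" mod
    [ -n "$listing" ] || listing="$(lsmod)"
    for mod in br_netfilter ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4; do
        printf '%s\n' "$listing" | grep -q "^${mod}[[:space:]]" \
            || { echo "kernel module $mod is not loaded"; return 1; }
    done
}

# Run every check against the live node; exit non-zero if any failed.
preflight() {
    local rc=0
    check_sysctl_conf    || rc=1
    check_swap_off       || rc=1
    check_selinux_conf   || rc=1
    check_modules_loaded || rc=1
    [ "$rc" -eq 0 ] && echo "preflight: all checks passed"
    return "$rc"
}
```

Source the file and run preflight on each node after the steps above; a non-zero exit names the first thing that kubeadm init (or the kubelet, after a reboot) would fail on.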

3. Install Docker

Add the Docker repository and install

$ yum install -y yum-utils \
    device-mapper-persistent-data \
    lvm2
$ yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
$ yum list docker-ce --showduplicates | sort -r
$ yum install docker-ce-19.03.1-3.el7

Configure a registry mirror for Docker, and set the cgroup driver to systemd so it matches what the kubelet expects (a mismatch is a common cause of the kubelet refusing to start)

$ mkdir /etc/docker
$ cat << EOF > /etc/docker/daemon.json
{
  "exec-opts": ["native.cgroupdriver=systemd"],
  "registry-mirrors": [
    "https://ot2k4d59.mirror.aliyuncs.com"
  ]
}
EOF

Start Docker and enable it at boot

$ systemctl start docker
$ systemctl enable docker

4. Install kubeadm

Add the package repository

$ cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg
       http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

The original post set gpgcheck=0. The repository publishes its signing keys (the two gpgkey URLs), so there is no reason to skip package signature verification: with gpgcheck=1 a tampered or mis-synced mirror cannot hand you a modified kubelet or kubeadm. Note that the mirror is fetched over plain http, which is another reason the signatures matter.

Install kubeadm, kubelet and kubectl

$ yum -y install kubectl-1.15.3-0 kubeadm-1.15.3-0 kubelet-1.15.3-0
$ kubeadm version   # check the installed version
kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:11:18Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
$ systemctl enable kubelet.service   # enable at boot; it will crash-loop until kubeadm init/join gives it a config, which is expected

5. Initialize the cluster

How kubeadm init works

We start with kubeadm init. The first thing kubeadm does is a series of pre-flight checks to confirm the machine can host Kubernetes: that the kernel is 3.10 or newer, that the cgroups subsystem is usable, that Docker is installed correctly, and so on. It then generates the cluster CA, the component certificates under /etc/kubernetes/pki and the kubeconfig files the components use to authenticate to each other, starts kube-apiserver, kube-controller-manager and kube-scheduler as static Pods, and finally installs the kube-proxy and DNS add-ons.

If we want a custom configuration, we can export the default initialization file on the master node and edit it.

$ kubeadm config print init-defaults > kubeadm.yaml

Adjust the defaults to your environment. Two things deserve attention: the advertise address and image repository (commented below), and the bootstrapTokens entry. The token printed by init-defaults, abcdef.0123456789abcdef, is a well-known placeholder; if you leave it in the file kubeadm will use it, and anyone who can reach port 6443 can join a node to your cluster with it. Delete the token line (or the whole bootstrapTokens block) so kubeadm generates a random one.

apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef   # placeholder; remove so kubeadm generates a random token
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 172.16.1.100   # change to the API server (master) IP
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: kubesphere                 # name the node registers with; defaults to the hostname
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: gcr.azk8s.cn/google_containers   # change the image registry
kind: ClusterConfiguration
kubernetesVersion: v1.15.3
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16        # Pod CIDR; must match the Calico manifest installed later
  serviceSubnet: 10.96.0.0/12
scheduler: {}
---   # append the following block to switch kube-proxy to ipvs mode
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs

Initialize the cluster

$ kubeadm init --config kubeadm.yaml
------
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 172.16.1.100:6443 --token szu5t8.z6m03rxaamo8jzy1     --discovery-token-ca-cert-hash sha256:0455a39d0ff4cca1a9c947fa902ac635c09da5b4d7a30363e9376a9a2eb97a24

Copy the kubeconfig file (admin.conf carries a cluster-admin client certificate, so treat this file like a root credential)

$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config

6. Join nodes to the cluster

How kubeadm join works

Once the master has produced a token, running kubeadm join on any machine with kubelet and kubeadm installed adds it to the cluster. The two arguments play different roles: the token authenticates the new node to the API server, while --discovery-token-ca-cert-hash (the SHA-256 of the cluster CA's public key) lets the new node verify that the API server it is talking to belongs to the genuine control plane. Do not drop the hash or replace it with --discovery-token-unsafe-skip-ca-verification on a network you do not fully control.

$ kubeadm join 172.16.1.100:6443 --token szu5t8.z6m03rxaamo8jzy1     --discovery-token-ca-cert-hash sha256:0455a39d0ff4cca1a9c947fa902ac635c09da5b4d7a30363e9376a9a2eb97a24

If you lose the join command, regenerate one on the master with kubeadm token create --print-join-command. Bootstrap tokens expire after 24 hours by default; list the live ones with kubeadm token list and revoke any you no longer need with kubeadm token delete <token>.
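The hash in the join command is only useful if somebody checks it. The following added example (not from the original post) recomputes the kubeadm-style CA hash from a certificate file and compares it with the hash embedded in a join command, so a join command received over chat or e-mail can be verified against the master's /etc/kubernetes/pki/ca.crt before it is run on a worker. The hashing steps are the ones kubeadm documents (SHA-256 over the DER SubjectPublicKeyInfo); the function names and the default CA path are assumptions of this example.

```shell
#!/usr/bin/env bash
# Verify a kubeadm join command's --discovery-token-ca-cert-hash against the
# control-plane CA certificate (added example).

# Print "sha256:<hex>" for a PEM certificate, computed the way kubeadm does:
# SHA-256 over the DER encoding of the certificate's SubjectPublicKeyInfo.
# Defaults to the CA kubeadm init wrote on the master.
ca_cert_hash() {
    local ca="${1:-/etc/kubernetes/pki/ca.crt}" hex
    openssl x509 -in "$ca" -noout >/dev/null 2>&1 \
        || { echo "cannot parse certificate $ca" >&2; return 1; }
    # -pubkey prints the SubjectPublicKeyInfo as PEM; pkey converts it to DER.
    hex=$(openssl x509 -in "$ca" -pubkey -noout \
          | openssl pkey -pubin -outform der 2>/dev/null \
          | openssl dgst -sha256 | sed 's/^.* //')
    [ "${#hex}" -eq 64 ] || { echo "could not hash public key of $ca" >&2; return 1; }
    echo "sha256:$hex"
}

# Extract the sha256:<hex> value from a join command (either "--flag value"
# or "--flag=value" form); prints nothing if the command carries no hash.
join_cmd_hash() {
    printf '%s\n' "$1" \
        | sed -n 's/.*--discovery-token-ca-cert-hash[= ]\(sha256:[0-9a-f]\{64\}\).*/\1/p'
}

# Return 0 only if the hash in the join command matches the one derived from
# the CA file; a missing hash is treated as a failure, since a join command
# without it cannot detect a spoofed API server.
verify_join_command() {
    local join_cmd="$1" ca="${2:-/etc/kubernetes/pki/ca.crt}" expected got
    expected=$(ca_cert_hash "$ca") || return 1
    got=$(join_cmd_hash "$join_cmd")
    [ -n "$got" ] || { echo "join command carries no CA cert hash" >&2; return 1; }
    if [ "$got" = "$expected" ]; then
        echo "CA hash matches $expected"
    else
        echo "CA hash MISMATCH: command says $got, CA gives $expected" >&2
        return 1
    fi
}
```

On the master, ca_cert_hash with no argument prints the value that belongs in every join command for this cluster; on a worker, copy ca.crt over out of band and run verify_join_command "<join command>" /path/to/ca.crt before executing the join.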

7. Install cluster add-ons

1) Install the Calico network plugin (its default Pod CIDR, 192.168.0.0/16, matches the podSubnet set above)
$ wget https://docs.projectcalico.org/v3.8/manifests/calico.yaml
$ kubectl apply -f calico.yaml

Check the Pod status

$ kubectl get pods -n kube-system
NAME                                       READY   STATUS    RESTARTS   AGE
calico-kube-controllers-5df986d44c-hpqrr   1/1     Running   0          67m
calico-node-nvhfh                          1/1     Running   0          63m
calico-node-vgft9                          1/1     Running   0          63m
coredns-cf8fb6d7f-q5kw6                    1/1     Running   0          2d19h
coredns-cf8fb6d7f-z92hh                    1/1     Running   0          2d19h
etcd-kubesphere                            1/1     Running   0          2d19h
kube-apiserver-kubesphere                  1/1     Running   0          2d19h
kube-controller-manager-kubesphere         1/1     Running   0          2d19h
kube-proxy-68n9f                           1/1     Running   0          2d19h
kube-proxy-6ht99                           1/1     Running   0          73m
kube-scheduler-kubesphere                  1/1     Running   0          2d19h
tiller-deploy-74cd79795-p26l5              1/1     Running   0          173m

Check the node status

$ kubectl get nodes
NAME         STATUS   ROLES    AGE     VERSION
k8s-node01   Ready    <none>   74m     v1.15.3
k8s-master   Ready    master   2d19h   v1.15.3

2) Install the Dashboard add-on
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml
$ vim kubernetes-dashboard.yaml   # change the image name and the Service type
......
      containers:
      - args:
        - --auto-generate-certificates
        image: gcr.azk8s.cn/google_containers/kubernetes-dashboard-amd64:v1.10.1   # change the image name
        imagePullPolicy: IfNotPresent
......
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort   # change the Service to NodePort type
......

Create the service

$ kubectl apply -f kubernetes-dashboard.yaml
$ kubectl get pods -n kube-system -l k8s-app=kubernetes-dashboard
NAME                                  READY   STATUS    RESTARTS   AGE
kubernetes-dashboard-fcfb4cbc-wr79d   1/1     Running   0          39s
$ kubectl get svc -n kube-system -l k8s-app=kubernetes-dashboard
NAME                   TYPE       CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
kubernetes-dashboard   NodePort   10.96.168.30   <none>        443:31445/TCP   53s

Create a user with full privileges to log into the Dashboard. Be clear about what this does: it binds the built-in cluster-admin ClusterRole to a ServiceAccount, so the token we extract below is a root credential for the whole cluster, and it will be pasted into a browser talking to a NodePort on a host whose firewall we disabled earlier. That is acceptable for this lab; anywhere else, bind a narrower role (the built-in view ClusterRole is enough to browse the Dashboard) and do not expose the Dashboard on a NodePort.

$ vim admin.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: admin
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
  name: admin
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile

Create the user and retrieve its token

$ kubectl apply -f admin.yaml
$ kubectl get secret -n kube-system | grep admin-token
admin-token-4fjvq                                kubernetes.io/service-account-token   3      58s
$ kubectl get secret admin-token-4fjvq -o jsonpath={.data.token} -n kube-system | base64 -d

Open the Dashboard's NodePort in Firefox (the Dashboard serves a self-signed certificate, which Firefox lets you accept) and sign in with the token:
https://172.16.1.100:31445/
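Bindings like the admin.yaml above tend to outlive the lab they were created for. The following added example (not from the original post) does two things: it scans a multi-document manifest for ClusterRoleBindings that hand cluster-admin to a ServiceAccount, which is the pattern to hunt for when reviewing what was applied to a cluster, and it prints a least-privilege replacement that binds the built-in view ClusterRole instead. The awk parser only understands the top-level layout of plain manifests like the ones applied in this article (kind:, metadata:, roleRef:, subjects: at column 0); the dashboard-viewer names and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Audit manifests for ServiceAccounts bound to cluster-admin, and emit a
# least-privilege RBAC alternative for Dashboard logins (added example).

# Print the metadata.name of every ClusterRoleBinding in a multi-document
# manifest whose roleRef is cluster-admin and which names at least one
# ServiceAccount subject. Reads the files given as arguments, or stdin.
audit_cluster_admin_bindings() {
    awk '
    function flush() {
        if (kind == "ClusterRoleBinding" && role == "cluster-admin" && sa)
            print name
        kind = ""; name = ""; role = ""; sa = 0; section = ""
    }
    /^---/            { flush(); next }              # document separator
    /^kind:/          { kind = $2; next }            # top-level kind only
    /^[A-Za-z]/       { section = $1; sub(/:$/, "", section) }
    section == "metadata" && /^  name:/ && name == "" { name = $2 }
    section == "roleRef"  && /^  name:/               { role = $2 }
    section == "subjects" && /kind: *ServiceAccount/  { sa = 1 }
    END               { flush() }
    ' "$@"
}

# Least-privilege replacement for the admin.yaml above: a ServiceAccount bound
# to the built-in "view" ClusterRole, enough to browse the Dashboard read-only.
# Pipe the output into `kubectl apply -f -`, then fetch its token the same way
# as above (secret dashboard-viewer-token-... in kube-system).
dashboard_view_rbac() {
    cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dashboard-viewer
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dashboard-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: dashboard-viewer
  namespace: kube-system
EOF
}
```

Running audit_cluster_admin_bindings admin.yaml prints admin, the binding created above; running it over the output of dashboard_view_rbac prints nothing. The view role cannot read Secrets, so a viewer who can see the Dashboard cannot use it to collect other ServiceAccounts' tokens, which is exactly the escalation path the cluster-admin binding leaves open.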


Summary: in this article we used kubeadm to deploy a k8s cluster quickly and saw how the pieces of the cluster fit together. What we built has a single control-plane node: etcd and the API server each run as one instance, so the cluster is not highly available and should not be used for production as-is. Follow the official account and reply "k8s部署" to get the binary-based, highly available production deployment document.


Previous article: k8s (1) | Basic concepts and component principles
Series: Understanding Kubernetes in depth
Reference: From Docker to Kubernetes, advanced (阳明)