在Linux服务器,一键搭建1.21.0最新版K8s服务【脚本篇】
前言
好久没有写博客了,本文主要是对网上文章的总结篇,主要是将安装和运行代码做了一次真机实验,亲测可用。文章内包含的脚本和代码,多来自于网络,也有我自己的调整和配置,文章末尾对参考的文献做了列举,方便大家参考。
过程很简单,一路next往下看和操作即可,文章不对脚本和代码做原理解释,某些注意点加了红色标注,部分脚本有注释,可以自行参考,以后有机会可以视频讲解。
核心步骤
因为是next的方式,所以本章节主要是操作步骤,步骤中涉及到的代码或者脚本,可以在下文中找到,比如:附录代码一、附录代码二等等,因为脚本实在太长,不太方便放到步骤里。
1、配置 node01 主节点(2个文件,1个结果);
在root目录下拷贝k8s脚本(附录代码一:kubernetes_node01.sh)和flannel网络(附录代码二:kube-flannel.yml)的文件;
然后给脚本文件赋权限:chmod +x kubernetes_node01.sh
最后执行脚本:./kubernetes_node01.sh
ps:1、sh脚本中,需要配置节点,是内网的。
2、多个节点之间要保证能ping通;
3、中间可能需要自己来配合做些操作,比如输入:y,来做确认等等。
最后,可以在当前文件夹下,看到一个key.txt的文件,里边有安装的结果数据或者密钥等,可查看附录代码三:key.txt,这是我安装的结果,里边有join主节点的配置语句。
查看所有的nodes和pods:
[root@node01 ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION node01 Ready control-plane,master 26h v1.21.0
所有的pods:
[root@node01 ~]# kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-7ff77c879f-6m6fl 1/1 Running 0 25m kube-system coredns-7ff77c879f-dkd56 1/1 Running 0 25m kube-system etcd-node01 1/1 Running 0 26m kube-system kube-apiserver-node01 1/1 Running 0 26m kube-system kube-controller-manager-node01 1/1 Running 0 26m kube-system kube-flannel-ds-amd64-sdv2h 1/1 Running 0 25m kube-system kube-proxy-vgf4r 1/1 Running 0 25m kube-system kube-scheduler-node01 1/1 Running 0 26m
如果都启动,都READY了,表示安装成功。
2、配置dashboard仪表盘(2个文件)
上面安装好了kubectl、kubeadm、kubelet后,我们可以通过客户端来连接,这里安利下k8s的客户端:Lens,很香。
如果要使用客户端连接,就需要获取集群的上下文配置信息,可以执行以下命令:
kubectl config view –minify –raw
输出的结果类似于:
[root@node01 ~]# kubectl config view --minify --raw apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTa3Foa2XcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EVXlOakE0TVRjMU9Wb1hEVE14TURVeU5EQTRNVGMxT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlsCjRTSktsSnI1ZGdENUJZWlNvcWd3UWlsNDM4K2h2RkdCK0JwT2dXU3JJOUdTcjZRRzVEMllYSnU4bHE5a1IxMXEKME9ZcFpmSGJoOXJlZkZETThmNGh3TjFpSlRtN0pxVEc2UlFMc1BIZWdjdE1vQ2VyWkhzYURJNHpuOUxOdTEzcgpIbFhwSHFuRjY1bnpnL0pQcjVHclVPTGpqTis0aXdyaXE0cmFiZGg5aWR1aDlRaWFzTDNmaEhXeUYvNVJIbTdMCitvdFpkM2pJU2dJZDJxSkg1R2gwK3pzbSt0MHE2WHpPbjljWkpaWnUxWEhkRTVUMUI2aXdzS1B1cG9rYVB2VHQKTW9NeWc2SkM5SVVyalp6SVZEQWg5TU1Ua0NLckJIalBWeXY0L2xkdWxiOUpMZS95TTJidVhVWTVsV0VESm1hMQpjS0xlTEVrckYvelIrS1R4c3lzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDR2NQdk5GZ2VHUjNVbkZsV1M1Y3JZNVRtQUIKQ2dPdVBmVU5ZMFRLNDU1QytGVzVHaTBkeG1JL3NVM2cwVXVoN3c0dWlTQStZQksvUmh0TE1EZnNmMFhRc3FQTwpIeEduWWYvM0xDR3dpVFBrSnFzS2ZodUJlS0RVZ1lsejhOcWJlMDdaMkJlTTVNbFdsN2VmTVNoOEpqRXBzUjBHCnArYmdzdVViQ0hzQ1BSS0ErcW13dFU0UkUvTlMvYzh6Q2xPN3JpNkkzSE1qdTJQOWRTSit1aDY2OFNhSVN0MDkKMG1XWGdoaHlqdmRicnJBTnBucEh0TWNwSGRYM2lRS2g1RVczVjk3VjVpbEt6Yjl3TmJ1QTAwTzVUcEd1eGQ5RApnYUdTajBoMVBOSE9yaFVQRnZQa1ZoS1VaWjZ2cnNWTUsxR3N1akNObWZlZEhWVDlOR0kzNy9aYVMzWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= server: https://172.17.10.4:6443 #注意这里以后是kubectl proxy的地址,应该是你的ip地址:8001 name: kubernetes contexts: - context: cluster: kubernetes user: kubernetes-admin name: kubernetes-admin@kubernetes current-context: kubernetes-admin@kubernetes kind: Config preferences: {} users: - name: kubernetes-admin user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J4akNDQWRxZ0F3SUJBZ0lJU3FXNFdBdVVE13RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBMU1qWXdPREUzTlRsYUZ3MHlNakExTWpZd09ERTRNREphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNtTGRIM3ZQTnZxN2pjbzYKL1lOU0RkMlJ0YVlWWGIwazdlRXpDVlFWL2dFc2M4bEpiRHZveTcxQUJpa09IMjF5dU4rN00yNmNxTW5KSUgvNQpOcUtKeFRNMVliZHJGTzh2RVJDNE5hMWpRSUppdnJBbVBLeUdzbEpTL2h0dXVlQzZOazRlWmdLNDhCOVJSazNtCmxHclBYZnFvaHo5ckkwQzFvaHA4YnErVGNxYkRvNTNjc1ZMU1puNFFGWHRXMjZJbHg1V3Rhc0JGZVMyWVgvamEKQklld1FWaTMxbmthblFuWVMyekg4aVhiWktXZkc4eDkyR3hrSDhRYWV1ZmlxR2VCYlRuc3UxUlh4TnByVEZqcQpaeW9rUm5yWFEzSU5Fd2dRRzNzUndQaWZxcWtxQTZ1NlQxS21hbzFRelF6bW5XNTdCUG5Jd1EvVjFURU1iS2tJCkdvU0dSUUlEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHbTBCSVhKMVBnTDh4bDVRZ2UvNjlaemd6N1d2TythZ2JZUgowdVB2blhSTU1kNGk1akV1NlQzWDh3Zm4zVGowR004VDlsZERLa2ZKUGFIcnRuRVFIOFFkeHBaek9HeXNjSEpLCmRYN3Uyb2d1dTMxUy9ZblltR21vMk5VS1M3T2hiTWE3WEw1bVpTTGV4RWp0eWNBdkpDa2Evdndqa0hFTFJUMzYKZ3hGWnhBQWRqWFVOd011TWdiV25IT0dOK3dIcUxDSjZKa3NkYU9yZTJTRHRCUWZXRTZ5RjJEVnk4akZvUDVlWQpFcDZuVzVia1NsY3NIR2NhamJPcXNNbSs2bEk5L3RidDZyMno4U3VHR1BVenNzbUFqMHJIbDFvTHhVYjFkWjhCCjF2ZTBYVWZPNmhsSDhWaWxqYVFISHBnQU5NV05KN3kvR0VVYmMzSWZCVGZ6b05UWHJCRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVS0tLQpNSUlFcEFJQkFBS0NBUUVBM21MZEgzdlBOdnE3avNi9ZTlNEZDJSdGFZVlhiMGs3ZUV6Q1ZRVi9nRXNjOGxKCmJEdm95NzFBQmlrT0gyMXl1Tis3TTI2Y3FNbkpJSC81TnFLSnhUTTFZYmRyRk84dkVSQzROYTFqUUlKaXZyQW0KUEt5R3NsSlMvaHR1dWVDNk5rNGVaZ0s0OEI5UlJrM21sR3JQWGZxb2h6OXJJMEMxb2hwOGJxK1RjcWJEbzUzYwpzVkxTWm40UUZYdFcyNklseDVXdGFzQkZlUzJZWC9qYUJJZXdRVmkzMW5rYW5RbllTMnpIOGlYYlpLV2ZHOHg5CjJHeGtIOFFhZXVmaXFHZUJiVG5zdTFSWHhOcHJURmpxWnlva1JuclhRM0lORXdnUUczc1J3UGlmcXFrcUE2dTYKVDFLbWFvMVF6UXptblc1N0JQbkl3US9WMVRFTWJLa0lHb1NHUlFJREFRQUJBb0lCQUVnN3BvVSthc3o1M2dldApJMElLOEpFT1lmQzFsSVVSRmJpcWlEQkVmcXcxWjJIb2hJL0NXZGdyaldzeTFLS0NvMXZIVi8vWnNzcmtXQTdWClluWkxqeUpkZ3I1Tm5GdDlZVFZTei9LbmNmQ1hLVW0wMzRhZnAxU3Voc1NBMXBOTG1sQmZTV0pyQ2ZUOHh5SmwKMVRwcUF4Y01mc2NIWTE1YysySSs1aUh4cDV2NlVjNEtQZ0R6bGZCbkVTZ3dhNlVOVURZRkVmN2RNMXdONlhtZgpPMllNcDIvWHVacWFwU3RRRHRLWXVvT2xsWStsRXpQeUpQQSsvS0tnN3M5VGpzSllUZTJyN1Y0S2psVUpLQ0tqCjhsNnVoUWhNNkRuWnYvVVZScEtZM3RlSlJkRDgxZ2RBQ1FPTUh0aktrb0drbEtDeS96Z29oak9FZlVFTWJqNloKY2dRT0VFRUNnWUVBOU1KSytZUTg3YURqSTMrOWVSd0VxSmQ2WjFXbnZTUHZld21iOXpUSVdkYjUrU1RGSi8vZwpPS1lFdHNjN1hRc05wV3hsdjhncnc4azhKRzFxcG1EVHFaa1Vna3NGaXNaMGxGYVk1TUlKOUh3K00wMzJmN0N0CkxaQ2oxSTdqNWpsNWt5dy9qYVB3amJtWG1zY280NUNxZFl4YUhoMjJPbE1pdVVkNTU2SVJhdFVDZ1lFQTZKbUcKKytsWTZxRDJKY2N2cGJhUFhnQUwrZklpTDlSblQwbVZKTmZ5MXU3RGdhSXl3UHVOaVBUOUhoRXc0VU1WeTE5UQpzeS9yQ2JFQ1A5MnJQeEloOXVlTHlCazNNR0hyaTBVZkdiV0V4czNiZ3QydTUvZUpSaGlaYm5sSlJqZDlIeFdZCnljaWhER2JRVVhoVWhtaGxzSUU1dDRGcWdjUUN6L0NmSklxVmhiRUNnWUVBcnVxN2toNURQTCtpRkJpU1hCNzkKNVU1OEY2VkxQd3lUZFNhazQ4SkEvSk42Q2VlUlRzaTZnVUdFVk91RkxUVmRCeiswWjU2eVNEVmtXZFFvUjhjaQovUzE5VHJBMndicWFUZmlsUTdhNFRwVU1EclpFMTNSNER2d3pXUkRWSmc4bEoxeVQvckdPbEhweU1oYnF6ZGJ4Ck94aVd2cmNWS0JHSjIwZU5nMUI3aWhFQ2dZRUFuUUcxT2lwRFdPMlorZHBBY1cyUHpQWGZIN0t3SFBVVlgxSGUKR09ha0J5MVlUeEw3aTRUQi95YlFEUkd4bXZ5N28zSU5lVWJwTXJ1SE56RWNQUkN5V0lYbnR3UStXcXhlWUw0aAp4aXJmRzRzdGwyS29nL0IxZXhsenlEeWFsNGt4TG1CWHFDMkRlR21XU01nZTFqTjJJUFM1endMT3NCVnRpSXQyCkFTYUMwNkVDZ1lCeGNBaFRkVG9pWGhkWnNmWCtaMC9mMXJ5ait3WWp2VnlUU0Z2Q0JZVDFnYllVM0VZOHFCTEkKMWZLaCtJeDhuS0U3bzJGMEFzMTVJN1ZNeks0OFF5NnhjbkExa0RPUGFxOXYydTBlUzJyemJhSWhudmZLTFpBZgpxa3NtaHl0bWVCMUxPRGZQZjdFRVgvNWNCOWlkZ0QwVGlzNHMxL1NCWkhaRWJuMVhCd0J1WEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
如果不用客户端,那就需要安装仪表盘了。
1、Linux根目录拷贝文件,附录代码四:recommended.yaml(安装看板),附录代码五:dashboard-svc-account.yaml(配置管理员账户)
2、执行命令:
sed -i \'/targetPort: 8443/a\ \ \ \ \ \ nodePort: 30001\n\ \ type: NodePort\' recommended.yaml
3、启动仪表盘服务:
kubectl apply -f recommended.yaml
4、启动配置账户:
kubectl apply -f dashboard-svc-account.yaml
都成功后,会生成一个token字符串,用来登录web端的令牌的,如果没有拷贝或者丢失了也不怕,可以使用命令查看:
kubectl describe secrets -n kube-system `kubectl get secret -n kube-system | grep admin | awk \'{print $1}\'` | grep \'^token\'|awk \'{print $2}\'
token就是类似这种:
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikl5SE00cXFZR1V2cWstQURVcGlUOGk4cTBYekZMV0VmNDEwRy14UTd1d2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tY3JnejYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWliwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjYwMGQ0ZjctM2ZhOS00ODIwLWFmMmUtZTJlZDMxYWMyYWFhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.BBtdG-S2kHEwRbWIAf6DiUgC3ILUOStPATyWfvxcQs5VJBtLRyMGqQ-AfkUoVLuhZdUv-CGoEJ1OYA00M6MwoehDdkhLFbXF7Xx1IPyhFTHxZ_oXHBPyjEREkTEerarZnvgt0ufU4g_Eqn91jdHet73itz-0abgmLMPkRl5YYjlh36Ivwq9IjKgujLwTNisUFckLuHOscHtQIrjIvAZlWTRh_awMsDHvemAKG_YIjMbyQnXi6VfN3rTW869DA0XAGOF2t7cWBtMmHvmLxVYqpOauUzwXXeYbO9eP0_d9JtVwKv6R0Q7sexRFZ-iTdZBOJDujFI3UT2jsqgVdbagA
这里再检查下:
查看所有的nodes和pods:
[root@node01 ~]# kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-7ff77c879f-6m6fl 1/1 Running 0 25m kube-system coredns-7ff77c879f-dkd56 1/1 Running 0 25m kube-system etcd-node01 1/1 Running 0 26m kube-system kube-apiserver-node01 1/1 Running 0 26m kube-system kube-controller-manager-node01 1/1 Running 0 26m kube-system kube-flannel-ds-amd64-sdv2h 1/1 Running 0 25m kube-system kube-proxy-vgf4r 1/1 Running 0 25m kube-system kube-scheduler-node01 1/1 Running 0 26m kubernetes-dashboard dashboard-metrics-scraper-78f5d9f487-ldswx 1/1 Running 0 12m kubernetes-dashboard kubernetes-dashboard-577bd97bc-szvwt 1/1 Running 0 12m
多了kubernetes-dashboard命名空间下的两个pod。
3、配置 node02 子节点(1个文件)
如果你没有多余的服务器,也可以在master节点做自己的pod的,需要开启下,命令将 master 标记为可调度:
sudo kubectl taint nodes --all node-role.kubernetes.io/masteflr-
如果要配置多个子节点,那就仿照主节点来继续写sh脚本吧(附录代码六:kubernetes_node02.sh),步骤和主节点一致:
1、拷贝到子节点服务器;
2、赋权限,执行文件:./kubernetes_node02.sh
3、这里不用flannel配置;
4、安装完成后,可以join到主节点,配置文件在主节点的key.txt文件里,如果你安装成功了的话;
kubeadm join 172.17.10.4:6443 --token q3uu1o.4rdfkcyzxjhawvk1 \ --discovery-token-ca-cert-hash sha256:a755d8f56733ba8f9d1951298b200202fce7b84389954bf7a38558fa6ce2a9c9
如果一切正常,可以去主节点查看所有的nodes:
NAME STATUS ROLES AGE VERSION node01 Ready control-plane,master 26h v1.21.0 node02 Ready <none> 25h v1.21.0
表示我们的子节点已经配置完成。
4、配置ASP.Net Core服务
这里的Deployment+Service的写法比较简单,直接贴出来,就不做过多的解释了。
apiVersion: apps/v1 kind: Deployment metadata: labels: app: laozhang-op2 name: laozhang-op2 spec: selector: matchLabels: app: laozhang-op2 replicas: 2 template: metadata: labels: app: laozhang-op2 spec: containers: - name: laozhang-op2 image: laozhangisphi/apkimg315 imagePullPolicy: IfNotPresent #pull镜像时机, --- apiVersion: v1 kind: Service metadata: name: laozhang-nodeport-op2 spec: type: NodePort ports: - name: default protocol: TCP port: 8081 targetPort: 8081 nodePort: 30099 selector: app: laozhang-op2
---
apiVersion: v1
kind: Service
metadata:
name: laozhang-cluster-svc
spec:
selector:
app: laozhang-op2
ports:
- protocol: TCP
port: 8081
targetPort: 8081
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
– host: abctest.neters.club
http:
paths:
– path: /
pathType: ImplementationSpecific
backend:
serviceName: tomcat-svc
servicePort: 8081
关于简历service有两种方式,上边的这种是nodePort的方式——laozhang-nodeport-op2,直接暴漏端口到公网,
不过平时使用更多的是Ingress的方式,对应的service也都是使用集群的方式,也就是下边那种——laozhang-cluster-svc,官方默认的就是集群的方式,
那使用ingress,就先需要配置ingress的服务。
5、配置Ingress-nginx(1个文件)
在根目录拷贝文件,附录代码七:mandatory.yaml,配置Ingress-Nginx服务,
这里需要注意下,如果服务器之前已经配置过nginx,需要在mandatory.yaml文件中,修改http-port输出端口,详细内容见下面的代码,有注释。
直接执行yaml:
kubectl apply -f mandatory.yaml
如果没有报错,可以查看所有的pods:
[root@node01 ~]# kubectl get pods -A NAMESPACE NAME READY STATUS RESTARTS AGE default laozhang-op2-5cf487b57f-pdvfg 1/1 Running 0 4h29m default laozhang-op2-5cf487b57f-vtgwc 1/1 Running 0 4h29m ingress-nginx nginx-ingress-controller-557475687f-rfl98 1/1 Running 0 122m kube-system coredns-7ff77c879f-gj4sl 1/1 Running 0 26h kube-system coredns-7ff77c879f-mqp2q 1/1 Running 0 26h kube-system etcd-node01 1/1 Running 0 26h kube-system kube-apiserver-node01 1/1 Running 0 26h kube-system kube-controller-manager-node01 1/1 Running 0 26h kube-system kube-flannel-ds-amd64-nmnj2 1/1 Running 0 26h kube-system kube-proxy-wcjb8 1/1 Running 0 26h kube-system kube-scheduler-node01 1/1 Running 2 26h kubernetes-dashboard dashboard-metrics-scraper-78f5d9f487-qp2fw 1/1 Running 0 26h kubernetes-dashboard kubernetes-dashboard-577bd97bc-2tsj7 1/1 Running 0 26h
如果和上面一样,那恭喜,一切配置就完成了。
附录代码一:kubernetes_node01.sh
#!/bin/bash ############## ##主节点## ############## #### 第一部分,环境初始化 #### #k8s版本 version=v1.21.0 kubelet=kubelet-1.21.0-0.x86_64 kubeadm=kubeadm-1.21.0-0.x86_64 kubectl=kubectl-1.21.0-0.x86_64 #集群加入方式 key=/root/key.txt #部署flannel网络 flannel=/root/kube-flannel.yml #安装必要依赖 yum -y install vim wget git cmake make gcc gcc-c++ net-tools lrzsz #### 第二部分,节点配置 #### #第一步:主机解析,免密登录 #内网ip,配置多节点,也可以不配置,后期通过join的方式 node01=172.21.10.4 #node02=192.168.10.7 #node03=192.168.1.30 hostnamectl set-hostname node01 echo \'172.21.10.4 node01 #192.168.10.7 node02 #192.168.1.30 node03\' >> /etc/hosts ssh-keygen ssh-copy-id -i $node01 #ssh-copy-id -i $node02 #ssh-copy-id -i $node03 #scp /etc/hosts node02:/etc/hosts #scp /etc/hosts node03:/etc/hosts
#第二步:时间同步
systemctl start chronyd
systemctl enable chronyd #第三步:关闭防火墙和急用iptables systemctl stop firewalld systemctl disable firewalld
#systemctl stop iptables
#systemctl disable iptables #第四步:禁用swap分区 swapoff -a sed -i \'s/.*swap.*/#&/\' /etc/fstab #第五步:关闭沙盒,禁用selinux setenforce 0 sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config #第六步:打开ipv6 modprobe br_netfilter modprobe ip_vs_rr
#第七步:修改Linux的内核参数 cat <<EOF > /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 vm.swappiness = 0 EOF sysctl -p /etc/sysctl.d/k8s.conf ls /proc/sys/net/bridge #### 第三部分,参数/源处理 #### #安装epel源 yum install -y epel-release yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vim ntpdate libseccomp libtool-ltdl #时区校准 systemctl enable ntpdate.service echo \'*/30 * * * * /usr/sbin/ntpdate time7.aliyun.com >/dev/null 2>&1\' > /tmp/crontab2.tmp crontab /tmp/crontab2.tmp systemctl start ntpdate.service #添加参数 echo "* soft nofile 65536" >> /etc/security/limits.conf echo "* hard nofile 65536" >> /etc/security/limits.conf echo "* soft nproc 65536" >> /etc/security/limits.conf echo "* hard nproc 65536" >> /etc/security/limits.conf echo "* soft memlock unlimited" >> /etc/security/limits.conf echo "* hard memlock unlimited" >> /etc/security/limits.conf #添加kubernetes的epel源 echo \'[kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg\' > /etc/yum.repos.d/kubernetes.repo #下载 sudo yum-config-manager \ --add-repo \ https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo yum makecache fast #### 第四部分,开始安装 #### yum -y install docker-ce yum install --enablerepo="kubernetes" $kubelet $kubeadm $kubectl systemctl enable kubelet.service && systemctl start kubelet.service systemctl start docker.service && systemctl enable docker.service #安装tab快捷键 yum -y install bash-completion && source /usr/share/bash-completion/bash_completion && source <(kubectl completion bash) && echo "source <(kubectl completion bash)" >> ~/.bashrc #创建集群 kubeadm init --apiserver-advertise-address $node01 --kubernetes-version $version --pod-network-cidr=10.244.0.0/16 >> $key 2>&1 export KUBECONFIG=/etc/kubernetes/admin.conf
#kubectl 配置文件 mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config docker pull quay.io/coreos/flannel:v0.12.0-amd64
#安装flannel网络,节点之前通讯 kubectl apply -f $flannel echo \'请手动查看$key文件的密钥将其他节点接入集群\'
PS:如果v1.18版本,可以指定
--image-repository registry.aliyuncs.com/google_containers
如果报错的话,就去掉这个参数吧。
错误内容比如:
[ERROR ImagePull]: failed to pull image registry.aliyuncs.com/google_containers/coredns/coredns:v1.8.0: output: Error response from daemon: pull access denied for registry.aliyuncs.com/google_containers/coredns/coredns, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied
附录代码二:kube-flannel.yml
############## ##flannel网络## ############## --- apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: psp.flannel.unprivileged annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default spec: privileged: false volumes: - configMap - secret - emptyDir - hostPath allowedHostPaths: - pathPrefix: "/etc/cni/net.d" - pathPrefix: "/etc/kube-flannel" - pathPrefix: "/run/flannel" readOnlyRootFilesystem: false # Users and groups runAsUser: rule: RunAsAny supplementalGroups: rule: RunAsAny fsGroup: rule: RunAsAny # Privilege Escalation allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: false # Capabilities allowedCapabilities: [\'NET_ADMIN\'] defaultAddCapabilities: [] requiredDropCapabilities: [] # Host namespaces hostPID: false hostIPC: false hostNetwork: true hostPorts: - min: 0 max: 65535 # SELinux seLinux: # SELinux is unused in CaaSP rule: \'RunAsAny\' --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: flannel rules: - apiGroups: [\'extensions\'] resources: [\'podsecuritypolicies\'] verbs: [\'use\'] resourceNames: [\'psp.flannel.unprivileged\'] - apiGroups: - "" resources: - pods verbs: - get - apiGroups: - "" resources: - nodes verbs: - list - watch - apiGroups: - "" resources: - nodes/status verbs: - patch --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: flannel roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: flannel subjects: - kind: ServiceAccount name: flannel namespace: kube-system --- apiVersion: v1 kind: ServiceAccount metadata: name: flannel namespace: kube-system --- kind: ConfigMap apiVersion: v1 metadata: name: kube-flannel-cfg namespace: kube-system labels: tier: node app: flannel data: cni-conf.json: | { "name": "cbr0", "cniVersion": "0.3.1", "plugins": [ { "type": "flannel", "delegate": { "hairpinMode": true, "isDefaultGateway": true } }, { "type": "portmap", "capabilities": { "portMappings": true } } ] } net-conf.json: | { "Network": "10.244.0.0/16", "Backend": { "Type": "vxlan" } } --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds-amd64 namespace: kube-system labels: tier: node app: flannel spec: selector: matchLabels: app: flannel template: metadata: labels: tier: node app: flannel spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - amd64 hostNetwork: true tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni image: quay.io/coreos/flannel:v0.12.0-amd64 command: - cp args: - -f - /etc/kube-flannel/cni-conf.json - /etc/cni/net.d/10-flannel.conflist volumeMounts: - name: cni mountPath: /etc/cni/net.d - name: flannel-cfg mountPath: /etc/kube-flannel/ containers: - name: kube-flannel image: quay.io/coreos/flannel:v0.12.0-amd64 command: - /opt/bin/flanneld args: - --ip-masq - --kube-subnet-mgr resources: requests: cpu: "100m" memory: "50Mi" limits: cpu: "100m" memory: "50Mi" securityContext: privileged: false capabilities: add: ["NET_ADMIN"] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - name: run hostPath: path: /run/flannel - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds-arm64 namespace: kube-system labels: tier: node app: flannel spec: selector: matchLabels: app: flannel template: metadata: labels: tier: node app: flannel spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - arm64 hostNetwork: true tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni image: quay.io/coreos/flannel:v0.12.0-arm64 command: - cp args: - -f - /etc/kube-flannel/cni-conf.json - /etc/cni/net.d/10-flannel.conflist volumeMounts: - name: cni mountPath: /etc/cni/net.d - name: flannel-cfg mountPath: /etc/kube-flannel/ containers: - name: kube-flannel image: quay.io/coreos/flannel:v0.12.0-arm64 command: - /opt/bin/flanneld args: - --ip-masq - --kube-subnet-mgr resources: requests: cpu: "100m" memory: "50Mi" limits: cpu: "100m" memory: "50Mi" securityContext: privileged: false capabilities: add: ["NET_ADMIN"] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - name: run hostPath: path: /run/flannel - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds-arm namespace: kube-system labels: tier: node app: flannel spec: selector: matchLabels: app: flannel template: metadata: labels: tier: node app: flannel spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - arm hostNetwork: true tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni image: quay.io/coreos/flannel:v0.12.0-arm command: - cp args: - -f - /etc/kube-flannel/cni-conf.json - /etc/cni/net.d/10-flannel.conflist volumeMounts: - name: cni mountPath: /etc/cni/net.d - name: flannel-cfg mountPath: /etc/kube-flannel/ containers: - name: kube-flannel image: quay.io/coreos/flannel:v0.12.0-arm command: - /opt/bin/flanneld args: - --ip-masq - --kube-subnet-mgr resources: requests: cpu: "100m" memory: "50Mi" limits: cpu: "100m" memory: "50Mi" securityContext: privileged: false capabilities: add: ["NET_ADMIN"] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - name: run hostPath: path: /run/flannel - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds-ppc64le namespace: kube-system labels: tier: node app: flannel spec: selector: matchLabels: app: flannel template: metadata: labels: tier: node app: flannel spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - ppc64le hostNetwork: true tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni image: quay.io/coreos/flannel:v0.12.0-ppc64le command: - cp args: - -f - /etc/kube-flannel/cni-conf.json - /etc/cni/net.d/10-flannel.conflist volumeMounts: - name: cni mountPath: /etc/cni/net.d - name: flannel-cfg mountPath: /etc/kube-flannel/ containers: - name: kube-flannel image: quay.io/coreos/flannel:v0.12.0-ppc64le command: - /opt/bin/flanneld args: - --ip-masq - --kube-subnet-mgr resources: requests: cpu: "100m" memory: "50Mi" limits: cpu: "100m" memory: "50Mi" securityContext: privileged: false capabilities: add: ["NET_ADMIN"] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - name: run hostPath: path: /run/flannel - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg --- apiVersion: apps/v1 kind: DaemonSet metadata: name: kube-flannel-ds-s390x namespace: kube-system labels: tier: node app: flannel spec: selector: matchLabels: app: flannel template: metadata: labels: tier: node app: flannel spec: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux - key: kubernetes.io/arch operator: In values: - s390x hostNetwork: true tolerations: - operator: Exists effect: NoSchedule serviceAccountName: flannel initContainers: - name: install-cni image: quay.io/coreos/flannel:v0.12.0-s390x command: - cp args: - -f - /etc/kube-flannel/cni-conf.json - /etc/cni/net.d/10-flannel.conflist volumeMounts: - name: cni mountPath: /etc/cni/net.d - name: flannel-cfg mountPath: /etc/kube-flannel/ containers: - name: kube-flannel image: quay.io/coreos/flannel:v0.12.0-s390x command: - /opt/bin/flanneld args: - --ip-masq - --kube-subnet-mgr resources: requests: cpu: "100m" memory: "50Mi" limits: cpu: "100m" memory: "50Mi" securityContext: privileged: false capabilities: add: ["NET_ADMIN"] env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: run mountPath: /run/flannel - name: flannel-cfg mountPath: /etc/kube-flannel/ volumes: - name: run hostPath: path: /run/flannel - name: cni hostPath: path: /etc/cni/net.d - name: flannel-cfg configMap: name: kube-flannel-cfg
附录代码三:key.txt
W0526 16:17:20.680490 13760 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io] [init] Using Kubernetes version: v1.21.0 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using \'kubeadm config images pull\' [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [node01 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.17.10.4] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [node01 localhost] and IPs [172.17.10.4 127.0.0.1 ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [node01 localhost] and IPs [172.17.10.4 127.0.0.1 ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" W0526 16:18:02.560249 13760 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC" [control-plane] Creating static Pod manifest for "kube-scheduler" W0526 16:18:02.561130 13760 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC" [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [apiclient] All control plane components are healthy after 26.504466 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.21" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node node01 as control-plane by adding the label "node-role.kubernetes.io/master=\'\'" [mark-control-plane] Marking the node node01 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: q3uu1o.4rdfkcyzxjhawvk1 [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join 172.17.10.4:6443 --token q3uu1o.4rdfkcyzxjhawvk1 \ --discovery-token-ca-cert-hash sha256:a755d8f56733ba8f9d1951298b200202fce7b84389954bf7a38558fa6ce2a9c9
附录代码四:recommended.yaml
# Copyright 2017 The Kubernetes Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ############## ##安装dashboard## ############## apiVersion: v1 kind: Namespace metadata: name: kubernetes-dashboard --- apiVersion: v1 kind: ServiceAccount metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard --- kind: Service apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: ports: - port: 443 targetPort: 8443 selector: k8s-app: kubernetes-dashboard --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-certs namespace: kubernetes-dashboard type: Opaque --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-csrf namespace: kubernetes-dashboard type: Opaque data: csrf: "" --- apiVersion: v1 kind: Secret metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-key-holder namespace: kubernetes-dashboard type: Opaque --- kind: ConfigMap apiVersion: v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard-settings namespace: kubernetes-dashboard --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard rules: # Allow Dashboard to get, update and delete Dashboard exclusive secrets. - apiGroups: [""] resources: ["secrets"] resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] verbs: ["get", "update", "delete"] # Allow Dashboard to get and update \'kubernetes-dashboard-settings\' config map. - apiGroups: [""] resources: ["configmaps"] resourceNames: ["kubernetes-dashboard-settings"] verbs: ["get", "update"] # Allow Dashboard to get metrics. - apiGroups: [""] resources: ["services"] resourceNames: ["heapster", "dashboard-metrics-scraper"] verbs: ["proxy"] - apiGroups: [""] resources: ["services/proxy"] resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] verbs: ["get"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard rules: # Allow Metrics Scraper to get metrics from the Metrics server - apiGroups: ["metrics.k8s.io"] resources: ["pods", "nodes"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubernetes-dashboard subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kubernetes-dashboard --- kind: Deployment apiVersion: apps/v1 metadata: labels: k8s-app: kubernetes-dashboard name: kubernetes-dashboard namespace: kubernetes-dashboard spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: k8s-app: kubernetes-dashboard template: metadata: labels: k8s-app: kubernetes-dashboard spec: containers: - name: kubernetes-dashboard image: kubernetesui/dashboard:v2.2.0 imagePullPolicy: Always ports: - containerPort: 8443 protocol: TCP args: - --auto-generate-certificates - --namespace=kubernetes-dashboard # Uncomment the following line to manually specify Kubernetes API server Host # If not specified, Dashboard will attempt to auto discover the API server and connect # to it. Uncomment only if the default does not work. # - --apiserver-host=http://my-address:port volumeMounts: - name: kubernetes-dashboard-certs mountPath: /certs # Create on-disk volume to store exec logs - mountPath: /tmp name: tmp-volume livenessProbe: httpGet: scheme: HTTPS path: / port: 8443 initialDelaySeconds: 30 timeoutSeconds: 30 securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 volumes: - name: kubernetes-dashboard-certs secret: secretName: kubernetes-dashboard-certs - name: tmp-volume emptyDir: {} serviceAccountName: kubernetes-dashboard nodeSelector: "kubernetes.io/os": linux # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule --- kind: Service apiVersion: v1 metadata: labels: k8s-app: dashboard-metrics-scraper name: dashboard-metrics-scraper namespace: kubernetes-dashboard spec: ports: - port: 8000 targetPort: 8000 selector: k8s-app: dashboard-metrics-scraper --- kind: Deployment apiVersion: apps/v1 metadata: labels: k8s-app: dashboard-metrics-scraper name: dashboard-metrics-scraper namespace: kubernetes-dashboard spec: replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: k8s-app: dashboard-metrics-scraper template: metadata: labels: k8s-app: dashboard-metrics-scraper annotations: seccomp.security.alpha.kubernetes.io/pod: \'runtime/default\' spec: containers: - name: dashboard-metrics-scraper image: kubernetesui/metrics-scraper:v1.0.6 ports: - containerPort: 8000 protocol: TCP livenessProbe: httpGet: scheme: HTTP path: / port: 8000 initialDelaySeconds: 30 timeoutSeconds: 30 volumeMounts: - mountPath: /tmp name: tmp-volume securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsUser: 1001 runAsGroup: 2001 serviceAccountName: kubernetes-dashboard nodeSelector: "kubernetes.io/os": linux # Comment the following tolerations if Dashboard must not be deployed on master tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule volumes: - name: tmp-volume emptyDir: {}
附录代码五:dashboard-svc-account.yaml
############## ##配置dashboard管理员账号## ############## apiVersion: v1 kind: ServiceAccount metadata: name: dashboard-admin namespace: kube-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: dashboard-admin roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: dashboard-admin namespace: kube-system
附录代码六:kubernetes_node02.sh
#!/bin/bash ############## ##子节点## ############## #### 第一部分,环境初始化 #### #k8s版本 version=v1.21.0 kubelet=kubelet-1.21.0-0.x86_64 kubeadm=kubeadm-1.21.0-0.x86_64 kubectl=kubectl-1.21.0-0.x86_64 #集群加入方式 key=/root/key.txt #部署flannel网络 flannel=/root/kube-flannel.yml #安装必要依赖 yum -y install vim wget git cmake make gcc gcc-c++ net-tools lrzsz #### 第二部分,节点配置 #### #配置节点,主机解析,免密登录 node01=172.17.10.4 node02=172.17.10.7 # node03=192.168.1.30 hostnamectl set-hostname node02 echo \'172.17.10.4 node01 172.17.10.7 node02\' >> /etc/hosts ssh-keygen ssh-copy-id -i $node01 ssh-copy-id -i $node02 # ssh-copy-id -i $node03 scp /etc/hosts node02:/etc/hosts # scp /etc/hosts node03:/etc/hosts #关闭防火墙 systemctl stop firewalld systemctl disable firewalld #swap分区关闭 swapoff -a sed -i \'s/.*swap.*/#&/\' /etc/fstab #关闭沙盒 setenforce 0 sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config #打开ipv6 modprobe br_netfilter modprobe ip_vs_rr cat <<EOF > /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 vm.swappiness = 0 EOF sysctl -p /etc/sysctl.d/k8s.conf ls /proc/sys/net/bridge #### 第三部分,参数/源处理 #### #安装epel源 yum install -y epel-release yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vim ntpdate libseccomp libtool-ltdl #时区校准 systemctl enable ntpdate.service echo \'*/30 * * * * /usr/sbin/ntpdate time7.aliyun.com >/dev/null 2>&1\' > /tmp/crontab2.tmp crontab /tmp/crontab2.tmp systemctl start ntpdate.service #添加参数 echo "* soft nofile 65536" >> /etc/security/limits.conf echo "* hard nofile 65536" >> /etc/security/limits.conf echo "* soft nproc 65536" >> /etc/security/limits.conf echo "* hard nproc 65536" >> /etc/security/limits.conf echo "* soft memlock unlimited" >> /etc/security/limits.conf echo "* hard memlock unlimited" >> /etc/security/limits.conf #添加kubernetes的epel源 echo \'[kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/ enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg\' > /etc/yum.repos.d/kubernetes.repo #下载 sudo yum-config-manager \ --add-repo \ https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo yum makecache fast #### 第四部分,开始安装 #### yum -y install docker-ce yum install --enablerepo="kubernetes" $kubelet $kubeadm $kubectl systemctl enable kubelet.service && systemctl start kubelet.service systemctl start docker.service && systemctl enable docker.service #安装tab快捷键 yum -y install bash-completion && source /usr/share/bash-completion/bash_completion && source <(kubectl completion bash) && echo "source <(kubectl completion bash)" >> ~/.bashrc #创建集群 docker pull quay.io/coreos/flannel:v0.12.0-amd64 echo \'请手动查看主节点$key文件的密钥将其他节点接入集群\'
附录代码七:mandatory.yaml
############## ##配置ingress-nginx服务## ############## apiVersion: v1 kind: Namespace metadata: name: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- kind: ConfigMap apiVersion: v1 metadata: name: nginx-configuration namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- kind: ConfigMap apiVersion: v1 metadata: name: tcp-services namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- kind: ConfigMap apiVersion: v1 metadata: name: udp-services namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- apiVersion: v1 kind: ServiceAccount metadata: name: nginx-ingress-serviceaccount namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: nginx-ingress-clusterrole labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx rules: - apiGroups: - "" resources: - configmaps - endpoints - nodes - pods - secrets verbs: - list - watch - apiGroups: - "" resources: - nodes verbs: - get - apiGroups: - "" resources: - services verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "extensions" - "networking.k8s.io" resources: - ingresses verbs: - get - list - watch - apiGroups: - "extensions" - "networking.k8s.io" resources: - ingresses/status verbs: - update --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: nginx-ingress-role namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx rules: - apiGroups: - "" resources: - configmaps - pods - secrets - namespaces verbs: - get - apiGroups: - "" resources: - configmaps resourceNames: # Defaults to "<election-id>-<ingress-class>" # Here: "<ingress-controller-leader>-<nginx>" # This has to be adapted if you change either parameter # when launching the nginx-ingress-controller. - "ingress-controller-leader-nginx" verbs: - get - update - apiGroups: - "" resources: - configmaps verbs: - create - apiGroups: - "" resources: - endpoints verbs: - get --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: nginx-ingress-role-nisa-binding namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: nginx-ingress-role subjects: - kind: ServiceAccount name: nginx-ingress-serviceaccount namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: nginx-ingress-clusterrole-nisa-binding labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: nginx-ingress-clusterrole subjects: - kind: ServiceAccount name: nginx-ingress-serviceaccount namespace: ingress-nginx --- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-ingress-controller namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx template: metadata: labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx annotations: prometheus.io/port: "10254" prometheus.io/scrape: "true" spec: hostNetwork: true # wait up to five minutes for the drain of connections terminationGracePeriodSeconds: 300 serviceAccountName: nginx-ingress-serviceaccount nodeSelector: Ingress: nginx kubernetes.io/os: linux containers: - name: nginx-ingress-controller image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.29.0 args: - /nginx-ingress-controller - --configmap=$(POD_NAMESPACE)/nginx-configuration - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - --publish-service=$(POD_NAMESPACE)/ingress-nginx - --annotations-prefix=nginx.ingress.kubernetes.io - --http-port=8080 # 如果你的master服务器已经安装了nginx,这里需要修改下,否则无法启动ingress-nginx服务 - --https-port=8443 # 同上 securityContext: allowPrivilegeEscalation: true capabilities: drop: - ALL add: - NET_BIND_SERVICE # www-data -> 101 runAsUser: 101 env: - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace ports: - name: http containerPort: 80 protocol: TCP - name: https containerPort: 443 protocol: TCP livenessProbe: failureThreshold: 3 httpGet: path: /healthz port: 10254 scheme: HTTP initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 readinessProbe: failureThreshold: 3 httpGet: path: /healthz port: 10254 scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 10 lifecycle: preStop: exec: command: - /wait-shutdown --- apiVersion: v1 kind: LimitRange metadata: name: ingress-nginx namespace: ingress-nginx labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx spec: limits: - min: memory: 90Mi cpu: 100m type: Container
参考文献:
https://blog.csdn.net/qq_37746855/article/details/116173976
https://blog.csdn.net/weixin_46152207/article/details/111355788
https://blog.csdn.net/catcher92/article/details/116207040
https://blog.51cto.com/u_14306186/2523096