1-2 k8s-1.17-基于flanne · 運維工作筆記

#### 基礎環境 | 系統 | IP地址 | 節點角色 | CPU | 內存 | 主機名 | | :------------: | :------------: | :------------: | :------------: | :------------: | :------------: | | centos-7.8 |192.168.88.101 | Master | 2 | 2G | docker-2-12-101 | | centos-7.8 |192.168.88.102 | Node| 2 | 2G |docker-2-12-102 | | centos-7.8 |192.168.88.103 | Node| 2 | 2G | docker-2-12-103 | #### 系統初始化部署依賴 ``` yum update yum install -y conntrack ipvsadm ipset jq sysstat curl iptables libseccomp ``` 內核參數優化 ``` cat > /etc/sysctl.d/kubernetes.conf <<EOF net.bridge.bridge-nf-call-iptables=1 net.bridge.bridge-nf-call-ip6tables=1 net.ipv4.ip_forward=1 vm.swappiness=0 vm.overcommit_memory=1 vm.panic_on_oom=0 fs.inotify.max_user_watches=89100 EOF sysctl -p /etc/sysctl.d/kubernetes.conf ``` 關閉服務 ``` # 關閉防火墻 systemctl stop firewalld && systemctl disable firewalld # 重置iptables iptables -F && iptables -X && iptables -F -t nat && iptables -X -t nat && iptables -P FORWARD ACCEPT # 關閉swap(基于性能考慮，初始化參數可以忽略) swapoff -a sed -i '/swap/s/^$.*$$/#\1/g' /etc/fstab # 關閉selinux setenforce 0 # 關閉dnsmasq(否則可能導致docker容器無法解析域名) service dnsmasq stop && systemctl disable dnsmasq ``` 初始化主機名 ``` cat >> /etc/hosts << EOF 192.168.88.101 main-101 c7-docker-101 192.168.88.102 node-102 c7-docker-102 192.168.88.103 node-103 c7-docker-103 EOF ``` 修改Docker的驅動模式為systemmd，請先確認方式一沒有配置/etc/docker/daemon.json ``` cat /etc/docker/daemon.json { ..... "exec-opts": ["native.cgroupdriver=systemd"] ..... } ``` 安裝工具（所有節點） ``` # 配置阿里云yum源 cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=http://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=http://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg http://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF # 安裝 yum install -y kubelet-1.17.9 kubeadm-1.17.9 kubectl-1.17.9 # 啟動不符 systemctl enable kubelet && systemctl start kubelet ``` #### 初始化K8s需要的容器鏡像 ``` kubeadm init \ --apiserver-advertise-address=192.168.88.101 \ --image-repository registry.aliyuncs.com/google_containers \ --kubernetes-version v1.17.9 \ --service-cidr=10.96.0.0/12 \ --pod-network-cidr=10.244.0.0/16 # 配置文件中從阿里云拉取的容器鏡像，速度很快 # 1.16之后參數有變化 experimental-upload-certs更換為upload-certs ``` 初始化管理服務器配置 ``` mkdir -p ~/.kube cp -i /etc/kubernetes/admin.conf ~/.kube/config ``` ##### Node節點加入集群 ``` kubeadm join 192.168.88.233:6443 --token xzp2kb.habisql3vkgyx02d \ --discovery-token-ca-cert-hash sha256:4526f6e8f08a5c5564e5488c5b939753ee26b7fd0c8ca81423af2d4a58c718a6 ``` 如果你忘記了，可以再創建一次加入集群命令 ``` kubeadm token create --print-join-command ``` #### 初始化flannel網絡 ``` # 指定文件啟動 1.17版本之后使用 kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml # 查看狀態 kubectl get pods -n kube-system ``` #### 部署dashboard ``` # 根據版本下載 https://github.com/kubernetes/dashboard/releases # 修改文件,發布端口 spec: type: NodePort ports: - port: 443 targetPort: 8443 nodePort: 30001 # 創建服務 kubectl apply -f /opt/recommended.yaml # 查看服務運行情況 kubectl get services kubernetes-dashboard -n kube-system kubectl --namespace kube-system get pods -o wide ``` 設置dashboard權限 k8s-dashboard-create-admin.yaml ``` apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard # 創建了一個admin-user的用戶，并綁定在kubernetes-dashboard的命名空間下 --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard # 把cluster-admin的角色綁定到admin-user ``` 網上也有人綁定在kube-system空間下，目前還不是很明白獲取token ``` kubectl apply -f k8s-dashboard-create-admin.yaml kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}') ``` 手動建立 ``` # 創建service account kubectl create sa admin-user -n kube-system # 創建角色綁定關系 kubectl create clusterrolebinding admin-user --clusterrole=cluster-admin --serviceaccount=kube-system:admin-user # 獲取token kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}') ``` 訪問node節點IP:30001，然后用toke登錄即可