K8S介绍并使用kubeadm安装k8s1.26.3-Day 01
1. 云原生介绍
1.1 云原生简介
1.2 云原生定义
官网地址:https://github.com/cncf/toc/blob/main/DEFINITION.md#%E4%B8%AD%E6%96%87%E7%89%88%E6%9C%AC
云原生技术有利于各组织在公有云、私有云和混合云等新型动态环境中,构建和运行可弹性扩展的应用。
云原生的代表技术包括容器、服务网格、微服务、不可变基础设施和声明式API。
1.3 云原生技术栈
1.4 云原生景观图
官网地址:https://landscape.cncf.io/
1.5 云原生项目分类
2. K8S介绍
2.1 K8S的来源
2.2 容器化部署的演变过程
2.3 k8s逻辑架构
2.4 K8s组件介绍
2.4.1 kube-apiserver
2.4.1.1 kube-apiserver介绍
Kubernetes API server 提供了k8s各类资源对象的增删改查及watch等HTTP Rest接口,这些对象包括pods、services、
replicationcontrollers等,API Server为REST操作提供服务,并为集群的共享状态提供前端,所有其他组件都通过该前端进行交互,所有交互过程中还包含了鉴权(检测请求是否有权限)和准入(有权限的能行,没权限的报错)。
2.4.1.2 Pod创建过程
(1)客户端请求api-server,api-server收到请求后会先进行权限验证,只有具备相应权限的请求才准入,然后把数据(yaml)写入到etcd中。
(2)由于Scheduler是一直watch(监测)着api-server的,他就会收到这个新的事件,来进行综合的一个调度(预选、优选),调度完成后,返回结果到api-server,由api-server把调度结果写入到etcd。
(3)在node节点上,kubelet会按照事件信息(使用的镜像、容器名、暴露的端口等),来调用容器运行时(docker或者containerd)来对容器进行创建,并把创建结果返回给api-server,由api-server。
(4)在这个过程中,kube-proxy也会从api-server获取到网络事件信息,再调用宿主机内核来修改iptables或者ipvs的规则(如果有nodeport或者netHost的话,外部就能访问了)。
2.4.1.3 Api-Server鉴权准入流程
(1)客户端的请求会先到Api-server进行身份验证(鉴权,验证config配置文件中的证书和key是否合法),api-servcer的地址和客户端的权限信息,默认均来自/root/.kube/config文件,其中server的配置就是api-server地址,由于生产api-server基本都由3个副本组成高可用集群,所以可以把api-server地址放到负载均衡中,然后把负载均衡地址写到config配置文件中。(2)到这里身份验证通过了,证明我们有了一个合法的身份能够和apiserver进行交互,接下来就是验证请求的合法性,比如客户端有一个操作yaml的请求,apiserver会验证yaml的数据是不是正常的(比如少没少字段,缩进有没有问题啥的),有异常的话也是直接报错。(3)如果第二步的请求验证通过的话,这部分数据就会写入到etcd中。
2.4.1.4 Api-Server版本介绍
2.4.1.5 K8s公有云环境架构
2.4.2 kube-scheduler
2.4.2.1 kube-scheduler介绍
kube-scheduler是一个控制面(管理)进程(控制器管理器),负责将 Pods 按照一定的调度策略指派到目的节点上。
kube-scheduler负责分配调度Pod到集群内的节点上,它监听kube-apiserver,查询还未分配Node的Pod,然后根据调度策略为这些Pod分配节点(更新Pod的NodeName字段,也就是pod绑定node),调度完毕后,再把数据返回给api server,由api server把调度结果写入到etcd。
2.4.2.2 调度策略
官方文档:https://v1-26.docs.kubernetes.io/zh-cn/docs/reference/scheduling/policies/
2.4.2.3 调度过程
2.4.3 kube-controller-manager
控制器管理器
2.4.3.1 kube-controller-manager介绍
当pod调度成功并创建后,就由controller-manager来保障pod的稳定运行
controller-manager是Kubernetes的大脑,它通过apiserver监测etcd,来获取整个集群的状态,并确保集群处于预期的工作状态。Controller Manager(控制器管理器)还包括一些子控制器(副本控制器、节点控制器、命名空间控制器和服务账号控制器等),
控制器作为集群内部的管理控制中心,负责集群内的Node、Pod副本、服务端点(Endpoint)、命名空间(Namespace)、服务账号
(ServiceAccount)、资源定额(ResourceQuota)的管理,当某个Node意外宕机时,Controller Manager会及时发现并执行自动化修复
流程,确保集群中的pod副本始终处于预期的工作状态。controller-manager控制器每间隔5秒检查一次节点的状态。
如果controller-manager控制器没有收到自节点的心跳,则将该node节点被标记为不可达。
controller-manager将在标记为无法访问之前等待40秒。
如果该node节点被标记为无法访问后5分钟还没有恢复,controller-manager会删除当前node节点的所有pod并在其它可用节点重建这些
pod。
2.4.3.2 kube-controller-manager高可用
2.4.4 kube-proxy
2.4.4.1 kube-proxy介绍
kube-proxy主要作用是在node上实现容器间的互相访问的,实现方法主要是靠维护节点上的ipvs和iptables规则,来实现目的报文转发。
并且这些规则不需要人为去维护,都是由kube-proxy自动去维护的。
比如访问k8s集群内部域名(xx.svc),其实就是svc代理请求到后端的pod上,也是基于ipvs或iptables规则实现的。
我们每删除或新增一个pod,kube-porxy都会对规则进行相应的变更,kube-proxy为什么会知道呢,是因为它也是一直监听这api-server的。
当我们请求涉及到跨主机时,还会去读我们机器上的路由表(由flannel或calico维护),来实现请求。kube-proxy目前仅支持TCP和UDP,不支持HTTP路由,并且也没有健康检查机制。这些可以通过自定义Ingress Controller的方法来解决。
2.4.4.2 iptable和ipvs
k8s从1.11版本开始,默认就使用ipvs了,原因是因为iptables的性能会有瓶颈,比如node节点已经成百上千了,这个时候就不适合使用iptables了。
2.4.4.3 配置使用IPVS及指定调度算法
2.4.4.4 会话保持
如果希望一段时间内,同一个客户端地址的请求,都转发到同一个pod,可以进行如下配置
2.4.5 kubelet
kubelet是运行在每个worker节点的代理组件,它会监视已分配给节点的pod,具体功能如下:
(1)向api server汇报node节点的状态信息。
(2)接受指令并在Pod中创建 容器(增删改查操作,可以通过配置不同的参数,来调用不同的容器运行时,kubelet --help|grep sock)。
(3)准备Pod所需的数据卷。
(4)返回pod的运行状态。
(5)在node节点执行容器健康检查。
并且创建完毕后,还会定期上报node节点信息和pod状态信息到api server,再存到etcd。
2.4.6 kubectl
是一个通过命令行对kubernetes集群进行管理的客户端工具。kubectl 在 $HOME/.kube 目录中查找一个名为 config 的配置文件。可以通过设置 KUBECONFIG 环境变量或设置 --kubeconfig参数来指定其它 kubeconfig 文件。
2.4.7 etcd
etcd 是CoreOS公司开发目前是Kubernetes默认使用的key-value数据存储系统,用于保存kubernetes的所有集群数据,etcd支持
分布式集群功能,生产环境使用时需要为etcd数据提供定期备份机制。
2.4.8 CoreDNS
DNS负责为整个集群提供DNS服务,从而实现服务之间的访问。(1)解析Kubernetes服务和Pod的DNS名称。当Pod访问其他Pod、Service或外部服务时,需要使用DNS名称来进行通信。
(2)支持服务发现和负载均衡。CoreDNS会自动将Service名称解析为对应的后端Pod IP地址,并且会提供一些扩展的DNS记录类型(如:SRV记录)来支持负载均衡等功能。
(3)支持自定义域名解析。Kubernetes集群中的应用可以使用自定义的域名来进行通信,CoreDNS可以支持这些自定义域名的解析。
(4)支持插件扩展。CoreDNS可以通过插件扩展功能,比如:支持Prometheus监控、支持DNSSEC安全等。# 版本
sky-dns # 早期使用
kube-dns: 1.18 # 1.18停止使用
coredns # 现在主流
2.4.9 Dashboard
Dashboard是基于网页的Kubernetes用户界面,可以使用Dashboard获取运行在集群中的应用的概览信息,也可以创建或者修改Kubernetes资源(如 Deployment,Job,DaemonSet 等等),也可以对Deployment实现弹性伸缩、发起滚动升级、删除 Pod 或者使用向导创建新的应用。
3. containerd安装
3.1 containerd介绍
官方文档:https://github.com/containerd/containerd
containerd 是行业标准的容器运行时,强调简单性、健壮性和可移植性。它可以作为Linux和Windows的守护进程,可以管理其主机系统的整个容器生命周期:映像传输和存储,容器执行和监督,低级存储和网络附件等。并且在containerd中也有namespace这个概念,但是与linux namespace和k8s的namespace无关。
3.2 常见的容器运行时
(1)runc:目前docker和containerd默认的runtime,基于go语言开发,遵循oci规范。
(2)redhat退出的运行时,基于c语言开发,集成在podman内部,遵循oci规范。
(3)gVisor:google推出的运行时,基于go语言开发,遵循oci规范。并且容器运行时还细分为高级和低级
(1)High-Level:高级运行时提供基于API的远程管理操作,客户端可以通过高级别运行时管理容器的整个生命周期(创建、删除、重启、停止),高级别运行时并不真正直接运行容器,而是调用低级别运行时运行,比如dockerd、containerd都是高级别运行时。(2)Low-Level:接受高级别运行时的指令,按照响应的指令运行容器,因此低级别运行时真是运行容器的地方,例如runc。
1.24版本前,k8s创建容器流程
k8s支持运行时图解
3.3 二进制安装containerd
通过官方二进制安装containerd、runc及CNIkubernetes从v1.24.0开始默认使用containerd作为容器运行时,因此需要提前安装好containerd之后在安装v1.24或更高版本的kubernetes(如果要继续使用docker,则需要单独安装docker及cri-dockerd、https:/lgithub.com/Mirantis/cri-dockerd)。
3.3.1 下载安装包并解压
官网地址:https://github.com/containerd/containerd/releases/tag/v1.6.20
[root@containerd ~]# wget https://github.com/containerd/containerd/releases/download/v1.6.20/containerd-1.6.20-linux-amd64.tar.gz[root@containerd ~]# ll -h
total 43M
-rw-r--r-- 1 root root 43M Apr 12 15:27 containerd-1.6.20-linux-amd64.tar.gz[root@containerd ~]# tar xf containerd-1.6.20-linux-amd64.tar.gz
[root@containerd ~]# ll bin/
total 125756
-rwxr-xr-x 1 root root 52255608 Mar 31 04:51 containerd
-rwxr-xr-x 1 root root 7352320 Mar 31 04:51 containerd-shim
-rwxr-xr-x 1 root root 9469952 Mar 31 04:51 containerd-shim-runc-v1
-rwxr-xr-x 1 root root 9486336 Mar 31 04:51 containerd-shim-runc-v2
-rwxr-xr-x 1 root root 23079704 Mar 31 04:51 containerd-stress
-rwxr-xr-x 1 root root 27126424 Mar 31 04:51 ctr
3.3.2 安装containerd并验证
[root@containerd ~]# cp bin/* /usr/local/bin/
[root@containerd ~]# containerd -v # 能显示版本表示安装成功
containerd github.com/containerd/containerd v1.6.20 2806fc1057397dbaeefbea0e4e17bddfbd388f38
3.2.3 配置systemd管理containerd的启停
官网文档:https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
[root@containerd ~]# cat /lib/systemd/system/containerd.service
# Copyright The containerd Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.[Unit]
Description=containerd container runtime
Documentation=https://containerd.io
After=network.target local-fs.target[Service]
#uncomment to enable the experimental sbservice (sandboxed) version of containerd/cri integration
#Environment="ENABLE_CRI_SANDBOXES=sandboxed"
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/usr/local/bin/containerdType=notify
Delegate=yes
KillMode=process
Restart=always
RestartSec=5
# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNPROC=infinity
LimitCORE=infinity
LimitNOFILE=infinity
# Comment TasksMax if your systemd version does not supports it.
# Only systemd 226 and above support this version.
TasksMax=infinity
OOMScoreAdjust=-999[Install]
WantedBy=multi-user.target
3.2.4 编辑配置⽂件
[root@containerd ~]# mkdir /etc/containerd
[root@containerd ~]# containerd config default > /etc/containerd/config.toml# 修改配置文件
sandbox_image = "registry.k8s.io/pause:3.6" # 沙箱镜像,提供pod的底层网络的,这个值默认是国外地址,可修改为国内地址,修改为如下值:
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7" # 修改后的值[plugins."io.containerd.grpc.v1.cri".registry.mirrors] # 镜像仓库地址,这个也需要修改为国内的镜像仓库地址,做镜像加速。具体修改如下:
[plugins."io.containerd.grpc.v1.cri".registry.mirrors][plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] # 就是加了这一行和下面这行endpoint = ["https://9916w1ow.mirror.aliyuncs.com"]
3.2.5 启动containerd
[root@containerd ~]# systemctl start containerd
[root@containerd ~]# systemctl enable containerd
[root@containerd ~]# systemctl status containerd
● containerd.service - containerd container runtimeLoaded: loaded (/usr/lib/systemd/system/containerd.service; enabled; vendor preset: disabled)Active: active (running) since Wed 2023-04-12 16:08:16 CST; 7s ago[root@containerd ~]# ll /run/containerd/containerd.sock
srw-rw---- 1 root root 0 Apr 12 16:08 /run/containerd/containerd.sock
3.4 安装runc
官网地址:https://github.com/opencontainers/runc/releases
3.4.1 下载安装包
[root@containerd ~]# wget https://github.com/opencontainers/runc/releases/download/v1.1.6/runc.amd64
[root@containerd ~]# ll -th
total 52M
-rw-r--r-- 1 root root 9.0M Apr 12 16:25 runc.amd64[root@containerd ~]# chmod a+x runc.amd64
[root@containerd ~]# mv runc.amd64 /usr/bin/runc
3.4.2 下载测试镜像并验证
[root@containerd ~]# ctr images pull docker.io/library/alpine:latest
docker.io/library/alpine:latest: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126: done |++++++++++++++++++++++++++++++++++++++| manifest-sha256:b6ca290b6b4cdcca5b3db3ffa338ee0285c11744b4a6abaa9627746ee3291d8d: done |++++++++++++++++++++++++++++++++++++++| config-sha256:9ed4aefc74f6792b5a804d1d146fe4b4a2299147b0f50eaf2b08435d7b38c27e: done |++++++++++++++++++++++++++++++++++++++| layer-sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09: done |++++++++++++++++++++++++++++++++++++++| elapsed: 7.7 s total: 3.2 Mi (428.2 KiB/s) unpacking linux/amd64 sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126...
done: 218.339004ms[root@containerd ~]# ctr images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/library/alpine:latest application/vnd.docker.distribution.manifest.list.v2+json sha256:124c7d2707904eea7431fffe91522a01e5a861a624ee31d03372cc1d138a3126 3.2 MiB linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le,linux/s390x -
3.4.3 ctr客户端创建测试容器
[root@containerd ~]# ctr run -t --net-host docker.io/library/alpine:latest test-container sh
/ # ls
bin dev etc home lib media mnt opt proc root run sbin srv sys tmp usr var
/ # exit
到这里,containerd就算是安装完成了,但是这个containerd是不能被k8s调用的,因为没有安装CNI插件
3.5 containerd客户端⼯具扩展
介绍crictl及nerdctl的使⽤
3.5.1 客户端工具种类
(1)自带的ctr # 超级难用
(2)kubernetes-sigs的crictl # 这个也不咋地
(3)containerd官网推荐的nerdctl(docker开源) # 这个客户端工具操作起来基本和docker客户端工具差不多
3.5.2 下载安装nerdctl
官网地址:https://github.com/containerd/nerdctl
[root@containerd ~]# wget https://github.com/containerd/nerdctl/releases/download/v1.3.0/nerdctl-1.3.0-linux-amd64.tar.gz[root@containerd ~]# ll -th
total 51M
-rw------- 1 root root 8.9M Apr 12 16:47 nerdctl-1.3.0-linux-amd64.tar.gz
[root@containerd ~]# tar xf nerdctl-1.3.0-linux-amd64.tar.gz -C /usr/local/bin/[root@containerd ~]# nerdctl ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
test-contain docker.io/library/alpine:latest "sh" 24 minutes ago Created
3.5.3 修改配置文件
[root@containerd ~]# mkdir /etc/nerdctl/
[root@containerd ~]# vim /etc/nerdctl/nerdctl.toml
namespace = "k8s.io" # 指定默认的ns
debug = false
debug_full = false
insecure_registry = true # 启用非安全的镜像仓库
3.6 安装CNI网络插件
默认情况下,创建的容器只能使用–net-host网络,如果想使用docker一样的桥接网络,就必须安装该插件
3.6.1 下载并安装
[root@containerd ~]# wget https://github.com/containernetworking/plugins/releases/download/v1.2.0/cni-plugins-linux-amd64-v1.2.0.tgz
[root@containerd ~]# ll -th
total 90M
-rw-r--r-- 1 root root 39M Apr 12 17:21 cni-plugins-linux-amd64-v1.2.0.tgz[root@containerd ~]# mkdir /opt/cni/bin -p
[root@containerd ~]# tar xvf cni-plugins-linux-amd64-v1.2.0.tgz -C /opt/cni/bin/
./
./loopback
./bandwidth
./ptp
./vlan
./host-device
./tuning
./vrf
./sbr
./dhcp
./static
./firewall
./macvlan
./dummy
./bridge
./ipvlan
./portmap
./host-local
3.6.2 创建Nginx测试容器并指定端⼝
[root@containerd ~]# nerdctl run -p 80:80 -d nginx
[root@containerd ~]# nerdctl ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f57e42ef7f39 docker.io/library/nginx:latest "/docker-entrypoint.…" 5 seconds ago Up 0.0.0.0:80->80/tcp nginx-f57e4[root@containerd ~]# curl -I localhost
HTTP/1.1 200 OK
Server: nginx/1.23.4
Date: Wed, 12 Apr 2023 09:30:05 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
Connection: keep-alive
ETag: "64230162-267"
Accept-Ranges: bytes[root@containerd ~]# iptables -t nat -vnL # 这里和docker有点不一样,映射的端口没法通过ss命令查看,只能通过iptables规则来查看
……省略部分内容
Chain CNI-DN-3bab9412690a86a5a3556 (1 references)pkts bytes target prot opt in out source destination 0 0 CNI-HOSTPORT-SETMARK tcp -- * * 10.4.0.0/24 0.0.0.0/0 tcp dpt:801 60 CNI-HOSTPORT-SETMARK tcp -- * * 127.0.0.1 0.0.0.0/0 tcp dpt:801 60 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.4.0.3:80
3.6.3 创建Tomcat测试容器并指定端⼝
[root@containerd ~]# nerdctl run -d -p 8080:8080 --name=tomcat --restart=always tomcat
[root@containerd ~]# nerdctl ps -l
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0ddecf9acc42 docker.io/library/tomcat:latest "catalina.sh run" 10 seconds ago Up 0.0.0.0:8080->8080/tcp tomcat
4. kubeadm安装k8s+containerd
4.1 配置要求
准备3台机器,1M2n,本环境作为学习环境,所以不需要高可用。
root@k8s-master1
root@k8s-node1
root@k8s-node2
4.2 安装containerd
安装过程跟上面一样,只是用脚本代替了
[root@k8s-master1 ~]# tar xf runtime-docker20.10.19-containerd1.6.20-binary-install.tar.gz
[root@k8s-master1 ~]# sh runtime-install.sh containerd[root@k8s-node1 ~]# tar xf runtime-docker20.10.19-containerd1.6.20-binary-install.tar.gz
[root@k8s-node1 ~]# sh runtime-install.sh containerd[root@k8s-node2 ~]# tar xf runtime-docker20.10.19-containerd1.6.20-binary-install.tar.gz
[root@k8s-node2 ~]# sh runtime-install.sh containerd~]# vim /etc/containerd/config.toml # 这里安装完了后 所有机器都要修改containerd的cgroups为systemd,因为kubelet是用的systemd,不改会报错
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]…………SystemdCgroup = true~]# systemctl restart containerd
4.3 安装kubeadm、kubectl、kubelet(1.26.3)
4.3.1 配置hosts文件、kubernetes的yun源
所有机器相同操作
~]# cat /etc/hosts127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.31.200.100 k8s-master1
10.31.200.101 k8s-node1
10.31.200.102 k8s-node2~]# vim /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=kubernetes
baseurl=https://mirrors.tuna.tsinghua.edu.cn/kubernetes/yum/repos/kubernetes-el7-$basearch
enabled=1~]# yum makecache~]# yum list kubeadm --showduplicates | sort -r # 选择指定版本
4.3.2 安装kubeadm、kubectl、kubelet(1.26.3)
所有机器相同操作
~]# yum -y install --nogpgcheck kubeadm-1.26.3-0 kubelet-1.26.3-0 kubectl-1.26.3-0
4.4 下载kubenetes镜像
master节点操作
[root@k8s-master1 ~]# kubeadm config images list --kubernetes-version v1.26.3 # 指定镜像版本
registry.k8s.io/kube-apiserver:v1.26.3
registry.k8s.io/kube-controller-manager:v1.26.3
registry.k8s.io/kube-scheduler:v1.26.3
registry.k8s.io/kube-proxy:v1.26.3
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.6-0
registry.k8s.io/coredns/coredns:v1.9.3# 由于镜像默认都在国外 所以这里需要把镜像地址改到国内
## 方法1
[root@k8s-master1 ~]# cat images-down.sh
#!/bin/bash
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.26.3
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.26.3
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.26.3
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.26.3
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.5.6-0
nerdctl pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.9.3## 方法2
[root@k8s-master1 ~]# kubeadm config images pull --image-repository="registry.cn-hangzhou.aliyuncs.com/google_containers" --kubernetes-version=v1.26.3# 这里我使用第二种办法
[root@k8s-master1 ~]# kubeadm config images pull --image-repository="registry.cn-hangzhou.aliyuncs.com/google_containers" --kubernetes-version=v1.26.3
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.26.3
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.26.3
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.26.3
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.26.3
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.5.6-0
[config/images] Pulled registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:v1.9.3
4.5 内核参数优化
所有机器相同操作
~]# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0# 内核模块开机挂载
~]# cat /etc/sysconfig/modules/ipvs.modules
#!/bin/bash
ipvs_modules="ip_vs ip_vs_lc ip_vs_lblc ip_vs_lblcr ip_vs_rr ip_vs_wrr ip_vs_sh ip_vs_dh ip_vs_fo ip_vs_nq ip_vs_sed ip_vs_ftp ip_vs_sh ip_tables ip_set ipt_set ipt_rpfilter ipt_REJECT ipip xt_set br_netfilter nf_conntrack overlay"
for kernel_module in ${ipvs_modules}; do/sbin/modinfo -F filename ${kernel_module} > /dev/null 2>&1if [ $? -eq 0 ]; then/sbin/modprobe ${kernel_module}fi
done~]# chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep ip_vs
ip_vs_ftp 13079 0
nf_nat 26583 1 ip_vs_ftp
ip_vs_sed 12519 0
ip_vs_nq 12516 0
ip_vs_dh 12688 0
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs_lblcr 12922 0
ip_vs_lblc 12819 0
ip_vs_lc 12516 0
ip_vs 145497 20 ip_vs_dh,ip_vs_lc,ip_vs_nq,ip_vs_rr,ip_vs_sh,ip_vs_ftp,ip_vs_sed,ip_vs_wrr,ip_vs_lblcr,ip_vs_lblc
nf_conntrack 139224 2 ip_vs,nf_nat
libcrc32c 12644 4 xfs,ip_vs,nf_nat,nf_conntrack~]# sysctl -p
net.ipv4.ip_forward = 1
vm.max_map_count = 262144
kernel.pid_max = 4194303
fs.file-max = 1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.netfilter.nf_conntrack_max = 2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness = 0
4.6 kubernetes集群初始化
4.6.1 参数介绍
官方文档:https://v1-26.docs.kubernetes.io/zh-cn/docs/reference/setup-tools/kubeadm/kubeadm-init/
--apiserver-advertise-address=10.31.200.100 # apiserver的地址,这里我写的宿主机IP,因为只有一台master,所以也就是说apiserver没有高可用
--apiserver-bind-port=6443 # apiserver端口
--kubernetes-version=v1.26.3 # k8s版本
--pod-network-cidr=10.100.0.0/16 # pod网络,这个网络最好规划的大一些,防止pod变多后,IP地址不够用,并且该网段不能和公司所有网段相同,不然会出问题
--service-cidr=10.200.0.0/16 # svc网络,注意不能和公司现有网络冲突
--service-dns-domain=cluster.local # svc域名后缀
--image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers # 镜像仓库地址
--ignore-preflight-errors=swap # 如果初始化集群时报swap分区的错误,该配置可以忽略报错
4.6.2 初始化k8s集群
[root@k8s-master1 ~]# kubeadm init --apiserver-advertise-address=10.31.200.100 --apiserver-bind-port=6443 --kubernetes-version=v1.26.3 --pod-network-cidr=10.100.0.0/16 --service-cidr=10.200.0.0/16 --service-dns-domain=cluster.local --image-repository=registry.cn-hangzhou.aliyuncs.com/google_containers --ignore-preflight-errors=swap
…………省略部分输出
Your Kubernetes control-plane has initialized successfully!To start using your cluster, you need to run the following as a regular user:mkdir -p $HOME/.kubesudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/configsudo chown $(id -u):$(id -g) $HOME/.kube/configAlternatively, if you are the root user, you can run:export KUBECONFIG=/etc/kubernetes/admin.confYou should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:https://kubernetes.io/docs/concepts/cluster-administration/addons/Then you can join any number of worker nodes by running the following on each as root:kubeadm join 10.31.200.100:6443 --token 1d0mrm.5wqa777m7xw4eyfr \--discovery-token-ca-cert-hash sha256:717703381134dfadc39a940574012847b6e73c6e6ef6d1288e0f1cc5b0815231[root@k8s-master1 ~]# mkdir -p $HOME/.kube
[root@k8s-master1 ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master1 ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
[root@k8s-master1 ~]# ll .kube/config
-rw------- 1 root root 5637 Apr 14 10:32 .kube/config[root@k8s-master1 ~]# kubectl get no
NAME STATUS ROLES AGE VERSION
k8s-master1 NotReady control-plane 18m v1.26.3
[root@k8s-master1 ~]# kubectl get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-567c556887-2xt64 0/1 Pending 0 18m # 之所以挂起是因为coredns只会安装在node节点,并且还需要安装对应的网络插件
kube-system coredns-567c556887-6lstn 0/1 Pending 0 18m
kube-system etcd-k8s-master1 1/1 Running 0 19m
kube-system kube-apiserver-k8s-master1 1/1 Running 0 19m
kube-system kube-controller-manager-k8s-master1 1/1 Running 4 19m
kube-system kube-proxy-2jgqb 1/1 Running 0 18m
kube-system kube-scheduler-k8s-master1 1/1 Running 4 19m
4.7 添加node节点
所有node节点相同操作
~]# kubeadm join 10.31.200.100:6443 --token 1d0mrm.5wqa777m7xw4eyfr \--discovery-token-ca-cert-hash sha256:717703381134dfadc39a940574012847b6e73c6e6ef6d1288e0f1cc5b0815231
[preflight] Running pre-flight checks[WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service'
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
master节点查看节点
[root@k8s-master1 ~]# kubectl get no # 这里节点都是notready是因为还没安装网络插件
NAME STATUS ROLES AGE VERSION
k8s-master1 NotReady control-plane 7m13s v1.26.3
k8s-node1 NotReady <none> 4m24s v1.26.3
k8s-node2 NotReady <none> 9s v1.26.3
4.8 安装网络插件calico
k8s官方文档:https://v1-26.docs.kubernetes.io/zh-cn/docs/concepts/cluster-administration/addons/#networking-and-network-policy
Calico官方文档:https://docs.tigera.io/calico/latest/getting-started/kubernetes/self-managed-onprem/onpremises#install-calico
4.8.1 准备calico的yaml清单
官网下的yaml一共有四千多行,这里就不贴出来了,就说下需要变更的地方
- name: FELIX_WIREGUARDMTU # 搜这个值,也是唯一的
……省略部分内容key: veth_mtu
# 下面的配置默认就有,只是注释了,取消注释就行
- name: CALICO_IPV4POOL_CIDRvalue: "10.100.0.0/16" # 这个和pod网段相同,不然没法建立路由关系
# 下面新增内容
# 自定义子网范围
- name: CALICO_IPV4POOL_BLOCK_SIZEvalue: "24" # 这里默认是给每个节点分配了一个26位的小子网,手动调整为24,免得机器多了不够用。如果手动配置的还是不够,它会自己再划分一个。## 搜索
- name: CLUSTER_TYPE # 搜这个值,这个值唯一value: "k8s,bgp"
# 指定基于eth0网卡IP建立BGP连接。默认为服务器的第一块网卡,https://projectcalico.docs.tigera.io/reference/node/configuration
- name: IP_AUTODETECTION_METHOD # 添加这两行value: "interface=ens192" # 如果宿主机只有一块网卡,这两个配置可以不加,如果有多块网卡,就一定要加,来指定一块具体的网卡。还有一种情况,就是网卡名称不固定,如ens33、ens110这种,每台机都不同,那可以使用通配符的方式,如:value: "interface=ens.*"# 还有一个注意事项,如果宿主机无法上外网,这个yaml中的镜像需要提前下载下来
4.8.2 创建calico
[root@k8s-master1 yaml]# kubectl get po -A|grep -v Running
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-5857bf8d58-p8f6b 0/1 Pending 0 28s
kube-system calico-node-b9wnj 0/1 Init:0/3 0 28s
kube-system calico-node-sv744 0/1 Init:0/3 0 28s
kube-system calico-node-t96xz 0/1 Init:0/3 0 28s
kube-system coredns-567c556887-2nmwr 0/1 Pending 0 145m
kube-system coredns-567c556887-xds46 0/1 Pending 0 145m[root@k8s-master1 yaml]# kubectl get po -A|grep -v Running
NAMESPACE NAME
[root@k8s-master1 yaml]# kubectl get no # 这里可以看到都Ready了
NAME STATUS ROLES AGE VERSION
k8s-master1 Ready control-plane 162m v1.26.3
k8s-node1 Ready <none> 159m v1.26.3
k8s-node2 Ready <none> 155m v1.26.3
4.9 配置kube-proxy使用ipvs
4.9.1 修改kube-proxy的configmap
[root@k8s-master1 ~]# kubectl get cm -A |grep proxy
kube-system kube-proxy 2 3h28m
[root@k8s-master1 ~]# kubectl edit cm -n kube-system kube-proxy
……省略部分内容ipvs:excludeCIDRs: nullminSyncPeriod: 0sscheduler: ""strictARP: falsesyncPeriod: 0stcpFinTimeout: 0stcpTimeout: 0sudpTimeout: 0skind: KubeProxyConfigurationmetricsBindAddress: ""mode: "ipvs" # 这个默认是空值,加个ipvs退出# 然后这里为了验证之前的所有配置都是重启也能继续生效的,所以重启下所有节点
~]# reboot
4.9.2 检查集群
~]# ipvsadm -Ln # 有下面的输出就行了(这个命令需要安装)
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.200.0.1:443 rr-> 10.31.200.100:6443 Masq 1 4 0
TCP 10.200.0.10:53 rr-> 10.100.113.4:53 Masq 1 0 0 -> 10.100.113.5:53 Masq 1 0 0
TCP 10.200.0.10:9153 rr-> 10.100.113.4:9153 Masq 1 0 0 -> 10.100.113.5:9153 Masq 1 0 0
UDP 10.200.0.10:53 rr-> 10.100.113.4:53 Masq 1 0 0 -> 10.100.113.5:53 Masq 1 0 0
4.10 部署web服务
[root@k8s-master1 yaml]# cat nginx.yaml
apiVersion: v1
kind: Namespace
metadata:name: myserver
---
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:labels:app: myserver-nginx-deployment-labelname: myserver-nginx-deploymentnamespace: myserver
spec:replicas: 1selector:matchLabels:app: myserver-nginx-selectortemplate:metadata:labels:app: myserver-nginx-selectorspec:containers:- name: myserver-nginx-containerimage: nginx#command: ["/apps/tomcat/bin/run_tomcat.sh"]#imagePullPolicy: IfNotPresentimagePullPolicy: Alwaysports:- containerPort: 80protocol: TCPname: http- containerPort: 443protocol: TCPname: httpsenv:- name: "password"value: "123456"- name: "age"value: "18"
# resources:
# limits:
# cpu: 2
# memory: 2Gi
# requests:
# cpu: 500m
# memory: 1Gi---
kind: Service
apiVersion: v1
metadata:labels:app: myserver-nginx-service-labelname: myserver-nginx-servicenamespace: myserver
spec:type: NodePortports:- name: httpport: 80protocol: TCPtargetPort: 80nodePort: 30004- name: httpsport: 443protocol: TCPtargetPort: 443nodePort: 30443selector:app: myserver-nginx-selector[root@k8s-master1 yaml]# kubectl apply -f nginx.yaml
namespace/myserver created
deployment.apps/myserver-nginx-deployment created
service/myserver-nginx-service created[root@k8s-master1 yaml]# cat tomcat.yaml
apiVersion: v1
kind: Namespace
metadata:name: myserver
---
kind: Deployment
#apiVersion: extensions/v1beta1
apiVersion: apps/v1
metadata:labels:app: myserver-tomcat-app1-deployment-labelname: myserver-tomcat-app1-deploymentnamespace: myserver
spec:replicas: 1selector:matchLabels:app: myserver-tomcat-app1-selectortemplate:metadata:labels:app: myserver-tomcat-app1-selectorspec:containers:- name: myserver-tomcat-app1-containerimage: registry.cn-hangzhou.aliyuncs.com/zhangshijie/tomcat-app1:v1#command: ["/apps/tomcat/bin/run_tomcat.sh"]#imagePullPolicy: IfNotPresentimagePullPolicy: Alwaysports:- containerPort: 8080protocol: TCPname: httpenv:- name: "password"value: "123456"- name: "age"value: "18"
# resources:
# limits:
# cpu: 2
# memory: 2Gi
# requests:
# cpu: 500m
# memory: 1Gi---
kind: Service
apiVersion: v1
metadata:labels:app: myserver-tomcat-app1-service-labelname: myserver-tomcat-app1-servicenamespace: myserver
spec:type: NodePortports:- name: httpport: 80protocol: TCPtargetPort: 8080nodePort: 30005selector:app: myserver-tomcat-app1-selector[root@k8s-master1 yaml]# kubectl apply -f tomcat.yaml
namespace/myserver unchanged
deployment.apps/myserver-tomcat-app1-deployment created
service/myserver-tomcat-app1-service created[root@k8s-master1 yaml]# kubectl get po,svc -n myserver
NAME READY STATUS RESTARTS AGE
pod/myserver-nginx-deployment-596d5d9799-dstzh 1/1 Running 0 4m18s
pod/myserver-tomcat-app1-deployment-6bb596979f-v5gn6 1/1 Running 0 3m5sNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/myserver-nginx-service NodePort 10.200.98.47 <none> 80:30004/TCP,443:30443/TCP 4m18s
service/myserver-tomcat-app1-service NodePort 10.200.109.47 <none> 80:30005/TCP 3m6s
访问测试
5. 部署官⽅dashboard
推荐dashboard
kuboard:https://www.kuboard.cn/
5.1 准备yaml
[root@k8s-master1 ~]# cd yaml/
[root@k8s-master1 yaml]# ls
calico-3.25.1.yaml nginx.yaml tomcat.yaml
[root@k8s-master1 yaml]# mkdir dashboard-v2.7.0
[root@k8s-master1 yaml]# cd dashboard-v2.7.0
[root@k8s-master1 dashboard-v2.7.0]# ls
admin-secret.yaml admin-user.yaml dashboard-v2.7.0.yaml[root@k8s-master1 dashboard-v2.7.0]# cat admin-secret.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:name: dashboard-admin-usernamespace: kubernetes-dashboard annotations:kubernetes.io/service-account.name: "admin-user"[root@k8s-master1 dashboard-v2.7.0]# cat admin-secret.yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:name: dashboard-admin-usernamespace: kubernetes-dashboard annotations:kubernetes.io/service-account.name: "admin-user"
[root@k8s-master1 dashboard-v2.7.0]# cat admin-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:name: admin-usernamespace: kubernetes-dashboard---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: admin-user
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: cluster-admin
subjects:
- kind: ServiceAccountname: admin-usernamespace: kubernetes-dashboard[root@k8s-master1 dashboard-v2.7.0]# cat dashboard-v2.7.0.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.apiVersion: v1
kind: Namespace
metadata:name: kubernetes-dashboard---apiVersion: v1
kind: ServiceAccount
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard---kind: Service
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard
spec:type: NodePortports:- port: 443targetPort: 8443nodePort: 30000selector:k8s-app: kubernetes-dashboard---apiVersion: v1
kind: Secret
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-certsnamespace: kubernetes-dashboard
type: Opaque---apiVersion: v1
kind: Secret
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-csrfnamespace: kubernetes-dashboard
type: Opaque
data:csrf: ""---apiVersion: v1
kind: Secret
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-key-holdernamespace: kubernetes-dashboard
type: Opaque---kind: ConfigMap
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard-settingsnamespace: kubernetes-dashboard---kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard
rules:# Allow Dashboard to get, update and delete Dashboard exclusive secrets.- apiGroups: [""]resources: ["secrets"]resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]verbs: ["get", "update", "delete"]# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.- apiGroups: [""]resources: ["configmaps"]resourceNames: ["kubernetes-dashboard-settings"]verbs: ["get", "update"]# Allow Dashboard to get metrics.- apiGroups: [""]resources: ["services"]resourceNames: ["heapster", "dashboard-metrics-scraper"]verbs: ["proxy"]- apiGroups: [""]resources: ["services/proxy"]resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]verbs: ["get"]---kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboard
rules:# Allow Metrics Scraper to get metrics from the Metrics server- apiGroups: ["metrics.k8s.io"]resources: ["pods", "nodes"]verbs: ["get", "list", "watch"]---apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard
roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: kubernetes-dashboard
subjects:- kind: ServiceAccountname: kubernetes-dashboardnamespace: kubernetes-dashboard---apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:name: kubernetes-dashboard
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: kubernetes-dashboard
subjects:- kind: ServiceAccountname: kubernetes-dashboardnamespace: kubernetes-dashboard---kind: Deployment
apiVersion: apps/v1
metadata:labels:k8s-app: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard
spec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:k8s-app: kubernetes-dashboardtemplate:metadata:labels:k8s-app: kubernetes-dashboardspec:securityContext:seccompProfile:type: RuntimeDefaultcontainers:- name: kubernetes-dashboardimage: kubernetesui/dashboard:v2.7.0imagePullPolicy: Alwaysports:- containerPort: 8443protocol: TCPargs:- --auto-generate-certificates- --namespace=kubernetes-dashboard# Uncomment the following line to manually specify Kubernetes API server Host# If not specified, Dashboard will attempt to auto discover the API server and connect# to it. Uncomment only if the default does not work.# - --apiserver-host=http://my-address:portvolumeMounts:- name: kubernetes-dashboard-certsmountPath: /certs# Create on-disk volume to store exec logs- mountPath: /tmpname: tmp-volumelivenessProbe:httpGet:scheme: HTTPSpath: /port: 8443initialDelaySeconds: 30timeoutSeconds: 30securityContext:allowPrivilegeEscalation: falsereadOnlyRootFilesystem: truerunAsUser: 1001runAsGroup: 2001volumes:- name: kubernetes-dashboard-certssecret:secretName: kubernetes-dashboard-certs- name: tmp-volumeemptyDir: {}serviceAccountName: kubernetes-dashboardnodeSelector:"kubernetes.io/os": linux# Comment the following tolerations if Dashboard must not be deployed on mastertolerations:- key: node-role.kubernetes.io/mastereffect: NoSchedule---kind: Service
apiVersion: v1
metadata:labels:k8s-app: dashboard-metrics-scrapername: dashboard-metrics-scrapernamespace: kubernetes-dashboard
spec:ports:- port: 8000targetPort: 8000selector:k8s-app: dashboard-metrics-scraper---kind: Deployment
apiVersion: apps/v1
metadata:labels:k8s-app: dashboard-metrics-scrapername: dashboard-metrics-scrapernamespace: kubernetes-dashboard
spec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:k8s-app: dashboard-metrics-scrapertemplate:metadata:labels:k8s-app: dashboard-metrics-scraperspec:securityContext:seccompProfile:type: RuntimeDefaultcontainers:- name: dashboard-metrics-scraperimage: kubernetesui/metrics-scraper:v1.0.8ports:- containerPort: 8000protocol: TCPlivenessProbe:httpGet:scheme: HTTPpath: /port: 8000initialDelaySeconds: 30timeoutSeconds: 30volumeMounts:- mountPath: /tmpname: tmp-volumesecurityContext:allowPrivilegeEscalation: falsereadOnlyRootFilesystem: truerunAsUser: 1001runAsGroup: 2001serviceAccountName: kubernetes-dashboardnodeSelector:"kubernetes.io/os": linux# Comment the following tolerations if Dashboard must not be deployed on mastertolerations:- key: node-role.kubernetes.io/mastereffect: NoSchedulevolumes:- name: tmp-volumeemptyDir: {}
5.2 部署dashboard并创建账户及授权
[root@k8s-master1 dashboard-v2.7.0]# kubectl create ns kubernetes-dashboard
[root@k8s-master1 dashboard-v2.7.0]# kubectl apply -f admin-user.yaml -f admin-secret.yaml -f dashboard-v2.7.0.yaml[root@k8s-master1 dashboard-v2.7.0]# kubectl get po,svc -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-7bc864c59-4fvxj 1/1 Running 0 6m7s
pod/kubernetes-dashboard-6c7ccbcf87-zxs8c 1/1 Running 0 6m7sNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.200.234.72 <none> 8000/TCP 6m7s
service/kubernetes-dashboard NodePort 10.200.125.63 <none> 443:30000/TCP 6m8s
5.3 获取登录token
[root@k8s-master1 dashboard-v2.7.0]# kubectl get secret -A |grep admin
kubernetes-dashboard dashboard-admin-user kubernetes.io/service-account-token 3 3m13s[root@k8s-master1 dashboard-v2.7.0]# kubectl describe secret -n kubernetes-dashboard dashboard-admin-user
Name: dashboard-admin-user
Namespace: kubernetes-dashboard
Labels: <none>
Annotations: kubernetes.io/service-account.name: admin-userkubernetes.io/service-account.uid: f81fa465-9691-43ed-ac9c-d3080a93f6c9Type: kubernetes.io/service-account-tokenData
====
ca.crt: 1099 bytes
namespace: 20 bytes
token: # 复制这个
eyJhbGciOiJSUzI1NiIsImtpZCI6IkpRMHdMN1RKTW1MTVp3MmQ1dkxvcGpVal9XWXp6eUFyNWZiU2tldFR2aW8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiZjgxZmE0NjUtOTY5MS00M2VkLWFjOWMtZDMwODBhOTNmNmM5Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmFkbWluLXVzZXIifQ.XUuCUy5_Zx3CRMzuNCaOFnYGsAzWIs07xo_Azn9ywTJk6kBWRsp-pEtZ-7r4FuPeXgfpEiCgBIJ9XkKVIEJ0hUoNL31v-l4vdGs8TKbFY0xE1t2uFGeab3pVS3iKlVTlgaJCerK5xZWkgCXkGZu3yYyq-giWekWy2zbASJPRZU5QlirUBvds6N4tdWYzuEf-GucsBLPd920FDRBjQb6SLvu8cKtWUygAnJZiTvBpM1GH-jMk22D_Ue5RxPlr3oJxuNtRhyQHjJPU8B8-AMoDVnXl_Mv34QnthnmvS3uxxjhJKemeKh_TDLCgRVQlGOfNWVcuSBi9Dw5bxqUFah_TuA
5.4 登录dashboard
K8S介绍并使用kubeadm安装k8s1.26.3-Day 01相关推荐
- K8s介绍及离线安装(四)
K8s介绍及离线安装(四) 离线安装kubernetes 一.资源 百度网盘: 链接: https://pan.baidu.com/s/1mhw5wF5pA1GYPp_aByplOA 提取码: W12 ...
- k8s技术预研3--使用kubeadm安装、配置Kubernetes集群以及进行故障排查的方法
一.软硬件环境 采用CentOS7.4 minimual,docker 1.12,kubeadm 1.7.5,etcd 3.0, k8s 1.7.6 本章节以下配置内容需要在全部节点上都做配置.我们这 ...
- kubeadm安装K8S单master双节点集群
宿主机: master:172.16.40.97 node1:172.16.40.98 node2:172.16.40.99 # 一.k8s初始化环境:(三台宿主机) 关闭防火墙和selinux sy ...
- 深入玩转K8S之使用kubeadm安装Kubernetes v1.10以及常见问题解答
原文链接:http://blog.51cto.com/devingeng/2096495 关于K8S: Kubernetes是Google开源的容器集群管理系统.它构建于docker技术之上,为容器化 ...
- 使用kubeadm安装k8s
1.系统yum源配置 centos下载地址:推荐大家使用centos7.6以上版本. http://mirrors.aliyun.com/centos/7/isos/x86_64/ 查看centos系 ...
- 从0开始安装k8s1.25【最新k8s版本——20220904】
文章目录 从0开始安装k8s1.25 一.准备工作 1.安装Vmware和虚拟机CentOS 2.虚拟机CentOS环境初始化 3.安装容器运行时Containerd 二.安装kubelet kube ...
- centos7下使用kubeadm安装k8s
kubeadm是官方社区推出的一个用于快速部署kubernetes集群的工具.这个工具能通过两条指令完成一个kubernetes集群的部署. 在开始之前,部署Kubernetes集群机器需要满足以下几 ...
- 用Kubeadm安装K8s后,kube-flannel-ds一直CrashLoopBackOff
2019独角兽企业重金招聘Python工程师标准>>> 如果使用Kubeadm安装K8s集群,在安装flannel网络插件后,发现pod: kube-flannel-ds 一直是Cr ...
- (亲测无坑)Centos7.x使用kubeadm安装K8s集群1.15.0版本
基础环境配置 三台Centos7.x的服务器,主节点 cpu >=2,node节点>=1 注:(上述cpu为最低配置,否则集群安装部署会报错,无法启动,对其他硬件无硬性要求) 以下操作若无 ...
最新文章
- 我是怎么提高单片机编程能力的?
- 程序员的日常竟然是这样,真的是又心疼又好笑······
- 区分Debug版还是Relase版
- 国产毫米波雷达领域的领头羊,木牛科技将在明年量产77GHz汽车雷达
- vba把json转数组中_JavaScript 中的“黑话”
- 消息推送服务器令牌,小程序-消息推送配置Token令牌错误校验失败如何解决
- iOS----------APP怎样做更安全
- 李昌镐究竟是不是神?
- secoclient
- 东南部海域有7、8级大风 华北平原大气扩散条件转差
- 美团工作10个月心得
- AutoCAD中添加块和块参照(转载)
- 熬夜淦了近 3W 字的 Docker 教程,从入门到精通(建议收藏)
- 2011年09月04日
- 爬取图片,并按比例划分数据集
- 触摸传递 Touch Delivery
- 详解如何进入、退出docker容器的方法
- Spring懒加载机制原理和配置讲解
- extern 用法简单示例
- 泰森多边形(Voronoi图)生成算法
热门文章
- 软件测试的艺术第六章总结
- SSO流程(一图流)
- oracle数据库查询下级_Oracle数据库递归查询
- 陕西省初级职称评审条件真的很简单
- linux typeof 头文件,C语言typeof详解
- 摄影基础教程第三天(二)
- 张益博计算机学院,张 益
- 图的最短路径--单源、多源最短路径
- 专升本资料怎么找?可以通过哪些渠道找到?
- Module build failed: TypeError: this.getOptions is not a function at Object.loader