文章前言
Kubernetes是一个开源的容器编排平台,它提供了一种简单、高效的方式来管理容器应用程序的部署、扩展和运行。随着容器技术的不断发展和普及,越来越多的企业开始选择Kubernetes作为他们的容器编排平台。本文将介绍如何在自己的本地环境中快速搭建一个简单的Kubernetes集群,并演示如何通过Kubernetes部署应用程序,读者可以通过本文深入了解Kubernetes的相关知识,并掌握在实践中部署和管理Kubernetes集群的技巧。
基本环境
-
K8s_master:192.168.17.144
-
K8S_Node2:192.168.17.145
-
K8S_Node3:192.168.17.146
搭建流程
改主机名
在各个主机中设置主机名并重启主机:
hostnamectl --static set-hostname masterhostnamectl --static set-hostname node1hostnamectl --static set-hostname node2
关防火墙
在各个各主机中执行以下命令关闭防火墙:
systemctl stop firewalld & systemctl disable firewalldsystemctl stop iptables & systemctl disable iptablessed -i 's/enforcing/disabled/' /etc/selinux/configsetenforce 0
静态地址
vi /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"PROXY_METHOD="none"BROWSER_ONLY="no"BOOTPROTO="static"IPADDR="192.168.17.146"NETMASK="255.255.255.0"GATEWAY="192.168.17.2"DNS1="192.168.17.2"DEFROUTE="yes"IPV4_FAILURE_FATAL="no"IPV6INIT="yes"IPV6_AUTOCONF="yes"IPV6_DEFROUTE="yes"IPV6_FAILURE_FATAL="no"IPV6_ADDR_GEN_MODE="stable-privacy"NAME="ens33"UUID="a6086f47-f55c-42d8-9464-81ebc1a587a6"DEVICE="ens33"ONBOOT="yes"
之后重启网卡:
service network restart
修改SSH
修改/etc/ssh/sshd_config:
PasswordAuthentication yes
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
网络转发
编辑/etc/sysctl.d/kubernetes.conf文件修改以下内容:
net.bridge.bridge-nf-call-ip6tables = 1net.bridge.bridge-nf-call-iptables = 1net.ipv4.ip_forward = 1
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
#重载配置sysctl -p
#加载网桥过滤模块modprobe br_netfilter
#查看网桥过滤模块是否加载成功lsmod | grep br_netfilter
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
PasswordAuthentication yes
编辑/etc/sysctl.d/kubernetes.conf文件修改以下内容:
net.bridge.bridge-nf-call-ip6tables = 1net.bridge.bridge-nf-call-iptables = 1net.ipv4.ip_forward = 1
#重载配置sysctl -p#加载网桥过滤模块modprobe br_netfilter#查看网桥过滤模块是否加载成功lsmod | grep br_netfilter
配置IPVS
在各个主机中执行以下命令来配置IPVS
cat <<EOF > /etc/sysconfig/modules/ipvs.modulesmodprobe -- ip_vsmodprobe -- ip_vs_rrmodprobe -- ip_vs_wrrmodprobe -- ip_vs_shmodprobe -- nf_conntrack_ipv4EOFchmod +x /etc/sysconfig/modules/ipvs.modules/bin/bash /etc/sysconfig/modules/ipvs.moduleslsmod | grep -e ip_vs -e nf_conntrack_ipv4
配置HOST
在各个主机中执行以下命令:
cat <<EOF > /etc/hosts192.168.17.144 master192.168.17.145 node1192.168.17.146 node2EOF
配置仓库
在各个主机中配置kubernetes.repo
cat <<EOF > /etc/yum.repos.d/kubernetes.repo[kubernetes]name=Kubernetesbaseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/enabled=1gpgcheck=0repo_gpgcheck=1gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpgEOF
Dockers
访问https://cr.console.aliyun.com/获取镜像加速地址:
配置镜像加速源:
sudo mkdir -p /etc/dockersudo tee /etc/docker/daemon.json <<-'EOF'{"registry-mirrors": ["https://x.x.x.x"]}EOFsudo systemctl daemon-reload
关闭Swap内存交互机制
vi /etc/fstab
安装指定版本的docker:
https://blog.csdn.net/Fly_hps/article/details/122253570
修改docker.service
vi /usr/lib/systemd/system/docker.serviceExecReload=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
安装组件
yum install --setopt=obsoletes=0 kubeadm-1.17.4-0 kubelet-1.17.4-0 -y
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
配置代理
在各主机修改/etc/sysconfig/kubelet
KUBELET_CGROUP_ARGS="--cgroup-driver=systemd"KUBE_PROXY_MODE="ipvs"
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
创建集群
各主机执行:
systemctl enable kubelet.servicesystemctl start kubelet.service
![K8s实践之Kubernetes部署]( "K8s实践之Kubernetes部署")
vi /usr/lib/systemd/system/docker.serviceExecReload=/sbin/iptables -I FORWARD -s 0.0.0.0/0 -j ACCEPT
yum install --setopt=obsoletes=0 kubeadm-1.17.4-0 kubelet-1.17.4-0 -y
KUBELET_CGROUP_ARGS="--cgroup-driver=systemd"KUBE_PROXY_MODE="ipvs"
systemctl enable kubelet.servicesystemctl start kubelet.service
master执行
kubeadm init--apiserver-advertise-address=192.168.17.144--image-repository registry.aliyuncs.com/google_containers--kubernetes-version=v1.17.4--pod-network-cidr=192.244.0.0/16--service-cidr=192.96.0.0/12
#旧的kubeadm join 192.168.17.144:6443 --token 17vum6.bkj95pe9o10ocfnl--discovery-token-ca-cert-hash sha256:af749e1e16b585f26bc94aa71f0af2942dca25710b80389b7b99c76f6ad30657#新的kubeadm join 192.168.17.144:6443 --token jrf3db.9saki4l3rwkzrb13--discovery-token-ca-cert-hash sha256:df9c74fb6a2a02a72cc6c8c1b0d241d563bf32149ebc6dec918029712c674bb2
在master主机执行以下命令:
mkdir -p $HOME/.kubecp -i /etc/kubernetes/admin.conf $HOME/.kube/configchown $(id -u):$(id -g) $HOME/.kube/config
在node主机中执行以下命令:
mkdir -p $HOME/.kubecp -i /home/root/admin.conf $HOME/.kube/configchown $(id -u):$(id -g) $HOME/.kube/config
节点入群
在node节点中执行以下命令加入集群:
kubeadm join 192.168.17.144:6443 --token 17vum6.bkj95pe9o10ocfnl--discovery-token-ca-cert-hash sha256:af749e1e16b585f26bc94aa71f0af2942dca25710b80389b7b99c76f6ad30657
flannel
master主机需要安装flannel,否则节点一直处于noready
wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.ymlkubectl apply -f kube-flannel.ymlkubectl get nodes
查看master节点镜像:
docker images
查看所有命令空间和命名空间下的pod:
kubectl get pods -n kube-system
Nginx
在maste主机上执行以下命令:
kubectl create deployment nginx --image=nginx:1.14-alpinekubectl get deploykubectl describe pod nginx-6867cdf567-9tbg9
创建SVC
kubectl expose deploy nginx --port=80 --target-port=80 --type=NodePortservice/nginx exposed
外部访问
master节点ip+svc中的ports端口
kubectl get svc
之后在浏览器中访问:
查看pod的IP地址:
kubectl get pod -o wide
控制面板
Step 1:下载yaml文件
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
Step 2:修改YAML文件
# Copyright 2017 The Kubernetes Authors.## Licensed under the Apache License, Version 2.0 (the "License");# you may not use this file except in compliance with the License.# You may obtain a copy of the License at## http://www.apache.org/licenses/LICENSE-2.0## Unless required by applicable law or agreed to in writing, software# distributed under the License is distributed on an "AS IS" BASIS,# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.# See the License for the specific language governing permissions and# limitations under the License.apiVersion: v1kind: Namespacemetadata:name: kubernetes-dashboard---apiVersion: v1kind: ServiceAccountmetadata:labels:: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboard---kind: ServiceapiVersion: v1metadata:labels:: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardspec:type: NodePortports:port: 443nodePort: 30001targetPort: 8443selector:: kubernetes-dashboard---apiVersion: v1kind: Secretmetadata:labels:: kubernetes-dashboardname: kubernetes-dashboard-certsnamespace: kubernetes-dashboardtype: Opaque---apiVersion: v1kind: Secretmetadata:labels:: kubernetes-dashboardname: kubernetes-dashboard-csrfnamespace: kubernetes-dashboardtype: Opaquedata:csrf: ""---apiVersion: v1kind: Secretmetadata:labels:: kubernetes-dashboardname: kubernetes-dashboard-key-holdernamespace: kubernetes-dashboardtype: Opaque---kind: ConfigMapapiVersion: v1metadata:labels:: kubernetes-dashboardname: kubernetes-dashboard-settingsnamespace: kubernetes-dashboard---kind: RoleapiVersion: rbac.authorization.k8s.io/v1metadata:labels:: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardrules:# Allow Dashboard to get, update and delete Dashboard exclusive secrets.apiGroups: [""]resources: ["secrets"]resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]verbs: ["get", "update", "delete"]# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.apiGroups: [""]resources: ["configmaps"]resourceNames: ["kubernetes-dashboard-settings"]verbs: ["get", "update"]# Allow Dashboard to get metrics.apiGroups: [""]resources: ["services"]resourceNames: ["heapster", "dashboard-metrics-scraper"]verbs: ["proxy"]apiGroups: [""]resources: ["services/proxy"]resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]verbs: ["get"]---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1metadata:labels:: kubernetes-dashboardname: kubernetes-dashboardrules:# Allow Metrics Scraper to get metrics from the Metrics serverapiGroups: ["metrics.k8s.io"]resources: ["pods", "nodes"]verbs: ["get", "list", "watch"]---apiVersion: rbac.authorization.k8s.io/v1kind: RoleBindingmetadata:labels:: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardroleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: kubernetes-dashboardsubjects:kind: ServiceAccountname: kubernetes-dashboardnamespace: kubernetes-dashboard---apiVersion: rbac.authorization.k8s.io/v1kind: ClusterRoleBindingmetadata:name: kubernetes-dashboardroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: kubernetes-dashboardsubjects:kind: ServiceAccountname: kubernetes-dashboardnamespace: kubernetes-dashboard---kind: DeploymentapiVersion: apps/v1metadata:labels:: kubernetes-dashboardname: kubernetes-dashboardnamespace: kubernetes-dashboardspec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:: kubernetes-dashboardtemplate:metadata:labels:: kubernetes-dashboardspec:nodeName: mastercontainers:name: kubernetes-dashboardimage: kubernetesui/dashboard:v2.0.0-beta8imagePullPolicy: Alwaysports:containerPort: 8443protocol: TCPargs:--auto-generate-certificates--namespace=kubernetes-dashboard# Uncomment the following line to manually specify Kubernetes API server Host# If not specified, Dashboard will attempt to auto discover the API server and connect# to it. Uncomment only if the default does not work.# - --apiserver-host=http://my-address:portvolumeMounts:name: kubernetes-dashboard-certsmountPath: /certs# Create on-disk volume to store exec logsmountPath: /tmpname: tmp-volumelivenessProbe:httpGet:scheme: HTTPSpath: /port: 8443initialDelaySeconds: 30timeoutSeconds: 30securityContext:allowPrivilegeEscalation: falsereadOnlyRootFilesystem: truerunAsUser: 1001runAsGroup: 2001volumes:name: kubernetes-dashboard-certssecret:secretName: kubernetes-dashboard-certsname: tmp-volumeemptyDir: {}serviceAccountName: kubernetes-dashboardnodeSelector:: linux# Comment the following tolerations if Dashboard must not be deployed on mastertolerations:key: node-role.kubernetes.io/mastereffect: NoSchedule---kind: ServiceapiVersion: v1metadata:labels:: dashboard-metrics-scrapername: dashboard-metrics-scrapernamespace: kubernetes-dashboardspec:ports:port: 8000targetPort: 8000selector:: dashboard-metrics-scraper---kind: DeploymentapiVersion: apps/v1metadata:labels:: dashboard-metrics-scrapername: dashboard-metrics-scrapernamespace: kubernetes-dashboardspec:replicas: 1revisionHistoryLimit: 10selector:matchLabels:: dashboard-metrics-scrapertemplate:metadata:labels:: dashboard-metrics-scraperannotations:: 'runtime/default'spec:containers:name: dashboard-metrics-scraperimage: kubernetesui/metrics-scraper:v1.0.1ports:containerPort: 8000protocol: TCPlivenessProbe:httpGet:scheme: HTTPpath: /port: 8000initialDelaySeconds: 30timeoutSeconds: 30volumeMounts:mountPath: /tmpname: tmp-volumesecurityContext:allowPrivilegeEscalation: falsereadOnlyRootFilesystem: truerunAsUser: 1001runAsGroup: 2001serviceAccountName: kubernetes-dashboardnodeSelector:: linux# Comment the following tolerations if Dashboard must not be deployed on mastertolerations:key: node-role.kubernetes.io/mastereffect: NoSchedulevolumes:name: tmp-volumeemptyDir: {}
Step 3:下载镜像
docker pull kubernetesui/dashboard:v2.0.0-beta8
Step 4:进行部署操作
#部署操作kubectl apply -f recommended.yaml#删除操作kubectl delete -f recommended.yaml
Step 5:查看pod和service状态
kubectl get pods,svc -n kubernetes-dashboard -o wide
Step 6:查看所有的pod
kubectl get pods --all-namespaces -o wide
Step 7:在浏览器中访问,选择用默认用户kubernetes-dashboard的token登陆
Step 8:查看serviceaccount和secrets
kubectl get sa,secrets -n kubernetes-dashboard
Step 9:查看token
kubectl describe secrets kubernetes-dashboard-token-8kxnh -n kubernetes-dashboard
Step 10:使用默认用户的token登录
之后发现权限略有不足:
Step 11:新建管理员
a、创建serviceaccount
kubectl create serviceaccount admin-myuser -n kubernetes-dashboardb、绑定集群管理员
kubectl create clusterrolebinding dashboard-cluster-admin --clusterrole=cluster-admin --serviceaccount=kubernetes-dashboard:admin-myuserkubectl get sa,secrets -n kubernetes-dashboard
c、查看token
kubectl describe secret admin-myuser-token-jcj9d -n kubernetes-dashboard
Step 12:登录dashboard
文末小结
本文介绍了如何在本地环境中快速搭建一个简单的Kubernetes集群,在这个过程中,我们涉及到了Kubernetes的一些重要概念和组件,例如Pod、Deployment、Service等,后续将会逐一介绍~
原文始发于微信公众号(七芒星实验室):K8s实践之Kubernetes部署
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论