" name="sm-site-verification"/>
侧边栏壁纸
博主头像
PySuper博主等级

千里之行,始于足下

  • 累计撰写 203 篇文章
  • 累计创建 14 个标签
  • 累计收到 1 条评论

目 录CONTENT

文章目录

Kubernetes | 生产环境下的 K8S 高可用架构

PySuper
2021-10-15 / 0 评论 / 0 点赞 / 19 阅读 / 28771 字
温馨提示:
所有牛逼的人都有一段苦逼的岁月。 但是你只要像SB一样去坚持,终将牛逼!!! ✊✊✊

1、kubeadm工具功能

  • kubeadm init:初始化一个Master节点
  • kubeadm join:将工作节点加入集群
  • kubeadm upgrade:升级K8s版本
  • kubeadm token:管理 kubeadm join 使用的令牌
  • kubeadm reset:清空 kubeadm init 或者 kubeadm join 对主机所做的任何更改
  • kubeadm version:打印 kubeadm 版本
  • kubeadm alpha:预览可用的新功能

2、环境规划

k8s-ns-1.png

3、初始化配置

# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld

# 关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config  # 永久
setenforce 0  # 临时

# 关闭swap
swapoff -a  # 临时
sed -ri 's/.*swap.*/#&/' /etc/fstab    # 永久

# 根据规划设置主机名
hostnamectl set-hostname <hostname>

# 在master添加hosts
cat >> /etc/hosts << EOF
192.168.189.151 etcd-1
192.168.189.152 etcd-2
192.168.189.153 etcd-3
192.168.189.161 lb-1
192.168.189.162 lb-2
192.168.189.163 lb-3
192.168.189.171 master-1
192.168.189.172 master-2
192.168.189.173 master-3
192.168.189.181 worker-1
192.168.189.182 worker-2
192.168.189.183 worker-3
192.168.189.184 worker-4
192.168.189.185 worker-5
192.168.189.186 worker-6
192.168.189.187 worker-7
192.168.189.188 worker-8
192.168.189.189 worker-9
192.168.189.190 worker-10
EOF

# 将桥接的IPv4流量传递到iptables的链
cat > /etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system  # 生效

# 时间同步
yum install ntpdate -y
ntpdate time.windows.com

4、负载均衡器

Nginx + Keepalived

k8s-ns-1.png
  • 开源
    • Ningx:主流Web服务和反向代理服务器,这里用四层实现对apiserver实现负载均衡!
    • LVS
    • HAProxy
  • 公有云
    • SLB
    • 阿里云
    • 腾讯云
    • 华为云

4.1、安装软件包(主/备)

yum install -y epel-release
yum install -y nginx
yum install -y keepalived
yum install -y nginx-mod-stream

4.2、Nginx配置文件

cat > /etc/nginx/nginx.conf << "EOF"
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

# 四层负载均衡,为两台Master apiserver组件提供负载均衡
stream {

    log_format  main  '$remote_addr $upstream_addr - [$time_local] $status $upstream_bytes_sent';

    access_log  /var/log/nginx/k8s-access.log  main;

    upstream k8s-apiserver {
       server 192.168.189.21:6443;   # Master1 APISERVER IP:PORT
       server 192.168.189.22:6443;   # Master2 APISERVER IP:PORT
    }
    
    server {
       listen 16443;  # 由于nginx与master节点复用,这个监听端口不能是6443,否则会冲突
       proxy_pass k8s-apiserver;
    }
}

# http为七层
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # server {
    #     listen       80 default_server;
    #     server_name  _;
    # 
    #     location / {
    #     }
    # }
}
EOF

4.3、NginxMaster

cat > /etc/keepalived/keepalived.conf << EOF
global_defs { 
   notification_email { 
     acassen@firewall.loc 
     failover@firewall.loc 
     sysadmin@firewall.loc 
   } 
   notification_email_from Alexandre.Cassen@firewall.loc  
   smtp_server 127.0.0.1 
   smtp_connect_timeout 30 
   router_id NGINX_MASTER
} 

# 通过执行一个脚本判断VIP是否需要进行故障转移
vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"	# 判断返回状态码
}

# 热备组配置
vrrp_instance VI_1 { 
    state MASTER 
    interface ens33  # 修改为实际网卡名
    virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的 
    priority 100    # 优先级,备服务器设置 90 
    advert_int 1    # 指定VRRP 心跳包通告间隔时间,默认1秒 
    authentication { 
        auth_type PASS      
        auth_pass 1111 
    }
    
    # 飘移这个虚拟IP
    virtual_ipaddress { 
        192.168.189.88/24
    } 
    track_script {
        check_nginx
    } 
}
EOF
  • vrrp_script:指定检查nginx工作状态脚本(根据nginx状态判断是否故障转移)
  • virtual_ipaddress:虚拟IP(VIP)
  • 准备上述配置文件中检查nginx运行状态的脚本:
cat > /etc/keepalived/check_nginx.sh  << "EOF"
#!/bin/bash
count=$(ss -antp | grep 16443 | egrep -cv "grep|$$")

if [ "$count" -eq 0 ];then
    exit 1
else
    exit 0
fi
EOF

chmod +x /etc/keepalived/check_nginx.sh

4.4、NginxBackup

cat > /etc/keepalived/keepalived.conf << EOF
global_defs { 
   notification_email { 
     acassen@firewall.loc 
     failover@firewall.loc 
     sysadmin@firewall.loc 
   } 
   notification_email_from Alexandre.Cassen@firewall.loc  
   smtp_server 127.0.0.1 
   smtp_connect_timeout 30 
   router_id NGINX_BACKUP
} 

vrrp_script check_nginx {
    script "/etc/keepalived/check_nginx.sh"
}

vrrp_instance VI_1 { 
    state BACKUP	# 差异
    interface ens33
    virtual_router_id 51 # VRRP 路由 ID实例,每个实例是唯一的 
    priority 90	# 差异
    advert_int 1
    authentication { 
        auth_type PASS      
        auth_pass 1111 
    }
    
    # 飘移这个虚拟IP
    virtual_ipaddress { 
        192.168.189.88/24
    } 
    track_script {
        check_nginx
    } 
}
EOF
  • 准备上述配置文件中检查nginx运行状态的脚本:
cat > /etc/keepalived/check_nginx.sh  << "EOF"
#!/bin/bash
count=$(ss -antp |grep 16443 |egrep -cv "grep|$$")

if [ "$count" -eq 0 ];then
    exit 1
else
    exit 0
fi
EOF

chmod +x /etc/keepalived/check_nginx.sh
  • keepalived根据脚本返回状态码(0为工作正常,非0不正常)判断是否故障转移

4.5、设置开机启动

systemctl daemon-reload
systemctl start nginx
systemctl start keepalived
systemctl enable nginx
systemctl enable keepalived

4.6、查看工作状态

[root@master-1 ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:95:aa:29 brd ff:ff:ff:ff:ff:ff
    inet 192.168.189.21/24 brd 192.168.189.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.189.88/24 scope global secondary ens33	# 漂移的虚拟IP
       valid_lft forever preferred_lft forever
    inet6 fe80::658d:4cf7:4b83:47d8/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
  • 可以看到,在ens33网卡绑定了192.168.31.88 虚拟IP,说明工作正常。

4.7 Nginx+Keepalived高可用测试

  • 关闭主节点Nginx,测试VIP是否漂移到备节点服务器
  • 在Nginx Master执行 pkill nginx
  • 在Nginx Backup,ip addr命令查看已成功绑定VIP
k8s-ns-1.png

5、Etcd 集群

为了节省机器,这里与K8s节点机器复用

也可以独立于k8s集群之外部署,只要apiserver能连接到就行

  • Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储
  • kubeadm搭建默认情况下只启动一个Etcd Pod,存在单点故障,生产环境强烈不建议
  • 所以我们这里使用3台服务器组建集群,可容忍1台机器故障
  • 当然,你也可以使用5台组建集群,可容忍2台机器故障
节点名称 IP
etcd-1 192.168.189.21
etcd-2 192.168.189.22
etcd-3 192.168.189.26

5.1 准备cfssl工具

cfssl是一个开源的证书管理工具,使用json文件生成证书,相比openssl更方便使用。

找任意一台服务器操作,这里用Master节点。

yum install -y wget
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64

chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64

mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo

5.2 生成Etcd证书

1、自签证书颁发机构(CA)

# 创建工作目录
mkdir -p ~/etcd_tls && cd ~/etcd_tls

# 自签CA
cat > ca-config.json << EOF
{
    "signing":{
        "default":{
            "expiry":"87600h"
        },
        "profiles":{
            "www":{
                "expiry":"87600h",
                "usages":[
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
EOF

cat > ca-csr.json << EOF
{
    "CN":"etcd CA",
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"Beijing",
            "ST":"Beijing"
        }
    ]
}
EOF

# 生成证书
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

# 会生成ca.pem和ca-key.pem文件

2、自签Etcd HTTPS证书

# 创建证书申请文件

cat > server-csr.json << EOF
{
    "CN":"etcd",
    "hosts":[
        "192.168.189.151",
        "192.168.189.152",
        "192.168.189.153"
    ],
    "key":{
        "algo":"rsa",
        "size":2048
    },
    "names":[
        {
            "C":"CN",
            "L":"BeiJing",
            "ST":"BeiJing"
        }
    ]
}
EOF

# 上述文件hosts字段中IP为所有etcd节点的集群内部通信IP,一个都不能少!
# 为了方便后期扩容可以多写几个预留的IP!!!!

# 生成证书
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server

# 会生成server.pem和server-key.pem文件。

3、从Github下载二进制文件

下载地址:https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz

4、部署Etcd集群

以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3。

4.1、创建工作目录并解压
mkdir /opt/etcd/{bin,cfg,ssl} -p
tar zxf etcd-v3.4.9-linux-amd64.tar.gz
mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/
4.2、创建etcd配置文件
cat > /opt/etcd/cfg/etcd.conf << EOF
#[Member]
ETCD_NAME="etcd-1"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.189.21:2380"
ETCD_LISTEN_CLIENT_URLS="https://192.168.189.21:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.189.21:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.189.21:2379"
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.189.21:2380,etcd-2=https://192.168.189.22:2380,etcd-3=https://192.168.189.26:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF
  • ETCD_NAME:节点名称,集群中唯一
  • ETCD_DATA_DIR:数据目录
  • ETCD_LISTEN_PEER_URLS:集群通信监听地址
  • ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
  • ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
  • ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
  • ETCD_INITIAL_CLUSTER:集群节点地址
  • ETCD_INITIAL_CLUSTER_TOKEN:集群Token
  • ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群
4.3、systemd管理etcd
cat > /usr/lib/systemd/system/etcd.service << EOF
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/opt/etcd/cfg/etcd.conf
ExecStart=/opt/etcd/bin/etcd \
--cert-file=/opt/etcd/ssl/server.pem \
--key-file=/opt/etcd/ssl/server-key.pem \
--trusted-ca-file=/opt/etcd/ssl/ca.pem \
--peer-cert-file=/opt/etcd/ssl/server.pem \
--peer-key-file=/opt/etcd/ssl/server-key.pem \
--peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
--logger=zap
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF
4.4、拷贝刚才生成的证书
# 把刚才生成的证书拷贝到配置文件中的路径

cp ~/etcd_tls/ca*pem ~/etcd_tls/server*pem /opt/etcd/ssl/
4.5、启动并设置开机启动
systemctl daemon-reload && systemctl start etcd && systemctl enable etcd

# 这里启动失败之后,先把其他节点的etcd也启动就好了,
4.6、拷贝文件

将上面节点1所有生成的文件拷贝到节点2和节点3

scp -r /opt/etcd/ root@192.168.189.22:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.189.22:/usr/lib/systemd/system/

scp -r /opt/etcd/ root@192.168.189.26:/opt/
scp /usr/lib/systemd/system/etcd.service root@192.168.189.26:/usr/lib/systemd/system/

然后在节点2和节点3分别修改etcd.conf配置文件中的节点名称和当前服务器IP

vi /opt/etcd/cfg/etcd.conf
#[Member]
ETCD_NAME="etcd-1"   # 修改此处,节点2改为etcd-2,节点3改为etcd-3
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://192.168.31.71:2380"   # 修改此处为当前服务器IP
ETCD_LISTEN_CLIENT_URLS="https://192.168.31.71:2379" # 修改此处为当前服务器IP

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.31.71:2380" # 修改此处为当前服务器IP
ETCD_ADVERTISE_CLIENT_URLS="https://192.168.31.71:2379" # 修改此处为当前服务器IP
ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.31.71:2380,etcd-2=https://192.168.31.72:2380,etcd-3=https://192.168.31.73:2380"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"

最后启动etcd并设置开机启动,同上

4.7、查看集群状态
ETCDCTL_API=3 /opt/etcd/bin/etcdctl \
  --cacert=/opt/etcd/ssl/ca.pem \
  --cert=/opt/etcd/ssl/server.pem \
  --key=/opt/etcd/ssl/server-key.pem \
  --endpoints="https://192.168.189.151:2379,https://192.168.189.152:2379,https://192.168.189.153:2379" \
  endpoint health --write-out=table

# 输出
+-----------------------------+--------+------------+-------+
|          ENDPOINT           | HEALTH |    TOOK    | ERROR |
+-----------------------------+--------+------------+-------+
| https://192.168.189.26:2379 |   true | 8.155322ms |       |
| https://192.168.189.21:2379 |   true | 5.967062ms |       |
| https://192.168.189.22:2379 |   true | 8.045501ms |       |
+-----------------------------+--------+------------+-------+
  • 如果输出上面信息,就说明集群部署成功
  • 如果有问题第一步先看日志:/var/log/message 或 journalctl -u etcd

6、K8s 集群

6.1 安装软件包 [all]

这里使用Docker作为容器引擎,也可以换成别的,例如containerd

1、安装Docker

yum install -y wget
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo
yum -y install docker-ce
systemctl enable docker && systemctl start docker

# 配置镜像下载加速器
cat > /etc/docker/daemon.json << EOF
{
	"registry-mirrors": ["https://giuzc4qh.mirror.aliyuncs.com"]
}
EOF

systemctl restart docker && docker info

2、添加阿里云yum源

cat > /etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

3、安装K8s软件

由于版本更新频繁,这里指定版本号部署

# 1.20
yum install -y kubelet-1.20.0 kubeadm-1.20.0 kubectl-1.20.0 && systemctl enable kubelet

# 1.21
yum install -y kubelet-1.21.0 kubeadm-1.21.0 kubectl-1.21.0 && systemctl enable kubelet

6.2 配置Master

1、初始化master-1

docker pull registry.aliyuncs.com/google_containers/coredns:1.8.4

cat > kubeadm-config.yaml << EOF
apiVersion: kubeadm.k8s.io/v1beta2
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: 9037x2.tcaqnpaqkra9vsbw
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.189.21
  bindPort: 6443
nodeRegistration:
  criSocket: /var/run/dockershim.sock
  name: master-1
  taints:
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    
---
apiServer:
  certSANs:  # 包含所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP。
  - master-1
  - master-2
  - 192.168.189.21
  - 192.168.189.22
  - 192.168.189.88
  - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 192.168.189.88:16443 # 负载均衡虚拟IP(VIP)和端口
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  external:  # 使用外部etcd
    endpoints:
    - https://192.168.189.21:2379 # etcd集群3个节点
    - https://192.168.189.22:2379
    - https://192.168.189.26:2379
    caFile: /opt/etcd/ssl/ca.pem # 连接etcd所需证书
    certFile: /opt/etcd/ssl/server.pem
    keyFile: /opt/etcd/ssl/server-key.pem
imageRepository: registry.aliyuncs.com/google_containers # 由于默认拉取镜像地址k8s.gcr.io国内无法访问,这里指定阿里云镜像仓库地址
kind: ClusterConfiguration
kubernetesVersion: v1.20.0 # K8s版本,与上面安装的一致
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16  # Pod网络,与下面部署的CNI网络组件yaml中保持一致
  serviceSubnet: 10.96.0.0/12  # 集群内部虚拟网络,Pod统一访问入口
scheduler: {}
EOF

或者使用配置文件引导

kubeadm init --config kubeadm-config.yaml

# 如果这里有报错,可以使用--ignore-preflight-errors=all 先忽略错误

# 输出的一部分
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of control-plane nodes by copying certificate authorities
and service account keys on each node and then running the following as root:

  kubeadm join 192.168.189.88:16443 --token 9037x2.tcaqnpaqkra9vsbw \
    --discovery-token-ca-cert-hash sha256:caf44e707a1564957a06eac10ce93d615c7bb71e09fc3e91c028e8ac4ceb464e \
    --control-plane 

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 192.168.189.88:16443 --token 9037x2.tcaqnpaqkra9vsbw \
    --discovery-token-ca-cert-hash sha256:caf44e707a1564957a06eac10ce93d615c7bb71e09fc3e91c028e8ac4ceb464e

初始化完成后,会有两个join的命令

  • 带有 --control-plane 是用于加入组建多master集群的
  • 不带的是加入节点的
  • kubeadm token create --print-join-command --ttl 0
# 拷贝kubectl使用的连接k8s认证文件到默认路径:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# 测试
kubectl get node
NAME          STATUS     ROLES                  AGE     VERSION
k8s-master1   NotReady   control-plane,master   4m57s   v1.20.0

2、初始化master-2

# 将Master1节点生成的证书拷贝到Master2
scp -r /etc/kubernetes/pki/ 192.168.189.22:/etc/kubernetes/
 
# 复制加入master join命令在master2执行
kubeadm join 192.168.189.88:16443
--token 9037x2.tcaqnpaqkra9vsbw \
--discovery-token-ca-cert-hash sha256:caf44e707a1564957a06eac10ce93d615c7bb71e09fc3e91c028e8ac4ceb464e \
--control-plane 

# 拷贝kubectl使用的连接k8s认证文件到默认路径
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

# 测试
kubectl get node
NAME          STATUS     ROLES                  AGE     VERSION
k8s-master1   NotReady   control-plane,master   28m     v1.20.0
k8s-master2   NotReady   control-plane,master   2m12s   v1.20.0

# 由于网络插件还没有部署,还没有准备就绪 NotReady

3、测试负载均衡器

找K8s集群中任意一个节点,使用curl查看K8s版本测试,使用VIP访问

curl -k https://192.168.189.88:16443/version

{
  "major": "1",
  "minor": "20",
  "gitVersion": "v1.20.0",
  "gitCommit": "af46c47ce925f4c4ad5cc8d1fca46c7b77d13b38",
  "gitTreeState": "clean",
  "buildDate": "2020-12-08T17:51:19Z",
  "goVersion": "go1.15.5",
  "compiler": "gc",
  "platform": "linux/amd64"
}
  • 可以正确获取到K8s版本信息,说明负载均衡器搭建正常
  • 该请求数据流程:curl -> vip(nginx) -> apiserver
  • 通过查看Nginx日志也可以看到转发apiserver IP:
tail /var/log/nginx/k8s-access.log -f
192.168.189.21 192.168.189.21:6443 - [28/Sep/2021:03:36:11 -0400] 200 287
192.168.189.21 192.168.189.21:6443 - [28/Sep/2021:03:36:18 -0400] 200 287
192.168.189.21 192.168.189.22:6443 - [28/Sep/2021:03:36:21 -0400] 200 287
192.168.189.21 192.168.189.21:6443 - [28/Sep/2021:03:36:27 -0400] 200 287
192.168.189.21 192.168.189.22:6443 - [28/Sep/2021:03:36:28 -0400] 200 428

6.3 配置Node

只在192.168.189.26-Node节点执行

# 向集群添加新节点,执行在kubeadm init输出的kubeadm join命令
kubeadm join 192.168.189.88:16443 \
--token 9037x2.tcaqnpaqkra9vsbw \
--discovery-token-ca-cert-hash sha256:ecc0d2d6fb8a02f977a8ebbb9aaf7a895c8c8c88160213135c338df14e29dcd9

# 后续其他节点也是这样加入
  • 默认token有效期为24小时,当过期之后,该token就不可用了
  • 这时就需要重新创建token,可以直接使用命令快捷生成:kubeadm token create --print-join-command

6.4 清理

如果你在集群中使用了一次性服务器进行测试,则可以关闭这些服务器,而无需进一步清理

你可以使用 kubectl config delete-cluster 删除对集群的本地引用

# 先将节点设置为维护模式 (k8s-node1 是节点名称)
kubectl drain k8s-node1 --delete-local-data --force --ignore-daemonsets

# 在删除节点之前,请重置 kubeadm 安装的状态:
kubeadm reset

rm -R /etc/kubernetes/ -rf
rm -rf /var/lib/cni/
rm -rf /var/lib/kubelet/*
rm -rf /etc/cni/
rm -rf $HOME/.kube/config
rm -rf /var/lib/kubelet /var/lib/dockershim /var/run/kubernetes /var/lib/cni

# 重置过程不会重置或清除 iptables 规则或 IPVS 表。如果你希望重置 iptables,则必须手动进行:
iptables -F && iptables -t nat -F && iptables -t mangle -F && iptables -X

# 如果要重置 IPVS 表,则必须运行以下命令:
ipvsadm -C

# 现在删除节点
kubectl delete node k8s-node1

7、部署 Calico

Calico是一个纯三层的数据中心网络方案,是目前Kubernetes主流的网络方案

#  直接使用文件部署
kubectl apply -f calico.yaml
kubectl get pods -n kube-system

# 等Calico Pod都Running,节点也会准备就绪

8、部署 Dashboard

8.1、Dashboard

# 下载yaml
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml

# 默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部:
vi recommended.yaml

################################################################################################
...
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001	# change
  selector:
    k8s-app: kubernetes-dashboard
  type: NodePort	# change
...
################################################################################################

# 创建
kubectl apply -f recommended.yaml
kubectl get pods -n kubernetes-dashboard

################################################################################################

# 创建service account并绑定默认cluster-admin管理员集群角色:

# 创建用户
kubectl create serviceaccount dashboard-admin -n kube-system


# 用户授权
kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin


# 获取用户Token
kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
# 异常处理:273 行
seccomp.security.alpha.kubernetes.io/pod 在1.19中被摒弃,使用 seccompProfile

# 修改
# seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
seccompProfile: 'runtime/default'

访问地址:https://NodeIP:30001

这里使用https

8.2、Kuboard 2

# 安装 稳定版
kubectl apply -f https://kuboard.cn/install-script/kuboard.yaml

# 安装bate版
kubectl apply -f https://kuboard.cn/install-script/kuboard-beta.yaml

# 查看
kubectl get pods -l k8s.kuboard.cn/name=kuboard -n kube-system

# Token
echo $(kubectl -n kube-system get secret $(kubectl -n kube-system get secret | grep kuboard-user | awk '{print $1}') -o go-template='{{.data.token}}' | base64 -d)

# 查看http://任意一个Worker节点的IP地址:32567/

8.3、Kuboard 3

# 先找个master节点打上标签
kubectl delete daemonset kuboard-etcd -n kuboard

# 安装
kubectl apply -f https://addons.kuboard.cn/kuboard/kuboard-v3.yaml

# 查看
kubectl get pods -n kuboard

# 添加集群,使用/root/.kube/c

# 访问http://your-node-ip-address:30080
用户名: admin
密码: Kuboard123

0

评论区