I. Environment preparation
Use the Hyper-V virtual machine feature to build three CentOS virtual machines and give each a static IP: k8s-node1 (192.168.0.8), k8s-node2 (192.168.0.9) and k8s-node3 (192.168.0.10). After the systems are installed, enable remote root login so that an SSH client can connect.
Initial system settings:
◉ Configure the virtual machines' MAC addresses and make sure that the MAC address and product_uuid are unique on every node. Check them with the following commands:
ip link
cat /sys/class/dmi/id/product_uuid
◉ Assign a fixed IP: configure a static IP inside the virtual machine. First locate the configuration file of the NIC that needs the static IP; mine is eth1, so edit /etc/sysconfig/network-scripts/ifcfg-eth1 and set the items indicated by the arrows below:
◉ Update yum: run the command "yum update".
◉ Enable remote SSH login: run "yum install openssh-server" to install the SSH server. After installation, run "systemctl enable sshd.service" so it starts at boot, then run "vim /etc/ssh/sshd_config" to edit the configuration file as follows:
◉ Switch from IPv6 to IPv4: CentOS uses IPv6 by default, and we need IPv4 mode so that SSH clients can connect remotely. cd into /etc/sysconfig/network-scripts, edit ifcfg-eth1 with vim and, as shown in the figure, set IPV6INIT=no and ONBOOT=yes.
◉ Set firewall rules: the purpose of the firewall rules is to make sure the machines in the cluster can talk to each other. For this cluster the firewall is simply turned off with "systemctl disable firewalld". In a production environment the firewall cannot be disabled, so the following ports must be opened instead:
The command format for opening a specific port is:
firewall-cmd --zone=public --add-port=6443/tcp --permanent
◉ Synchronize system time: K8s requires the clocks of the nodes in a cluster to agree exactly, so synchronize the time on every node:
yum install ntpdate -y
ntpdate time.windows.com
◉ Let iptables see bridged traffic: make sure net.bridge.bridge-nf-call-iptables is set to 1 in your configuration by running the following (the two heredocs write a k8s.conf under /etc/modules-load.d and /etc/sysctl.d respectively, as in the kubeadm documentation):
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
br_netfilter
EOF
# load the module now so the sysctl keys below exist without a reboot
sudo modprobe br_netfilter
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sudo sysctl --system
◉ Configure hostname mapping by editing /etc/hosts (normally done on every node in the cluster); run the following command:
cat >> /etc/hosts << EOF
192.168.0.8 k8s-node1
192.168.0.9 k8s-node2
192.168.0.10 k8s-node3
EOF
◉ Disable the Linux swap partition: for the kubelet to run properly, swap must be disabled. On Windows the equivalent is called virtual memory: when physical memory runs short, the operating system moves data that is temporarily unused out of physical memory into swap, leaving enough physical memory for the programs that are running. Running "free -m" shows that swap is enabled; edit /etc/fstab, comment out the line that mounts the swap partition, and reboot Linux.
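As an added example (not part of the original post), the following POSIX shell script checks the requirements from this section on a node and, for production hosts where firewalld stays enabled, prints the firewall-cmd lines for a control-plane or worker node in the same format as the 6443/tcp command above instead of disabling the firewall. The port lists are the ones from the kubeadm documentation; the default file paths (/proc/swaps, /etc/sysctl.d/k8s.conf, /etc/hosts) and the node names are assumptions, and every check accepts an alternative path so it can be run against copies.

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the node
# preparation above, plus a firewall-cmd generator for nodes that keep firewalld.
# Port lists follow the kubeadm documentation; paths are assumptions and can be
# overridden so the checks run against copies.
set -e

# ports_for ROLE: print the PORT/PROTO entries a "control-plane" or "worker"
# node must accept.
ports_for() {
  case "$1" in
    control-plane)
      printf '%s\n' 6443/tcp 2379-2380/tcp 10250/tcp 10259/tcp 10257/tcp ;;
    worker)
      printf '%s\n' 10250/tcp 30000-32767/tcp ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# firewall_cmds ROLE: print (do not run) the firewall-cmd lines, in the same
# format as the 6443/tcp example above, so they can be reviewed before use.
firewall_cmds() {
  ports_for "$1" | while read -r p; do
    echo "firewall-cmd --zone=public --add-port=$p --permanent"
  done
  echo "firewall-cmd --reload"
}

# swap_is_off [PROC_SWAPS]: true when the file holds only its header line.
swap_is_off() {
  f="${1:-/proc/swaps}"
  [ "$(sed '1d' "$f" | grep -c .)" -eq 0 ]
}

# bridge_nf_ok [SYSCTL_CONF]: true when both bridge-nf-call keys are set to 1.
bridge_nf_ok() {
  f="${1:-/etc/sysctl.d/k8s.conf}"
  [ -r "$f" ] || return 1
  grep -Eq '^net\.bridge\.bridge-nf-call-iptables *= *1$' "$f" &&
    grep -Eq '^net\.bridge\.bridge-nf-call-ip6tables *= *1$' "$f"
}

# hosts_have HOSTS_FILE NAME...: true when every NAME has an IPv4 entry.
hosts_have() {
  f="$1"; shift
  for n in "$@"; do
    awk -v n="$n" '$1 ~ /^[0-9.]+$/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit !found }' "$f" || return 1
  done
}

# preflight: run every check against the live node and report the results.
preflight() {
  for c in swap_is_off bridge_nf_ok; do
    if "$c"; then echo "ok   $c"; else echo "FAIL $c"; fi
  done
  if hosts_have /etc/hosts k8s-node1 k8s-node2 k8s-node3; then
    echo "ok   hosts"; else echo "FAIL hosts"; fi
}

# Usage: sh preflight.sh run                              (run the checks)
#        . ./preflight.sh; firewall_cmds control-plane    (review the commands)
if [ "${1:-}" = run ]; then preflight; fi
```

The generator only prints the firewall-cmd lines so that the port set can be reviewed and checked into configuration management before it is applied; a worker role never opens 6443/tcp, which keeps the API server reachable only through the control-plane nodes.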
II. Installing the K8s container runtime
To decouple k8s from the container runtime, k8s introduced the Container Runtime Interface (CRI) after v1.5; any container runtime that implements this interface can be combined with k8s to deploy a cluster. The container runtime is responsible for starting, stopping and running containers. Kubernetes versions before v1.24 integrated Docker Engine through a runtime component called dockershim; from v1.24 on it is no longer integrated, so building a cluster on later versions requires installing a container runtime by hand. Common container runtimes are containerd, CRI-O, Docker Engine and Mirantis Container Runtime. The installation steps are as follows:
◉ Use containerd as the runtime (officially recommended):
1. Install and configure the prerequisites by running the following commands in order:
cat <
2. Install containerd and its related components by running the following commands in order:
# Install the required packages; yum-utils provides yum-config-manager
yum install -y yum-utils
# Add the yum repository
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Install containerd
yum install containerd -y
# Generate the default configuration and overwrite config.toml with it
containerd config default > /etc/containerd/config.toml
# Start containerd and enable it at boot
systemctl start containerd
systemctl daemon-reload
systemctl enable containerd
3. Edit /etc/containerd/config.toml and change containerd's default sandbox_image to the following value:
sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.7"
◉ Configure the cgroup driver (optional): both the container runtime and the kubelet have a property called cgroupDriver, and their values must match, otherwise the kubelet process cannot run properly. How the runtime's cgroupDriver is set depends on the component; the kubelet's cgroupDriver can be specified through kubeadm as shown below (if it is not specified via a configuration file, the default is systemd):
Contents of the kubeadm-config.yaml file:
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
kubernetesVersion: v1.21.0
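The following shell script is an added example, not code from the original post: it covers both step 3 above (rewriting sandbox_image in config.toml) and the cgroup driver passage. It patches the config.toml that "containerd config default" produced so that the pause image comes from the mirror used above and runc uses the systemd cgroup driver (containerd selects that driver through the SystemdCgroup option of its runc runtime), then writes a kubeadm-config.yaml whose KubeletConfiguration document declares the same driver and checks that the two agree before containerd is restarted. The KubeletConfiguration document follows the kubeadm documentation; the file paths and the v1.21.0 version string are taken from the post, and the functions take paths as parameters so they can be exercised on copies.

```shell
#!/bin/sh
# Added example (not from the original post): keep containerd's cgroup driver and
# the kubelet's cgroupDriver in agreement, and set the mirror pause image.
set -e

# Pause image from step 3 above (registry.aliyuncs.com mirror of the k8s pause image).
PAUSE_IMAGE="registry.aliyuncs.com/google_containers/pause:3.7"

# patch_containerd_config FILE: rewrite sandbox_image and SystemdCgroup in place.
patch_containerd_config() {
  f="$1"
  # Replace whatever sandbox_image value "containerd config default" produced.
  sed -i "s|^\( *sandbox_image *= *\).*|\1\"$PAUSE_IMAGE\"|" "$f"
  # Switch the runc shim to the systemd cgroup driver (the default output has false).
  sed -i 's|^\( *SystemdCgroup *= *\).*|\1true|' "$f"
}

# containerd_cgroup_driver FILE: print "systemd" or "cgroupfs" from SystemdCgroup.
containerd_cgroup_driver() {
  if grep -Eq '^ *SystemdCgroup *= *true' "$1"; then echo systemd; else echo cgroupfs; fi
}

# write_kubeadm_config FILE DRIVER VERSION: ClusterConfiguration from the post plus
# a KubeletConfiguration document that pins the kubelet's cgroupDriver.
write_kubeadm_config() {
  cat > "$1" <<EOF
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta3
kubernetesVersion: $3
---
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: $2
EOF
}

# kubeadm_cgroup_driver FILE: print the cgroupDriver declared for the kubelet;
# when the field is absent kubeadm defaults it to systemd (since v1.22).
kubeadm_cgroup_driver() {
  d=$(sed -n 's/^cgroupDriver: *//p' "$1")
  echo "${d:-systemd}"
}

# drivers_match CONTAINERD_TOML KUBEADM_YAML: succeed only when both sides agree.
drivers_match() {
  [ "$(containerd_cgroup_driver "$1")" = "$(kubeadm_cgroup_driver "$2")" ]
}

# Stand-alone use on a node (kept as comments so the file is safe to source):
# patch_containerd_config /etc/containerd/config.toml
# write_kubeadm_config /root/kubeadm-config.yaml \
#   "$(containerd_cgroup_driver /etc/containerd/config.toml)" v1.21.0
# drivers_match /etc/containerd/config.toml /root/kubeadm-config.yaml \
#   && systemctl restart containerd
```

The check is deliberately derived from the files rather than from memory: a node that was prepared by hand with a cgroupfs runtime and a default kubeadm config will fail drivers_match, which is the mismatch the passage above warns about.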
Contents of the modified recommended.yaml file used below (the nodeName: k8s-node3 entries pin both Deployments to that node):
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
type: Opaque

---
apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
type: Opaque

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      nodeName: k8s-node3
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.5.0
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      #tolerations:
      #- key: node-role.kubernetes.io/master
      #  effect: NoSchedule

---
kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      nodeName: k8s-node3
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.7
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
            - mountPath: /tmp
              name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      #tolerations:
      #  - key: node-role.kubernetes.io/master
      #    effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
The creation process is shown in the figure:
2. Check the Dashboard's running state with "kubectl get pod -A"; the result is shown below. Wait until the status becomes Running.
3. Change the access mode: run "kubectl get svc -A | grep kubernetes-dashboard" to view the port; the result is shown below.
ClusterIP only allows access from within the cluster network; it needs to be changed to NodePort so that the cluster hosts can reach it. Run the following command to edit the resource configuration:
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
Run "kubectl get svc -A | grep kubernetes-dashboard" again. The result below shows an extra mapped port, 30704, so the resource can now be reached through the IP of any cluster machine plus port 30704.
4. Visiting https://192.168.0.10:30704 fails to open the page, and running "kubectl get pod -A" again shows that the Running status has turned into CrashLoopBackOff, as shown:
Run "kubectl describe pod kubernetes-dashboard-6cdd697d84-kcz6p -n kubernetes-dashboard" to inspect the Pod; the following warning appears in its events:
The cause is that the kubernetes-dashboard Pod was scheduled by default onto a non-master node, which produced an insufficient-permissions problem. It has to be redeployed with the customized yaml configuration shown earlier, as follows:
◉ Delete the Deployments that were installed (and with them their Pods):
kubectl delete Deployment kubernetes-dashboard -n kubernetes-dashboard
kubectl delete Deployment dashboard-metrics-scraper -n kubernetes-dashboard
◉ Recreate the Pods from the modified recommended.yaml file:
kubectl apply -f recommended.yaml
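The following is an added example, not code from the original post or from the Dashboard project: it automates the polling done by hand in steps 2 and 4 (parsing "kubectl get pod -A" and reporting Pods stuck in a state such as CrashLoopBackOff) and replaces the interactive "kubectl edit" from step 3 with a kubectl patch that sets a fixed NodePort. The Service port numbers (443 to 8443) are those of the Dashboard's recommended.yaml, the node port 30000 is the one used below, and the sample kubectl output in the usage comment is constructed. A NodePort Service listens on that port on every node's IP, so on a production cluster it belongs behind the firewall rules from section I rather than being reachable from the whole network.

```shell
#!/bin/sh
# Added example (not from the original post): watch Dashboard Pods the way steps 2
# and 4 above do by hand, and switch the Service to NodePort without an editor.
set -e

# not_ready_pods: read "kubectl get pod -A --no-headers" output on stdin and print
# "namespace/pod status" for every Pod whose STATUS column ($4) is not Running or
# Completed, e.g. the CrashLoopBackOff seen in step 4.
not_ready_pods() {
  awk '$4 != "Running" && $4 != "Completed" { print $1 "/" $2 " " $4 }'
}

# wait_for_pods NAMESPACE [TIMEOUT_SECONDS]: poll until every Pod in the namespace
# is Running; on timeout print the stragglers to stderr and return 1, so a
# CrashLoopBackOff surfaces in automation instead of being noticed only in a browser.
wait_for_pods() {
  ns="$1"; limit="${2:-120}"; waited=0
  while :; do
    pending=$(kubectl get pod -A --no-headers | awk -v ns="$ns" '$1 == ns' | not_ready_pods)
    [ -z "$pending" ] && return 0
    if [ "$waited" -ge "$limit" ]; then
      echo "timed out waiting for $ns; not ready:" >&2
      echo "$pending" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
}

# dashboard_nodeport_patch NODE_PORT: print the strategic merge patch that makes the
# Dashboard Service a NodePort on a fixed port (the Service maps 443 to container 8443).
dashboard_nodeport_patch() {
  printf '{"spec":{"type":"NodePort","ports":[{"port":443,"targetPort":8443,"nodePort":%s}]}}' "$1"
}

# Usage on a node with kubectl access:
#   kubectl patch svc kubernetes-dashboard -n kubernetes-dashboard \
#     -p "$(dashboard_nodeport_patch 30000)"
#   wait_for_pods kubernetes-dashboard 180 && echo "dashboard is up"
#
# Constructed sample of the input not_ready_pods expects (output of step 4):
#   kubernetes-dashboard kubernetes-dashboard-6cdd697d84-kcz6p 0/1 CrashLoopBackOff 4 2m
# which it reports as:
#   kubernetes-dashboard/kubernetes-dashboard-6cdd697d84-kcz6p CrashLoopBackOff
```

Using a fixed nodePort in the patch makes the exposed port predictable, which is what a firewall rule or a later ingress migration needs; "kubectl edit" with an empty nodePort lets the API server pick a random one such as the 30704 seen above.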
After all of this, the kubernetes-dashboard panel has been created; visiting https://192.168.0.10:30000 shows the following interface:
If username/password login is enabled, the interface looks like this:
VI. K8s Dashboard login authentication methods explained
To be continued...
VII. Deploying a complete microservice project through the Dashboard UI
To be continued...
VIII. Deploying a complete microservice project with the kubectl command-line tool
To be continued...
Original: https://www.cnblogs.com/zqhIndex/p/16200734.html
Author: 我若安好,便是晴天
Title: 从零开始搭建高可用的k8s集群 (Building a highly available k8s cluster from scratch)
Original articles are protected by copyright. Please credit the source when reposting: https://www.johngo689.com/612566/
Reposted articles are protected by the original author's copyright. Please credit the original author when reposting!