01.集群规划
系统版本:CentOS Linux release 7.6.1810 (Core)
软件版本:kubeadm、kubernetes-1.15、docker-ce-18.09
硬件要求:最少需要2GB或者以上的内存,最少需要2核或者以上更多的CPU
参考官方文档:https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/
| 主机名 | 主机地址 | 主机角色 | 运行服务 |
|---|---|---|---|
| k8s-master | 172.16.254.134 | control-plane(master) | kube-apiserver etcd kube-scheduler kube-controller-manager docker kubelet |
| k8s-ndoe01 | 172.16.254.135 | woker node(node) | kubelet kube-proxy docker |
02.配置主机
我们需要在主机上配置以下操作:
- 主机名
- 名称解析
- 关闭SWAP交换内存
- 关闭防火墙和SeLinux
- 启用bridge-nf功能
- 检查集群中每个主机的Mac地址和ProductUUID唯一性
- 检查可用端口是否被占用
| 主机 | 协议 | 运行服务 | 所需端口 |
|---|---|---|---|
| Master | TCP | api-server etcd-server-client-api kubelet-api kube-scheduler kube-controlle-manager |
6443* 2379-2380 10250 10251 10252 |
| Node | TCP | kubelet-api nodeport-services** |
10250 30000-32767 |
为啥要启用bridge-nf?
答:默认情况下iptables不对二层帧数据做任何处理,为了使Pod进行网络通信时也可以受到IPtables链上的规则所影响,所以我们需要开启IPtables的网桥透明工作模式,即来自二层的流量也将会被IPtables所过滤,避免出现IPtables被绕过而导致Pod流量路由不正确的问题。
主机(172.16.254.134)(k8s-master)上操作:
[root@localhost ~]# echo "k8s-master" >/etc/hostname
[root@localhost ~]# cat /etc/hostname |xargs hostname
[root@localhost ~]# bash
[root@k8s-master ~]# vim /etc/hosts
172.16.254.134 k8s-master
172.16.254.135 k8s-node01
[root@k8s-master ~]# swapoff -a
[root@k8s-master ~]# systemctl stop firewalld
[root@k8s-master ~]# systemctl disable firewalld
[root@k8s-master ~]# setenforce 0
[root@k8s-master ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux
[root@k8s-master ~]# vim /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
[root@k8s-master ~]# sysctl --system
[root@k8s-master ~]# ip link |grep 'link/ether'
link/ether 00:0c:29:d1:7c:b1 brd ff:ff:ff:ff:ff:ff
[root@k8s-master ~]# cat /sys/class/dmi/id/product_uuid
8A2E4D56-EE76-A6CE-0E12-70F4B8D17CB1
[root@k8s-master ~]# netstat -lnupt
主机(172.16.254.135)(k8s-node01)上操作
[root@localhost ~]# echo "k8s-node01" >/etc/hostname
[root@localhost ~]# cat /etc/hostname |xargs hostname
[root@localhost ~]# bash
[root@k8s-node01 ~]#
[root@k8s-node01 ~]# vim /etc/hosts
172.16.254.134 k8s-master
172.16.254.135 k8s-node01
[root@k8s-node01 ~]# swapoff -a
[root@k8s-node01 ~]# systemctl stop firewalld
[root@k8s-node01 ~]# systemctl disable firewalld
[root@k8s-node01 ~]# setenforce 0
[root@k8s-node01 ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux
[root@k8s-node01 ~]# vim /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
[root@k8s-node01 ~]# ip link |grep 'link/ether'
link/ether 00:0c:29:6d:40:2b brd ff:ff:ff:ff:ff:ff
[root@k8s-node01 ~]# cat /sys/class/dmi/id/product_uuid
4D854D56-E60A-69DD-CC05-4BF03A6D402B
[root@k8s-node01 ~]# netstat -lnupt
03.部署容器运行平台(docker)
1、安装Docker
两台主机上操作相同!
[root@localhost ~]# yum -y install epel-release.noarch yum-utils
[root@localhost ~]# yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
[root@localhost ~]# yum -y install device-mapper-persistent-data lvm2
[root@localhost ~]# yum -y install docker-ce-18.09.1
[root@localhost ~]# systemctl start docker
[root@localhost ~]# systemctl enable docker
2、配置Docker,重启Docker服务
配置Docker在线镜像源为国内镜像源,配置Docker使用的cgroup驱动为"systemd"。
两台主机上操作相同。
[root@k8s-master ~]# vim /etc/docker/daemon.json
{
"registry-mirrors": ["http://hub-mirror.c.163.com"],
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"storage-driver": "overlay2",
"storage-opts": [
"overlay2.override_kernel_check=true"
]
}
[root@k8s-master ~]# systemctl restart docker
04.安装相关组件(kubelet、kubeadm、kubectl)
1、配置YUM-Kubernetes存储库
YUM-Kubernetes存储库由阿里云开源镜像网提供。
两台主机上操作相同!
[root@k8s-master ~]# vim /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
2、安装kubelet、kubeadm、kubectl
两台主机上操作相同!
[root@k8s-master ~]# yum install -y kubelet-1.15.0 kubeadm-1.15.0 kubelet-1.15.0 --disableexcludes=kubernetes
3、配置Kubelet
避免Kubelet受swap影响导致服务启动失败。
两台主机上操作相同!
[root@k8s-master ~]# vim /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--fail-swap-on=false"
[root@k8s-master ~]# systemctl enable kubelet
05.构建集群
1、查看使用Kubeadm创建Kubernetes集群所需要的Docker镜像
由于Kubeadm默认使用的在线镜像源地址是"k8s.gcr.io"。所以我们需要手动下载所需镜像才能去创建集群。
主机(k8s-master)上操作!
[root@k8s-master ~]# kubeadm config print init-defaults |grep imageRepository
imageRepository: k8s.gcr.io
[root@k8s-master ~]# kubeadm config images list
W0708 15:58:04.237960 23951 version.go:99] falling back to the local client version: v1.15.0
k8s.gcr.io/kube-apiserver:v1.15.0
k8s.gcr.io/kube-controller-manager:v1.15.0
k8s.gcr.io/kube-scheduler:v1.15.0
k8s.gcr.io/kube-proxy:v1.15.0
k8s.gcr.io/pause:3.1
k8s.gcr.io/etcd:3.3.10
k8s.gcr.io/coredns:1.3.1
2、手动从第三方存储库下载镜像,并重新标记
我们可以先从在线的镜像源中搜索一下。
两台主机上操作相同!
[root@k8s-master ~]# docker search kube-apiserver:v1.15.0
[root@k8s-master ~]# docker search richarddockerimage
NAME DESCRIPTION STARS
richarddockerimage/kube-apiserver-v15 k8s.gcr.io/kube-apiserver:v1.15.0 0
richarddockerimage/tomcat_env_image Based on ubuntu 14.04, plus java7 and tomcat… 0
richarddockerimage/docker-whale Demo for docker 0
richarddockerimage/kube-controller-manager-v15 k8s.gcr.io/kube-controller-manager:v1.15.0 0
richarddockerimage/kube-proxy-v15 k8s.gcr.io/kube-proxy:v1.15.0 0
richarddockerimage/kube-scheduler-v15 k8s.gcr.io/kube-scheduler:v1.15.0 0
richarddockerimage/coredns-v15 k8s.gcr.io/coredns:1.3.1 0
richarddockerimage/etcd k8s.gcr.io/etcd:3.3.10 0
richarddockerimage/pause-v15 k8s.gcr.io/pause:3.1 0
richarddockerimage/oracle12 Oracle database 12 0
richarddockerimage/sqlserver sql server 2017 0
richarddockerimage/image_from_dockerfile 0
[root@k8s-master ~]# docker pull richarddockerimage/kube-apiserver-v15
[root@k8s-master ~]# docker pull richarddockerimage/kube-controller-manager-v15
[root@k8s-master ~]# docker pull richarddockerimage/kube-scheduler-v15
[root@k8s-master ~]# docker pull richarddockerimage/kube-proxy-v15
[root@k8s-master ~]# docker pull richarddockerimage/pause-v15
[root@k8s-master ~]# docker pull richarddockerimage/etcd
[root@k8s-master ~]# docker pull richarddockerimage/coredns-v15
[root@k8s-master ~]# docker tag richarddockerimage/kube-apiserver-v15 k8s.gcr.io/kube-apiserver:v1.15.0
[root@k8s-master ~]# docker tag richarddockerimage/kube-controller-manager-v15 k8s.gcr.io/kube-controller-manager:v1.15.0
[root@k8s-master ~]# docker tag richarddockerimage/kube-scheduler-v15 k8s.gcr.io/kube-scheduler:v1.15.0
[root@k8s-master ~]# docker tag richarddockerimage/kube-proxy-v15 k8s.gcr.io/kube-proxy:v1.15.0
[root@k8s-master ~]# docker tag richarddockerimage/pause-v15 k8s.gcr.io/pause:3.1
[root@k8s-master ~]# docker tag richarddockerimage/etcd k8s.gcr.io/etcd:3.3.10
[root@k8s-master ~]# docker tag richarddockerimage/coredns-v15 k8s.gcr.io/coredns:1.3.1
[root@k8s-master ~]# docker rmi richarddockerimage/kube-apiserver-v15
[root@k8s-master ~]# docker rmi richarddockerimage/kube-controller-manager-v15
[root@k8s-master ~]# docker rmi richarddockerimage/kube-scheduler-v15
[root@k8s-master ~]# docker rmi richarddockerimage/kube-proxy-v15
[root@k8s-master ~]# docker rmi richarddockerimage/pause-v15
[root@k8s-master ~]# docker rmi richarddockerimage/etcd
[root@k8s-master ~]# docker rmi richarddockerimage/coredns-v15
[root@k8s-master ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
k8s.gcr.io/etcd 3.3.10 aae65e9fad13 9 days ago 258MB
k8s.gcr.io/coredns 1.3.1 12dcba476018 9 days ago 40.3MB
k8s.gcr.io/pause 3.1 f3120a7daf47 9 days ago 742kB
k8s.gcr.io/kube-proxy v1.15.0 b39aca5c3855 9 days ago 82.4MB
k8s.gcr.io/kube-scheduler v1.15.0 9270c92a5165 9 days ago 81.1MB
k8s.gcr.io/kube-controller-manager v1.15.0 79939977718a 9 days ago 159MB
k8s.gcr.io/kube-apiserver v1.15.0 6ea465931092 9 days ago 207MB
3、创建一个Kubernetes集群
主机(k8s-master)上操作!
使用以下命令将会在主机上自动安装并运行控制平面(Master)组件服务。
[root@k8s-master ~]# kubeadm init --kubernetes-version=v1.15.0 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12 --apiserver-advertise-address=0.0.0.0 --ignore-preflight-errors=Swap
Your Kubernetes control-plane has initialized successfully!
你的Kubernetes 控制平面节点(Master)安装成功!
To start using your cluster, you need to run the following as a regular user:
要开始使用集群,你需要作为常规用户运行一下内容:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
你现在需要向集群中部署一个Pod网络。
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
你可以通过下面链接中的帮助文档,安装一个适用的网络插件用于Pod网络通信。
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
你可以运行以下命令将任意Node节点的加入到Kubernetes集群中。
kubeadm join 172.16.254.134:6443 --token c4p317.ia0w2uc6m1f4pmnn \
--discovery-token-ca-cert-hash sha256:ef2c778a8d7c6c2df000449249f45f55bf35356239fdaefa84822fde4b2f4b71
4、拷贝kubectl的配置文件
主机(k8s-master)上操作!
集群创建完成后,我们需要使用"kubectl"客户端连接管理集群,kubectl使用生成的配置文件连接并管理操作集群,源配置文件路径:/etc/kubernetes/admin.conf。
[root@k8s-master ~]# mkdir -p $HOME/.kube
[root@k8s-master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
5、部署网络插件(flannel)
主机(k8s-master)上操作!
Kubenetes中Pod之间网络通信通过第三方扩展来实现的,所以我们需要安装第三方网络插件,flannel是常用的网络插件,当然可以选择其他,请参考官方文档。
安装完成后我们使用"kubectl get pods --all-namespaces"命令查看下"kube-system"这个名称空间下的Pod运行情况,发现都是"Running"运行状态,说明Kubernetes集群已正常工作了。
[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/62e44c867a2846fefb68bd5f178daf4da3095ccb/Documentation/kube-flannel.yml
[root@k8s-master ~]# kubectl get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-5c98db65d4-sj2j6 1/1 Running 0 93m
kube-system coredns-5c98db65d4-zhpdw 1/1 Running 0 93m
kube-system etcd-k8s-master 1/1 Running 0 92m
kube-system kube-apiserver-k8s-master 1/1 Running 0 92m
kube-system kube-controller-manager-k8s-master 1/1 Running 0 92m
kube-system kube-flannel-ds-amd64-22fnl 1/1 Running 0 12m
kube-system kube-proxy-dlxwl 1/1 Running 0 93m
kube-system kube-proxy-mtplf 1/1 Running 0 100s
kube-system kube-scheduler-k8s-master 1/1 Running 0 92m
6、将Node节点主机加入到集群中
主机(k8s-Node01)上操作!
默认情况下,在创建的集群的时候,就会创建一个Token和CA证书,用于Node节点连接并接入到集群中,令牌的过期时间默认是24小时,当超过这个时间,如果还需要Node节点加入到集群中的话,则我们需要手动创建Token和CA证书。
[root@k8s-master ~]# kubeadm token list
[root@k8s-master ~]# kubeadm token create
[root@k8s-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
[root@k8s-node01 ~]# kubeadm join 172.16.254.134:6443 --token c4p317.ia0w2uc6m1f4pmnn --discovery-token-ca-cert-hash sha256:ef2c778a8d7c6c2df000449249f45f55bf35356239fdaefa84822fde4b2f4b71 --ignore-preflight-errors=Swap
This node has joined the cluster:
这个节点已加入到集群中:
* Certificate signing request was sent to apiserver and a response was received.
证书签名请求已发送到API Server,并接受到响应。
* The Kubelet was informed of the new secure connection details.
Kubelet被告知新的安全连接细节。
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
在控制平面上运行这个命令"kubectl get nodes"可以看到这个节点已加入到集群中。
06.查看集群
1、查看集群中节点情况
主机(k8s-master)上操作。
我们已经看到集群已经构建完成!Master和Node节点处于就绪状态。
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 95m v1.15.0
k8s-node01 Ready <none> 2m57s v1.15.0
2、查看控制平面(Master)节点组件运行情况
[root@k8s-master ~]# kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Healthy {"health":"true"}
3、查看集群状态信息
[root@k8s-master ~]# kubectl cluster-info
Kubernetes master is running at https://172.16.254.134:6443
KubeDNS is running at https://172.16.254.134:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
4、查看集群版本
[root@k8s-master ~]# kubectl version --short=true
Client Version: v1.15.0
Server Version: v1.15.0
07.简单使用
在集群中创建一个Pod,验证是否可正常运行!
1、创建Deployment
创建Deployment(Pod控制器),即会自动创建并调度Pod在Node上运行起来。
创建Pod后,Kubernetes会自动在Docker上基于镜像运行起来一个容器应用。
Pod内运行Nginx应用的容器。
[root@minikube ~]# kubectl create deployment nginx --image=nginx # 创建Deployment
[root@minikube ~]# kubectl get deployment -o wide # 查看Deployment
NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
nginx 1/1 1 1 24m nginx nginx app=nginx
[root@minikube ~]# kubectl get pod -o wide # 查看Pod
NAME READY STATUS RESTARTS AGE IP NODE
nginx-554b9c67f9-7bzhw 1/1 Running 0 24m 172.17.0.2 minikube
2、创建Service
创建Service,映射容器应用暴露的端口到主机端口,映射到主机上的端口是随机分配的。
[root@minikube ~]# kubectl expose deployment nginx --port=80 --type=NodePort # 创建Service
[root@minikube ~]# kubectl get service nginx -o wide # 查看Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
nginx NodePort 10.96.89.7 <none> 80:32756/TCP 2m4s app=nginx
3、通过浏览器访问
访问地址:NodeIP:Port.
