二进制部署高可用 K8s-v1.24.5
PS:安装前必须提前查看 K8s-1.24.x 官方说明,内有弃用参数说明。另有 原文/译文 参考
一. 版本环境
程序版本
安装时请注意版本控制,如安装失败可检查各程序版本之间是否有兼容问题
- System:CentOS7.9.2009 Minimal
- Runtime:cri-containerd-cni-1.6.8
- Server:v1.24.x
- Etcd:v3.5.4
- Calico:v3.23.3
- CoreDNS:1.8.6
- Metricd:v0.6.1
- Dashboard:v2.6.0 & v1.0.8
安装规划
| hostname |
ServerIP |
Module |
| k8smn-4140-lb |
188.188.4.140 |
KeepAlived IP(VIP) |
| k8sm01-4141-pts~03 |
188.188.4.141~123 |
kube-apiserver,kube-controller-manager,kube-scheduler,etcd,kubelet,kube-proxy,containerd |
| k8sn01-4144-pts~02 |
188.188.4.144~125 |
kubelet,kube-proxy,containerd |
网络规划
- Host-IP:188.188.4.0/24
- Pod-IP:172.16.0.0/12
- Server-IP:10.96.0.0/16
注:宿主机网段与 K8s 的 Server/Pod 网段不能重复
二. 环境配置
安装说明:如未注明是在哪个节点执行,默认为全部节点都需要执行操作
2.1 基本配置
1)安装常用工具
| $ yum install wget jq psmisc lrzsz vim net-tools telnet yum-utils device-mapper-persistent-data lvm2 git expect -y
|
2)配置 Hostname & Hosts
| $ hostnamectl set-hostname k8sm01-4141-pts && bash
$ hostnamectl set-hostname k8sm02-4142-pts && bash
$ hostnamectl set-hostname k8sm03-4143-pts && bash
$ hostnamectl set-hostname k8sn01-4144-pts && bash
$ hostnamectl set-hostname k8sn02-4145-pts && bash
$ cat >> /etc/hosts << EOF
188.188.4.140 k8smn-4140-lb
188.188.4.141 k8sm01-4141-pts
188.188.4.142 k8sm02-4142-pts
188.188.4.143 k8sm03-4143-pts
188.188.4.144 k8sn01-4144-pts
188.188.4.145 k8sn02-4145-pts
EOF
|
3)配置阿里云源
| $ curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
$ yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
$ sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
|
4)关闭 Firewalld & SELINUX & Swap
| $ systemctl disable --now firewalld NetworkManager
$ setenforce 0
$ sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/sysconfig/selinux
$ sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
$ swapoff -a && sysctl -w vm.swappiness=0
$ sed -ri '/^[^#]*swap/s@^@#@' /etc/fstab
|
5)安装 ntpdate,同步时间
| $ rpm -ivh http://mirrors.wlnmp.com/centos/wlnmp-release-centos.noarch.rpm
$ yum install ntpdate -y
$ ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
$ echo 'Asia/Shanghai' >/etc/timezone
$ ntpdate time2.aliyun.com
$ crontab -e
*/5 * * * * /usr/sbin/ntpdate time2.aliyun.com
|
6)设置 limit 最大打开文件数和最大进程数
| $ ulimit -SHn 65535
$ vim /etc/security/limits.conf
# 末尾添加如下内容
* soft nofile 655360
* hard nofile 131072
* soft nproc 655350
* hard nproc 655350
* soft memlock unlimited
* hard memlock unlimited
|
7)配置密钥,实现免密登录
Master01 节点操作,发送至其他节点
| $ ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
$ for i in k8sm01-4141-pts k8sm02-4142-pts k8sm03-4143-pts k8sn01-4144-pts k8sn02-4145-pts;do
expect -c "
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$i
expect {
\"*yes/no*\" {send \"yes\r\"; exp_continue}
\"*password*\" {send \"password\r\"; exp_continue}
\"*Password*\" {send \"password\r\";}
} "
done
|
2.2 内核升级
新版本使用的是 IPVS 模块,需要内核系统版本支持,建议提前升级内核
1)到 ELREPO 下载自身需要的 RPM 包
| $ wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-5.18.14-1.el7.elrepo.x86_64.rpm
$ wget https://elrepo.org/linux/kernel/el7/x86_64/RPMS/kernel-ml-devel-5.18.14-1.el7.elrepo.x86_64.rpm
|
2)直接加载安装
| $ rpm -ivh kernel-ml-5.18.14-1.el7.elrepo.x86_64.rpm kernel-ml-devel-5.18.14-1.el7.elrepo.x86_64.rpm
warning: kernel-ml-5.18.14-1.el7.elrepo.x86_64.rpm: Header V4 DSA/SHA256 Signature, key ID baadae52: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:kernel-ml-devel-5.18.14-1.el7.elr################################# [ 50%]
2:kernel-ml-5.18.14-1.el7.elrepo ################################# [100%]
|
3)检查现有内核并重置启动项
| $ awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
0 : CentOS Linux (5.18.14-1.el7.elrepo.x86_64) 7 (Core)
1 : CentOS Linux (3.10.0-1160.el7.x86_64) 7 (Core)
2 : CentOS Linux (0-rescue-77ada07bc97843b3a8e034039509ee14) 7 (Core)
$ grub2-set-default 0
$ grub2-mkconfig -o /boot/grub2/grub.cfg && reboot now
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.18.14-1.el7.elrepo.x86_64
Found initrd image: /boot/initramfs-5.18.14-1.el7.elrepo.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-1160.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-1160.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-4d7bc3c723f2437d995ca26258759d4e
Found initrd image: /boot/initramfs-0-rescue-4d7bc3c723f2437d995ca26258759d4e.img
done
$ yum update -y --exclude=kernel* && reboot
|
4)安装 ipvsadm,配置模块
在内核 4.19+ 版本 nf_conntrack_ipv4 已经改为 nf_conntrack, 4.18 以下使用nf_conntrack_ipv4 即可
| $ yum install ipvsadm ipset sysstat conntrack libseccomp -y
$ vim /etc/modules-load.d/ipvs.conf
ip_vs
ip_vs_lc
ip_vs_wlc
ip_vs_rr
ip_vs_wrr
ip_vs_lblc
ip_vs_lblcr
ip_vs_dh
ip_vs_sh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
nf_conntrack
ip_tables
ip_set
xt_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
$ systemctl enable --now systemd-modules-load.service
|
5)开启 k8s 集群中必须的内核参数
| $ cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
fs.may_detach_mounts = 1
vm.overcommit_memory=1
net.ipv4.conf.all.route_localnet = 1
vm.panic_on_oom=0
fs.inotify.max_user_watches=89100
fs.file-max=52706963
fs.nr_open=52706963
net.netfilter.nf_conntrack_max=2310720
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_intvl =15
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 327680
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.ip_conntrack_max = 65536
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 0
net.core.somaxconn = 16384
EOF
# 配置完内核后,重启服务器,检查以保证正常加载
$ sysctl --system && reboot now
$ lsmod | grep --color=auto -e ip_vs -e nf_conntrack
|
三. 基本组件
Containerd Runtime 安装方法有两种,可根据自身需求进行
3.1 Yum 安装
1)查看现有版本
| $ yum list | grep containerd
containerd.io.x86_64 1.6.7-3.1.el7 docker-ce-stable
# 安装docker时,同时安装containerd
$ yum install docker-ce-20.10.* docker-ce-cli-20.10.* containerd -y
|
2)配置 Containerd 所需的模块、内核设置
| $ cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
$ modprobe -- overlay
$ modprobe -- br_netfilter
$ cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
$ sysctl --system
|
3)生成 Containerd 的默认配置文件,并将 Cgroup 改为 Systemd,和修改镜像下载地址
| $ mkdir -p /etc/containerd
$ containerd config default | tee /etc/containerd/config.toml
# 修改k8s.gcr.io/pause:3.6为registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6并修改SystemdCgroup为true
$ sed -i 's#k8s.gcr.io#registry.cn-hangzhou.aliyuncs.com/google_containers#g' /etc/containerd/config.toml
$ sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml
# 验证是否已修改
$ cat /etc/containerd/config.toml | grep -i sandbox_image
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.5"
$ cat /etc/containerd/config.toml | grep -i SystemdCgroup
SystemdCgroup = true
|
4)启动服务并配置 crictl 客户端连接的运行时位置
| $ systemctl daemon-reload && systemctl enable --now containerd
$ cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
$ ctr version
Client:
Version: 1.6.7
Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8
Go version: go1.17.8
Server:
Version: 1.6.7
Revision: 3df54a852345ae127d1fa3092b95168e4a88e2f8
UUID: d6ad552e-4bd8-498d-a4d1-ddedf391bc1b
|
3.2 Source 安装
安装前需要优先升级 libseccomp,centos7 中 yum 下载的版本是 2.3,需要 2.4 以上
1)查看 libseccomp 版本并作更新
| $ rpm -qa | grep libseccomp
libseccomp-2.3.1-4.el7.x86_64
$ rpm -e libseccomp-* --nodeps
|
2)下载新版本 libseccomp rpm 安装
| $ wget http://rpmfind.net/linux/centos/8-stream/BaseOS/x86_64/os/Packages/libseccomp-2.5.1-1.el8.x86_64.rpm
$ rpm -ivh libseccomp-2.5.1-1.el8.x86_64.rpm
$ rpm -qa | grep libseccomp
libseccomp-2.5.1-1.el8.x86_64
|
3)配置 Containerd 所需的模块、内核设置
| $ cat <<EOF | sudo tee /etc/modules-load.d/containerd.conf
overlay
br_netfilter
EOF
$ systemctl restart systemd-modules-load.service
$ modprobe -- overlay
$ modprobe -- br_netfilter
$ cat <<EOF | sudo tee /etc/sysctl.d/99-kubernetes-cri.conf
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
$ sysctl --system
|
4)下载并解压程序包
cri-containerd-1.6.8-linux-amd64.tar.gz 包含containerd以及cri runc等相关工具包,建议下载本包
| $ wget https://github.com/containerd/containerd/releases/download/v1.6.8/cri-containerd-1.6.8-linux-amd64.tar.gz
$ tar -zxvf cri-containerd-cni-1.6.8-linux-amd64.tar.gz -C /
|
5)创建 Containerd 配置文件
| $ mkdir -p /etc/containerd
$ containerd config default > /etc/containerd/config.toml
# 替换默认pause镜像地址
$ sed -i 's#k8s.gcr.io#registry.cn-hangzhou.aliyuncs.com/google_containers#g' /etc/containerd/config.toml
# 配置systemd作为容器的cgroup driver
$ sed -i 's#SystemdCgroup = false#SystemdCgroup = true#g' /etc/containerd/config.toml
# 验证是否已修改
$ cat /etc/containerd/config.toml | grep -i sandbox_image
sandbox_image = "registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.6"
$ cat /etc/containerd/config.toml | grep -i SystemdCgroup
SystemdCgroup = true
|
6)启动 systemd 服务
| # 默认cri-containerd-cni包中已有containerd启动脚本,可直接调用启动
$ systemctl daemon-reload && systemctl enable --now containerd
|
7)配置 crictl 客户端连接运行时
| $ cat > /etc/crictl.yaml <<EOF
runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 10
debug: false
EOF
$ systemctl restart containerd
|
8)验证是否成功
| $ crictl info
$ ctr version
Client:
Version: v1.6.8
Revision: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
Go version: go1.17.13
Server:
Version: v1.6.8
Revision: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
UUID: 0a71d5d8-34ed-4f6a-b8c6-9da1d48262c7
$ containerd --version
containerd github.com/containerd/containerd v1.6.8 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
|
3.3 镜像加速
此为示例文件,仅供参考!建议提前下载对应镜像或采用本地私有仓库!
k8s.gcr.io 只是名称,实际是从 endpoint 地址中拉取镜像
| $ cat /etc/containerd/config.toml | grep -i registry.mirrors -A 1
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
endpoint = ["https://eihzr0te.mirror.aliyuncs.com"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."k8s.gcr.io"]
endpoint = ["https://registry.cn-hongkong.aliyuncs.com/yuikuen/"]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"]
endpoint = ["https://registry.cn-hongkong.aliyuncs.com"]
|
3.4 K8s & Etcd
注意:选用 K8s 版本前,可查看 K8s CHANGELOG 文件,对照 Etcd 版本
1)提前创建程序目录
| $ mkdir -p /opt/cni/bin /etc/{etcd/ssl,kubernetes/{pki,manifests}} /var/{lib/kubelet,log/kubernetes} /etc/systemd/system/kubelet.service.d
|
2)下载相关配置文件
| # Master01操作即可
$ cd /root/; git clone https://github.com/yuikuen/k8s-install.git
$ cd /root/k8s-install && git checkout k8s-install_v1.24.x
$ wget https://dl.k8s.io/v1.24.4/kubernetes-server-linux-amd64.tar.gz
$ wget https://github.com/etcd-io/etcd/releases/download/v3.5.4/etcd-v3.5.4-linux-amd64.tar.gz
|
3)解压并发至其它节点
| $ tar -xf kubernetes-server-linux-amd64.tar.gz --strip-components=3 -C /usr/local/bin kubernetes/server/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy}
$ tar -zxvf etcd-v3.5.5-linux-amd64.tar.gz --strip-components=1 -C /usr/local/bin etcd-v3.5.5-linux-amd64/etcd{,ctl}
$ kubelet --version
Kubernetes v1.24.5
$ etcdctl version
etcdctl version: 3.5.5
API version: 3.5
|
| $ MasterNodes='k8sm02-4142-pts k8sm03-4143-pts'
$ WorkNodes='k8sn01-4144-pts k8sn02-4145-pts'
$ for NODE in $MasterNodes; do echo $NODE;
scp /usr/local/bin/kube{let,ctl,-apiserver,-controller-manager,-scheduler,-proxy} $NODE:/usr/local/bin/;
scp /usr/local/bin/etcd* $NODE:/usr/local/bin/;
done
$ for NODE in $WorkNodes; do
scp /usr/local/bin/kube{let,-proxy} $NODE:/usr/local/bin/ ;
done
|
四. 生成证书
下载自签工具,生成证书
| # Master01操作即可
$ wget "https://pkg.cfssl.org/R1.2/cfssl_linux-amd64" -O /usr/local/bin/cfssl
$ wget "https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64" -O /usr/local/bin/cfssljson
$ chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson
|
4.1 Etcd 证书
Master01 节点生成 Etcd 证书,生成证书的 CSR 文件:证书签名请求文件,配置了一些域名、公司、单位
| $ cd /root/k8s-install/pki
# 生成etcd CA证书和CA证书的key,注意hostname、profile参数要与证书(ca-config.json)设置对应
$ cfssl gencert -initca etcd-ca-csr.json | cfssljson -bare /etc/etcd/ssl/etcd-ca
$ cfssl gencert \
-ca=/etc/etcd/ssl/etcd-ca.pem \
-ca-key=/etc/etcd/ssl/etcd-ca-key.pem \
-config=ca-config.json \
-hostname=127.0.0.1,k8sm01-4141-pts,k8sm02-4142-pts,k8sm03-4143-pts,188.188.4.141,188.188.4.142,188.188.4.143 \
-profile=kubernetes \
etcd-csr.json | cfssljson -bare /etc/etcd/ssl/etcd
|
| $ MasterNodes='k8sm02-4142-pts k8sm03-4143-pts'
$ WorkNodes='k8sn01-4144-pts k8sn02-4145-pts'
$ for NODE in $MasterNodes; do
ssh $NODE "mkdir -p /etc/etcd/ssl"
for FILE in etcd-ca-key.pem etcd-ca.pem etcd-key.pem etcd.pem; do
scp /etc/etcd/ssl/${FILE} $NODE:/etc/etcd/ssl/${FILE}
done
done
|
4.2 K8s 组件证书
如不做高可用集群,10.96.0.1 将改成 Master01 的 IP
1)生成各组件证书
| $ cfssl gencert -initca ca-csr.json | cfssljson -bare /etc/kubernetes/pki/ca
|
| $ cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-hostname=10.96.0.1,188.188.4.140,127.0.0.1,kubernetes,kubernetes.default,kubernetes.default.svc,kubernetes.default.svc.cluster,kubernetes.default.svc.cluster.local,188.188.4.141,188.188.4.142,188.188.4.143 \
-profile=kubernetes \
apiserver-csr.json | cfssljson -bare /etc/kubernetes/pki/apiserver
|
- Front-proxy-client(生成 apiserver 的聚合证书)
| $ cfssl gencert -initca front-proxy-ca-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-ca
$ cfssl gencert \
-ca=/etc/kubernetes/pki/front-proxy-ca.pem \
-ca-key=/etc/kubernetes/pki/front-proxy-ca-key.pem \
-config=ca-config.json -profile=kubernetes \
front-proxy-client-csr.json | cfssljson -bare /etc/kubernetes/pki/front-proxy-client
|
| $ cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
manager-csr.json | cfssljson -bare /etc/kubernetes/pki/controller-manager
# set-cluster:设置一个集群项
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://188.188.4.140:8443 \
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# set-credentials 设置一个用户项
$ kubectl config set-credentials system:kube-controller-manager \
--client-certificate=/etc/kubernetes/pki/controller-manager.pem \
--client-key=/etc/kubernetes/pki/controller-manager-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# 设置一个环境项,一个上下文
$ kubectl config set-context system:kube-controller-manager@kubernetes \
--cluster=kubernetes \
--user=system:kube-controller-manager \
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
# 使用某个环境当做默认环境
$ kubectl config use-context system:kube-controller-manager@kubernetes \
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig
|
| $ cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
scheduler-csr.json | cfssljson -bare /etc/kubernetes/pki/scheduler
# set-cluster:设置一个集群项
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://188.188.4.140:8443 \
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# set-credentials 设置一个用户项
$ kubectl config set-credentials system:kube-scheduler \
--client-certificate=/etc/kubernetes/pki/scheduler.pem \
--client-key=/etc/kubernetes/pki/scheduler-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# 设置一个环境项,一个上下文
$ kubectl config set-context system:kube-scheduler@kubernetes \
--cluster=kubernetes \
--user=system:kube-scheduler \
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig
# 使用某个环境当做默认环境
$ kubectl config use-context system:kube-scheduler@kubernetes \
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig
|
| $ cfssl gencert \
-ca=/etc/kubernetes/pki/ca.pem \
-ca-key=/etc/kubernetes/pki/ca-key.pem \
-config=ca-config.json \
-profile=kubernetes \
admin-csr.json | cfssljson -bare /etc/kubernetes/pki/admin
# set-cluster:设置一个集群项
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://188.188.4.140:8443 \
--kubeconfig=/etc/kubernetes/admin.kubeconfig
# set-credentials 设置一个用户项
$ kubectl config set-credentials kubernetes-admin \
--client-certificate=/etc/kubernetes/pki/admin.pem \
--client-key=/etc/kubernetes/pki/admin-key.pem \
--embed-certs=true \
--kubeconfig=/etc/kubernetes/admin.kubeconfig
# 设置一个环境项,一个上下文
$ kubectl config set-context kubernetes-admin@kubernetes \
--cluster=kubernetes \
--user=kubernetes-admin \
--kubeconfig=/etc/kubernetes/admin.kubeconfig
# 使用某个环境当做默认环境
$ kubectl config use-context kubernetes-admin@kubernetes \
--kubeconfig=/etc/kubernetes/admin.kubeconfig
|
2)创建 Secret,并将其发至其它节点
| $ openssl genrsa -out /etc/kubernetes/pki/sa.key 2048
$ openssl rsa -in /etc/kubernetes/pki/sa.key -pubout -out /etc/kubernetes/pki/sa.pub
|
| $ for NODE in k8sm02-4142-pts k8sm03-4143-pts; do
for FILE in $(ls /etc/kubernetes/pki | grep -v etcd); do
scp /etc/kubernetes/pki/${FILE} $NODE:/etc/kubernetes/pki/${FILE};
done;
for FILE in admin.kubeconfig controller-manager.kubeconfig scheduler.kubeconfig; do
scp /etc/kubernetes/${FILE} $NODE:/etc/kubernetes/${FILE};
done;
done
# 查看证书文件
$ ls /etc/kubernetes/pki/ |wc -l
23
|
五. 高可用配置
如不是高可用集群,HAProxy & KeepAlived 无需安装
如使用云上托管服务,可直接使用云上 lb,如阿里云 slb、腾讯云 elb 等
1)所有 Master 节点进行安装
| $ yum -y install haproxy keepalived
|
5.1 HAProxy
| # 所有Master的HAProxy配置一样
$ vim /etc/haproxy/haproxy.cfg
global
maxconn 2000
ulimit-n 16384
log 127.0.0.1 local0 err
stats timeout 30s
defaults
log global
mode http
option httplog
timeout connect 5000
timeout client 50000
timeout server 50000
timeout http-request 15s
timeout http-keep-alive 15s
frontend k8s-master
bind 0.0.0.0:8443
bind 127.0.0.1:8443
mode tcp
option tcplog
tcp-request inspect-delay 5s
default_backend k8s-master
backend k8s-master
mode tcp
option tcplog
option tcp-check
balance roundrobin
default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
server k8sm01-4141-pts 188.188.4.141:6443 check
server k8sm02-4142-pts 188.188.4.142:6443 check
server k8sm03-4143-pts 188.188.4.143:6443 check
|
5.2 KeepAlived
所有 Master 节点的 KeepAlived 配置不一样,注意每个节点的IP和网卡(interface参数)
| $ vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state MASTER
interface eth0
mcast_src_ip 188.188.4.141
virtual_router_id 14
priority 101
nopreempt
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
188.188.4.140
}
track_script {
chk_apiserver
} }
|
| $ vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
mcast_src_ip 188.188.4.142
virtual_router_id 14
priority 100
nopreempt
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
188.188.4.140
}
track_script {
chk_apiserver
} }
|
| $ vim /etc/keepalived/keepalived.conf
! Configuration File for keepalived
global_defs {
router_id LVS_DEVEL
}
vrrp_script chk_apiserver {
script "/etc/keepalived/check_apiserver.sh"
interval 5
weight -5
fall 2
rise 1
}
vrrp_instance VI_1 {
state BACKUP
interface eth0
mcast_src_ip 188.188.4.143
virtual_router_id 14
priority 100
nopreempt
advert_int 2
authentication {
auth_type PASS
auth_pass K8SHA_KA_AUTH
}
virtual_ipaddress {
188.188.4.140
}
track_script {
chk_apiserver
} }
|
5.3 健康检查
| # 所有Master节点
$ vim /etc/keepalived/check_apiserver.sh
#!/bin/bash
err=0
for k in $(seq 1 3)
do
check_code=$(pgrep haproxy)
if [[ $check_code == "" ]]; then
err=$(expr $err + 1)
sleep 1
continue
else
err=0
break
fi
done
if [[ $err != "0" ]]; then
echo "systemctl stop keepalived"
/usr/bin/systemctl stop keepalived
exit 1
else
exit 0
fi
# 授权并启动服务测试
$ chmod +x /etc/keepalived/check_apiserver.sh
$ systemctl daemon-reload && systemctl enable --now haproxy keepalived
$ systemctl status haproxy keepalived
|
六. 组件配置
6.1 Etcd
配置大致相同,注意修改每个 Master 节点的 etcd 配置的主机名和 IP 地址
1)所有 Master 节点创建配置文件
| $ vim /etc/etcd/etcd.config.yml
name: 'k8sm01-4141-pts'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://188.188.4.141:2380'
listen-client-urls: 'https://188.188.4.141:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://188.188.4.141:2380'
advertise-client-urls: 'https://188.188.4.141:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8sm01-4141-pts=https://188.188.4.141:2380,k8sm02-4142-pts=https://188.188.4.142:2380,k8sm03-4143-pts=https://188.188.4.143:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
peer-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
peer-client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
|
| $ vim /etc/etcd/etcd.config.yml
name: 'k8sm02-4142-pts'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://188.188.4.142:2380'
listen-client-urls: 'https://188.188.4.142:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://188.188.4.142:2380'
advertise-client-urls: 'https://188.188.4.142:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8sm01-4141-pts=https://188.188.4.141:2380,k8sm02-4142-pts=https://188.188.4.142:2380,k8sm03-4143-pts=https://188.188.4.143:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
peer-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
peer-client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
|
| $ vim /etc/etcd/etcd.config.yml
name: 'k8sm03-4143-pts'
data-dir: /var/lib/etcd
wal-dir: /var/lib/etcd/wal
snapshot-count: 5000
heartbeat-interval: 100
election-timeout: 1000
quota-backend-bytes: 0
listen-peer-urls: 'https://188.188.4.143:2380'
listen-client-urls: 'https://188.188.4.143:2379,http://127.0.0.1:2379'
max-snapshots: 3
max-wals: 5
cors:
initial-advertise-peer-urls: 'https://188.188.4.143:2380'
advertise-client-urls: 'https://188.188.4.143:2379'
discovery:
discovery-fallback: 'proxy'
discovery-proxy:
discovery-srv:
initial-cluster: 'k8sm01-4141-pts=https://188.188.4.141:2380,k8sm02-4142-pts=https://188.188.4.142:2380,k8sm03-4143-pts=https://188.188.4.143:2380'
initial-cluster-token: 'etcd-k8s-cluster'
initial-cluster-state: 'new'
strict-reconfig-check: false
enable-v2: true
enable-pprof: true
proxy: 'off'
proxy-failure-wait: 5000
proxy-refresh-interval: 30000
proxy-dial-timeout: 1000
proxy-write-timeout: 5000
proxy-read-timeout: 0
client-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
peer-transport-security:
cert-file: '/etc/kubernetes/pki/etcd/etcd.pem'
key-file: '/etc/kubernetes/pki/etcd/etcd-key.pem'
peer-client-cert-auth: true
trusted-ca-file: '/etc/kubernetes/pki/etcd/etcd-ca.pem'
auto-tls: true
debug: false
log-package-levels:
log-outputs: [default]
force-new-cluster: false
|
2)所有 Master 节点创建 Service 服务文件
| $ vim /usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Service
Documentation=https://coreos.com/etcd/docs/latest/
After=network.target
[Service]
Type=notify
ExecStart=/usr/local/bin/etcd --config-file=/etc/etcd/etcd.config.yml
Restart=on-failure
RestartSec=10
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
Alias=etcd3.service
# 创建etcd的证书目录
$ mkdir /etc/kubernetes/pki/etcd
$ ln -s /etc/etcd/ssl/* /etc/kubernetes/pki/etcd/
$ systemctl daemon-reload && systemctl enable --now etcd
# 查看Etcd状态
$ export ETCDCTL_API=3
$ etcdctl --endpoints="188.188.4.143:2379,188.188.4.142:2379,188.188.4.141:2379" \
--cacert=/etc/kubernetes/pki/etcd/etcd-ca.pem \
--cert=/etc/kubernetes/pki/etcd/etcd.pem \
--key=/etc/kubernetes/pki/etcd/etcd-key.pem \
endpoint status --write-out=table
|
6.2 ApiServer
所有 Master 节点创建 kube-apiserver service,注意如不是高可用集群,188.188.4.140 改为 Master01 地址
PS:1.24.x Kube-apiserver: 不安全的地址标志 --address,--insecure-bind-address 和 --port( --insecure-portinert since 1.20) 被移除
- insecure-port 的参数在最新 cdk 已经被注释了,这个参数在 K8s 1.24 会直接弃用
- feature-gates=LegacyServiceAccountTokenNoAutoGeneration:停止自动生成基于 Secret 的 服务帐户令牌
1)创建 Server 配置文件
| $ vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--v=2 \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=188.188.4.141 \
--service-cluster-ip-range=10.96.0.0/16 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://188.188.4.141:2379,https://188.188.4.142:2379,https://188.188.4.143:2379 \
--etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
--tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
# 增加-停止自动生成基于 Secret 的服务帐户令牌
--feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/token.csv
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
|
| $ vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--v=2 \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=188.188.4.142 \
--service-cluster-ip-range=10.96.0.0/16 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://188.188.4.141:2379,https://188.188.4.142:2379,https://188.188.4.143:2379 \
--etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
--tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
# 增加-停止自动生成基于 Secret 的服务帐户令牌
--feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/token.csv
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
|
| $ vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
--v=2 \
--logtostderr=true \
--allow-privileged=true \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--advertise-address=188.188.4.143 \
--service-cluster-ip-range=10.96.0.0/16 \
--service-node-port-range=30000-32767 \
--etcd-servers=https://188.188.4.141:2379,https://188.188.4.142:2379,https://188.188.4.143:2379 \
--etcd-cafile=/etc/etcd/ssl/etcd-ca.pem \
--etcd-certfile=/etc/etcd/ssl/etcd.pem \
--etcd-keyfile=/etc/etcd/ssl/etcd-key.pem \
--client-ca-file=/etc/kubernetes/pki/ca.pem \
--tls-cert-file=/etc/kubernetes/pki/apiserver.pem \
--tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem \
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver.pem \
--kubelet-client-key=/etc/kubernetes/pki/apiserver-key.pem \
--service-account-key-file=/etc/kubernetes/pki/sa.pub \
--service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--service-account-issuer=https://kubernetes.default.svc.cluster.local \
--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname \
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota \
# 增加-停止自动生成基于 Secret 的服务帐户令牌
--feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false \
--authorization-mode=Node,RBAC \
--enable-bootstrap-token-auth=true \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.pem \
--proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client-key.pem \
--requestheader-allowed-names=aggregator \
--requestheader-group-headers=X-Remote-Group \
--requestheader-extra-headers-prefix=X-Remote-Extra- \
--requestheader-username-headers=X-Remote-User
# --token-auth-file=/etc/kubernetes/token.csv
Restart=on-failure
RestartSec=10s
LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
|
所有 Master 节点开启服务并检查状态
| $ systemctl daemon-reload && systemctl enable --now kube-apiserver
$ systemctl status kube-apiserver
|
6.3 ControllerManager
所有 Master 节点的 kube-controller-manager service 配置一样
PS:自 v1.20 以来,不安全的地址标志 --address 和 --port kube-controller-manager 中的标志无效,并在 v1.24 中被删除
| $ vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-controller-manager \
--v=2 \
--logtostderr=true \
--root-ca-file=/etc/kubernetes/pki/ca.pem \
--cluster-signing-cert-file=/etc/kubernetes/pki/ca.pem \
--cluster-signing-key-file=/etc/kubernetes/pki/ca-key.pem \
--service-account-private-key-file=/etc/kubernetes/pki/sa.key \
--kubeconfig=/etc/kubernetes/controller-manager.kubeconfig \
# 增加-停止自动生成基于 Secret 的服务帐户令牌
--feature-gates=LegacyServiceAccountTokenNoAutoGeneration=false \
--leader-elect=true \
--use-service-account-credentials=true \
--node-monitor-grace-period=40s \
--node-monitor-period=5s \
--pod-eviction-timeout=2m0s \
--controllers=*,bootstrapsigner,tokencleaner \
--allocate-node-cidrs=true \
--cluster-cidr=172.16.0.0/12 \
--requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem \
--node-cidr-mask-size=24
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
|
所有 Master 节点开启服务并检查状态
| $ systemctl daemon-reload && systemctl enable --now kube-controller-manager
$ systemctl status kube-controller-manager
|
6.4 Scheduler
所有 Master 节点的 kube-scheduler service 配置一样
PS:Kube-scheduler 删除不安全的标志。您可以改用 --bind-address 和 --secure-port
| $ vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-scheduler \
--v=2 \
--logtostderr=true \
--leader-elect=true \
--authentication-kubeconfig=/etc/kubernetes/scheduler.kubeconfig \
--authorization-kubeconfig=/etc/kubernetes/scheduler.kubeconfig \
--kubeconfig=/etc/kubernetes/scheduler.kubeconfig
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
|
所有 Master 节点开启服务并检查状态
| $ systemctl daemon-reload && systemctl enable --now kube-scheduler
$ systemctl status kube-scheduler
|
七. TLS Bootstrapping
注:如需修改文件中的 token-id 和 token-secret,需要保持一致
在配置文件中的 token 定义中,需要注意:
- token 的 name 必须是
bootstrap-token-<token-id> 的格式
- token 的 type 必须是
bootstrap.kubernetes.io/token
- token 的 token-id 和 token-secret 分别是6位和16位数字和字母的组合
auth-extra-groups 定义了 token 代表的用户所属的额外的 group,而默认 group 名为 system:bootstrappers- 这种类型 token 代表的用户名为
system:bootstrap:<token-id>,在本文中就是 system:bootstrap:abcdef
1)Master01 操作即可,生成随便字符串
| $ cat /dev/urandom | head -n 22 | md5sum | head -c 22
dd4414.74c103b52e297e6c
|
| $ cd /root/k8s-install/bootstrap
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://188.188.4.140:8443 \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig
$ kubectl config set-credentials tls-bootstrap-token-user \
--token=dd4414.74c103b52e297e6c \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig
$ kubectl config set-context tls-bootstrap-token-user@kubernetes \
--cluster=kubernetes \
--user=tls-bootstrap-token-user \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig
$ kubectl config use-context tls-bootstrap-token-user@kubernetes \
--kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig
$ mkdir -p /root/.kube ; cp /etc/kubernetes/admin.kubeconfig /root/.kube/config
|
2)查看集群状态,正常即可继续操作
| $ kubectl get cs
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Healthy {"health":"true","reason":""}
etcd-2 Healthy {"health":"true","reason":""}
etcd-0 Healthy {"health":"true","reason":""}
$ kubectl create -f bootstrap.secret.yaml
secret/bootstrap-token-dd4414 created
clusterrolebinding.rbac.authorization.k8s.io/kubelet-bootstrap created
clusterrolebinding.rbac.authorization.k8s.io/node-autoapprove-bootstrap created
clusterrolebinding.rbac.authorization.k8s.io/node-autoapprove-certificate-rotation created
clusterrole.rbac.authorization.k8s.io/system:kube-apiserver-to-kubelet created
clusterrolebinding.rbac.authorization.k8s.io/system:kube-apiserver created
|
八. Node
Master01 节点将证书复制至其他节点
| $ cd /etc/kubernetes/
$ for NODE in k8sm02-4142-pts k8sm03-4143-pts k8sn01-4144-pts k8sn02-4145-pts; do
ssh $NODE mkdir -p /etc/kubernetes/pki /etc/etcd/ssl
for FILE in etcd-ca.pem etcd.pem etcd-key.pem; do
scp /etc/etcd/ssl/$FILE $NODE:/etc/etcd/ssl/
done
for FILE in pki/ca.pem pki/ca-key.pem pki/front-proxy-ca.pem bootstrap-kubelet.kubeconfig; do
scp /etc/kubernetes/$FILE $NODE:/etc/kubernetes/${FILE}
done
done
|
8.1 Kubelet
1)所有节点配置 kubelet service
| $ vim /usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kubelet
Restart=always
StartLimitInterval=0
RestartSec=10
[Install]
WantedBy=multi-user.target
|
2)所有节点创建 Kubelet 配置文件
Runtime 为 Containerd,按以下内容创建 Kubelet 配置文件
PS:以下与 dockershim 相关的标志也将与 dockershim 一起删除 --experimental-dockershim-root-directory, --docker-endpoint, --image-pull-progress-deadline, --network-plugin, --cni-conf-dir, --cni-bin-dir, --cni-cache-dir, --network-plugin-mtu
| $ vim /etc/systemd/system/kubelet.service.d/10-kubelet.conf
[Service]
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig"
Environment="KUBELET_SYSTEM_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
Environment="KUBELET_CONFIG_ARGS=--config=/etc/kubernetes/kubelet-conf.yml"
Environment="KUBELET_EXTRA_ARGS=--node-labels=node.kubernetes.io/node='' "
ExecStart=
ExecStart=/usr/local/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_CONFIG_ARGS $KUBELET_SYSTEM_ARGS $KUBELET_EXTRA_ARGS
|
| $ vim /etc/kubernetes/kubelet-conf.yml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
address: 0.0.0.0
port: 10250
readOnlyPort: 10255
authentication:
anonymous:
enabled: false
webhook:
cacheTTL: 2m0s
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
mode: Webhook
webhook:
cacheAuthorizedTTL: 5m0s
cacheUnauthorizedTTL: 30s
cgroupDriver: systemd
cgroupsPerQOS: true
clusterDNS:
- 10.96.0.10
clusterDomain: cluster.local
containerLogMaxFiles: 5
containerLogMaxSize: 10Mi
contentType: application/vnd.kubernetes.protobuf
cpuCFSQuota: true
cpuManagerPolicy: none
cpuManagerReconcilePeriod: 10s
enableControllerAttachDetach: true
enableDebuggingHandlers: true
enforceNodeAllocatable:
- pods
eventBurst: 10
eventRecordQPS: 5
evictionHard:
imagefs.available: 15%
memory.available: 100Mi
nodefs.available: 10%
nodefs.inodesFree: 5%
evictionPressureTransitionPeriod: 5m0s
failSwapOn: true
fileCheckFrequency: 20s
hairpinMode: promiscuous-bridge
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 20s
imageGCHighThresholdPercent: 85
imageGCLowThresholdPercent: 80
imageMinimumGCAge: 2m0s
iptablesDropBit: 15
iptablesMasqueradeBit: 14
kubeAPIBurst: 10
kubeAPIQPS: 5
makeIPTablesUtilChains: true
maxOpenFiles: 1000000
maxPods: 110
nodeStatusUpdateFrequency: 10s
oomScoreAdj: -999
podPidsLimit: -1
registryBurst: 10
registryPullQPS: 5
resolvConf: /etc/resolv.conf
rotateCertificates: true
runtimeRequestTimeout: 2m0s
serializeImagePulls: true
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 4h0m0s
syncFrequency: 1m0s
volumeStatsAggPeriod: 1m0s
|
启动所有节点 kubelet 服务
| $ systemctl daemon-reload && systemctl enable --now kubelet
# 状态为Active: active (running)并且输出信息都为I0819才算正常
$ systemctl status kubelet
● kubelet.service - Kubernetes Kubelet
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/kubelet.service.d
└─10-kubelet.conf
Active: active (running) since Fri 2022-08-19 12:05:33 CST; 4min 29s ago
Docs: https://github.com/kubernetes/kubernetes
Main PID: 72194 (kubelet)
Tasks: 18
Memory: 41.2M
CGroup: /system.slice/kubelet.service
└─72194 /usr/local/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --config=/etc/kubernetes/kubelet-conf.yml --co...
Aug 19 12:05:33 k8sm01-4141-pts kubelet[72194]: I0819 12:05:33.688575 72194 state_mem.go:88] "Updated default CPUSet" cpuSet=""
Aug 19 12:05:33 k8sm01-4141-pts kubelet[72194]: I0819 12:05:33.688594 72194 state_mem.go:96] "Updated CPUSet assignments" assignments=map[]
...
|
Active: active (running) 并不代表完全正常,信息输出 E0819 + Error ... 同样是失败
3)查看系统日志和集群状态
| # 如果正常日志信息不会循环打印
$ tail -f /var/log/messages
$ kubectl get node
|
Ready 不代表 Node 连接正常,还需要配置 Proxy/Calico/CoreDNS
8.2 Kube-Proxy
仅在 Master01 执行
1)通过 Master01 获取参数值并生成 kubeconfig 文件
| $ cd /root/k8s-install
$ kubectl -n kube-system create serviceaccount kube-proxy
$ kubectl create clusterrolebinding system:kube-proxy \
--clusterrole system:node-proxier \
--serviceaccount kube-system:kube-proxy
$ SECRET=$(kubectl -n kube-system get sa/kube-proxy \
--output=jsonpath='{.secrets[0].name}')
$ JWT_TOKEN=$(kubectl -n kube-system get secret/$SECRET \
--output=jsonpath='{.data.token}' | base64 -d)
$ PKI_DIR=/etc/kubernetes/pki
$ K8S_DIR=/etc/kubernetes
$ kubectl config set-cluster kubernetes \
--certificate-authority=/etc/kubernetes/pki/ca.pem \
--embed-certs=true \
--server=https://188.188.4.140:8443 \
--kubeconfig=${K8S_DIR}/kube-proxy.kubeconfig
$ kubectl config set-credentials kubernetes \
--token=${JWT_TOKEN} \
--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig
$ kubectl config set-context kubernetes \
--cluster=kubernetes \
--user=kubernetes \
--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig
$ kubectl config use-context kubernetes \
--kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig
|
2)将 kuberconfig 发至其他节点
| $ for NODE in k8sm02-4142-pts k8sm03-4143-pts; do
scp /etc/kubernetes/kube-proxy.kubeconfig $NODE:/etc/kubernetes/kube-proxy.kubeconfig
done
$ for NODE in k8sn01-4144-pts k8sn02-4145-pts; do
scp /etc/kubernetes/kube-proxy.kubeconfig $NODE:/etc/kubernetes/kube-proxy.kubeconfig
done
|
3)所有节点添加 kube-proxy 的配置和 service 文件
| $ vim /usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Kube Proxy
Documentation=https://github.com/kubernetes/kubernetes
After=network.target
[Service]
ExecStart=/usr/local/bin/kube-proxy \
--config=/etc/kubernetes/kube-proxy.yaml \
--v=2
Restart=always
RestartSec=10s
[Install]
WantedBy=multi-user.target
|
| $ vim /etc/kubernetes/kube-proxy.yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
bindAddress: 0.0.0.0
clientConnection:
acceptContentTypes: ""
burst: 10
contentType: application/vnd.kubernetes.protobuf
kubeconfig: /etc/kubernetes/kube-proxy.kubeconfig
qps: 5
clusterCIDR: 172.16.0.0/12
configSyncPeriod: 15m0s
conntrack:
max: null
maxPerCore: 32768
min: 131072
tcpCloseWaitTimeout: 1h0m0s
tcpEstablishedTimeout: 24h0m0s
enableProfiling: false
healthzBindAddress: 0.0.0.0:10256
hostnameOverride: ""
iptables:
masqueradeAll: false
masqueradeBit: 14
minSyncPeriod: 0s
syncPeriod: 30s
ipvs:
masqueradeAll: true
minSyncPeriod: 5s
scheduler: "rr"
syncPeriod: 30s
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs"
nodePortAddresses: null
oomScoreAdj: -999
portRange: ""
udpIdleTimeout: 250ms
|
所有节点启动 kube-proxy
| $ systemctl daemon-reload && systemctl enable --now kube-proxy
$ systemctl status kube-proxy
|
九. Calico
Master01 节点执行即可
安装前请参考安装要求,根据数据存储和节点数量,选择参数文件来安装 Calico
1)下载程序文件
| # 最新版本
$ curl https://projectcalico.docs.tigera.io/manifests/calico.yaml -O
$ curl https://projectcalico.docs.tigera.io/manifests/calico-typha.yaml -o calico.yaml
$ curl https://projectcalico.docs.tigera.io/manifests/calico-etcd.yaml -o calico.yaml
# 选择推荐版本
$ curl https://projectcalico.docs.tigera.io/archive/v3.23/manifests/calico.yaml -O
$ curl https://projectcalico.docs.tigera.io/archive/v3.23/manifests/calico-typha.yaml -o calico.yaml
$ curl https://projectcalico.docs.tigera.io/archive/v3.23/manifests/calico-etcd.yaml -o calico.yaml
|
2)根据节点及需求选择版本安装
| $ curl https://projectcalico.docs.tigera.io/archive/v3.23/manifests/calico-typha.yaml -o calico.yaml
$ POD_SUBNET="172.16.0.0/12"
$ sed -i 's@# - name: CALICO_IPV4POOL_CIDR@- name: CALICO_IPV4POOL_CIDR@g; s@# value: "192.168.0.0/16"@ value: '"${POD_SUBNET}"'@g' calico.yaml
$ grep "IPV4POOL_CIDR" calico.yaml -A 1
- name: CALICO_IPV4POOL_CIDR
value: "172.16.0.0/12"
$ kubectl apply -f calico.yaml
configmap/calico-config created
customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/caliconodestatuses.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/ipreservations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/kubecontrollersconfigurations.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
clusterrole.rbac.authorization.k8s.io/calico-node created
clusterrolebinding.rbac.authorization.k8s.io/calico-node created
service/calico-typha created
deployment.apps/calico-typha created
Warning: policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
poddisruptionbudget.policy/calico-typha created
daemonset.apps/calico-node created
serviceaccount/calico-node created
deployment.apps/calico-kube-controllers created
serviceaccount/calico-kube-controllers created
poddisruptionbudget.policy/calico-kube-controllers created
$ kubectl get po -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-75f9f667-lq7g6 1/1 Running 0 110s
calico-node-bhdcc 1/1 Running 0 110s
calico-node-c5drh 1/1 Running 0 110s
calico-node-d9k6f 1/1 Running 0 110s
calico-node-dqfrw 1/1 Running 0 110s
calico-node-vjpc8 1/1 Running 0 110s
calico-typha-6ff7d69c7f-4l85l 1/1 Running 0 110s
$ crictl pods
POD ID CREATED STATE NAME NAMESPACE ATTEMPT RUNTIME
a4b9cf3836b68 About a minute ago Ready calico-kube-controllers-75f9f667-lq7g6 kube-system 0 (default)
dd1ad0d486726 About a minute ago Ready calico-node-vjpc8 kube-system 0 (default)
$ crictl images
IMAGE TAG IMAGE ID SIZE
registry.cn-hangzhou.aliyuncs.com/google_containers/pause 3.6 6270bb605e12e 302kB
registry.cn-hongkong.aliyuncs.com/yuikuen/cni v3.23.3 f0c59ea5f2652 108MB
registry.cn-hongkong.aliyuncs.com/yuikuen/kube-controllers v3.23.3 a47d709fe3a65 53.8MB
registry.cn-hongkong.aliyuncs.com/yuikuen/node v3.23.3 5f5175f39b19e 73.5MB
|
| $ curl https://projectcalico.docs.tigera.io/archive/v3.23/manifests/calico-etcd.yaml -o calico.yaml
$ sed -i 's#etcd_endpoints: "http://<ETCD_IP>:<ETCD_PORT>"#etcd_endpoints: "https://188.188.4.141:2379,https://188.188.4.142:2379,https://188.188.4.143:2379"#g' calico-etcd.yaml
$ ETCD_CA=`cat /etc/kubernetes/pki/etcd/etcd-ca.pem | base64 | tr -d '\n'`
$ ETCD_CERT=`cat /etc/kubernetes/pki/etcd/etcd.pem | base64 | tr -d '\n'`
$ ETCD_KEY=`cat /etc/kubernetes/pki/etcd/etcd-key.pem | base64 | tr -d '\n'`
$ sed -i "s@# etcd-key: null@etcd-key: ${ETCD_KEY}@g; s@# etcd-cert: null@etcd-cert: ${ETCD_CERT}@g; s@# etcd-ca: null@etcd-ca: ${ETCD_CA}@g" calico-etcd.yaml
$ sed -i 's#etcd_ca: ""#etcd_ca: "/calico-secrets/etcd-ca"#g; s#etcd_cert: ""#etcd_cert: "/calico-secrets/etcd-cert"#g; s#etcd_key: "" #etcd_key: "/calico-secrets/etcd-key" #g' calico-etcd.yaml
$ POD_SUBNET="172.16.0.0/12"
$ sed -i 's@# - name: CALICO_IPV4POOL_CIDR@- name: CALICO_IPV4POOL_CIDR@g; s@# value: "192.168.0.0/16"@ value: '"${POD_SUBNET}"'@g' calico-etcd.yaml
$ kubectl apply -f calico.yaml
$ kubectl get po -n kube-system
|
注:如果容器状态异常可以使用 kubectl describe 或者 kubectl logs 查看容器的日志
十. CoreDNS
安装前请参考 CoreDNS GitHub 版本介绍和 yaml 示例文件/1.86 yaml示例文件
| # 注意示例文件已提前修改过内容,主要修改REVERSE_CIDRS、DNS_DOMAIN、CLUSTER_DNS_IP等变量为实际值
$ cd /root/k8s-install/CoreDNS
$ COREDNS_SERVICE_IP=`kubectl get svc | grep kubernetes | awk '{print $3}'`0
$ echo $COREDNS_SERVICE_IP
10.96.0.10
$ sed -i "s#CLUSTER_DNS_IP#${COREDNS_SERVICE_IP}#g" coredns.yaml
$ grep "clusterIP" coredns.yaml
clusterIP: 10.96.0.10
$ kubectl create -f coredns.yaml
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.apps/coredns created
service/kube-dns created
$ kubectl get po -n kube-system -l k8s-app=kube-dns
NAME READY STATUS RESTARTS AGE
coredns-5db5696c7-cj577 1/1 Running 0 14s
|
最新版本未经测试,建议选用推荐版本,具体更新如下图所示
| $ COREDNS_SERVICE_IP=`kubectl get svc | grep kubernetes | awk '{print $3}'`0
$ echo $COREDNS_SERVICE_IP
10.96.0.10
$ git clone https://github.com/coredns/deployment.git
$ cd deployment/kubernetes
$ ./deploy.sh -s -i ${COREDNS_SERVICE_IP} | kubectl apply -f -
$ kubectl get po -n kube-system -l k8s-app=kube-dns
|
十一. Metrics Server
在新版的 Kubernetes 中系统资源的采集均使用 Metrics-server,可以通过 Metrics 采集节点和 Pod 的内存、磁盘、CPU 和网络的使用率
安装前可查看 官方 GitHub 版本兼容是否合适
| Metrics Server |
Metrics API group/version |
Supported Kubernetes version |
| 0.6.x |
metrics.k8s.io/v1beta1 |
1.19+ |
| 0.5.x |
metrics.k8s.io/v1beta1 |
*1.8+ |
| 0.4.x |
metrics.k8s.io/v1beta1 |
*1.8+ |
| 0.3.x |
metrics.k8s.io/v1beta1 |
1.8-1.21 |
注:提前下载镜像并修改镜像地址信息和添加证书认证,否则无法下载到镜像
| $ wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.6.1/components.yaml
# 添加证书验证并修改证书
# nu:129~137
spec:
containers:
- args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
# 添加证书认证内容,参考'配置聚合层',并修改镜像地址
- --kubelet-insecure-tls
- --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.pem # change to front-proxy-ca.crt for kubeadm
- --requestheader-username-headers=X-Remote-User
- --requestheader-group-headers=X-Remote-Group
- --requestheader-extra-headers-prefix=X-Remote-Extra-
image: registry.cn-hongkong.aliyuncs.com/yuikuen/metrics-server:v0.6.1
# nu:167~176
volumeMounts:
- mountPath: /tmp
name: tmp-dir
# 添加证书路径,进行hostPath挂载
- name: ca-ssl
mountPath: /etc/kubernetes/pki
nodeSelector:
kubernetes.io/os: linux
priorityClassName: system-cluster-critical
serviceAccountName: metrics-server
volumes:
- emptyDir: {}
name: tmp-dir
- name: ca-ssl
hostPath:
path: /etc/kubernetes/pki
$ kubectl create -f .
$ kubectl get po -n kube-system -l k8s-app=metrics-server
NAME READY STATUS RESTARTS AGE
metrics-server-589b87cf7c-p4dk6 1/1 Running 0 42s
|
同官方推荐操作方法一样,提前下载镜像并修改镜像地址信息和添加证书认证
| # 修改方法一样,不再详细说明
$ kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
$ kubectl create -f .
$ kubectl get po -n kube-system -l k8s-app=metrics-server
|
十二. Dashboard
Dashboard 用于展示集群中的各类资源,同时也可以实时查看 Pod 的日志和在容器中执行一些命令等
安装前请查看 Dashboard Releases 的版本介绍,保证与 K8s 的兼容
| Kubernetes version |
1.21 |
1.22 |
1.23 |
1.24 |
| Compatibility |
? |
? |
? |
✓ |
✓ Fully supported version range.? Due to breaking changes between Kubernetes API versions, some features might not work correctly in the Dashboard.
1)下载兼容的版本文件
| # 官方推荐版本
$ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.0/aio/deploy/recommended.yaml
# 最新版本(不建议)
$ wget kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.6.1/aio/deploy/recommended.yaml
|
2)创建管理员的 Account 文件
| $ cat dashboard-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
license: 34C7357D6D1C641D4CA1E369E7244F61
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
|
3)浏览器访问(Chrome)需要添加启动参数,否则因安全问题无法访问
解决方法:浏览器快捷方式增加参数 --test-type --ignore-certificate-errors
4)更改 dashboard 的 svc 为 NodePort,暴露端口进行访问
| $ kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard
ports:
- port: 443
protocol: TCP
targetPort: 8443
# 可自定义
nodePort: 30000
selector:
k8s-app: kubernetes-dashboard
sessionAffinity: None
# 将ClusterIP改为NodePort
type: NodePort
$ kubectl get po,svc -n kubernetes-dashboard
|
5)查看管理员的 token 值
| $ kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
|
