k8s系列-使用kubeadm部署k8s集群

发表于 | 分类于

K8S-部署

一.kubeadm简介

K8S基础相关概念后续介绍,先使用kubeadm搭建k8s集群

由于原生K8S部署方式过于复杂,被广大k8s用户用户诟病,所以推动了像kubeadm、kops、kubespray等等,虽然原生k8s部署复杂,所以先使用kubeadm进行k8s部署

kubeadm介绍

Kubeadm 是一个工具,它提供了 kubeadm init 以及 kubeadm join 这两个命令作为快速创建 kubernetes 集群的最佳实践

kubeadm能做什么

  • kubeadm init 启动一个 Kubernetes 主节点
  • kubeadm join 启动一个 Kubernetes 工作节点并且将其加入到集群
  • kubeadm upgrade 更新一个 Kubernetes 集群到新版本
  • kubeadm config 如果使用 v1.7.x 或者更低版本的 kubeadm 初始化集群,您需要对集群做一些配置以便使用 kubeadm upgrade 命令
  • kubeadm token 管理 kubeadm join 使用的令牌
  • kubeadm reset 还原 kubeadm init 或者 kubeadm join 对主机所做的任何更改
  • kubeadm version 打印 kubeadm 版本
  • kubeadm alpha 预览一组可用的新功能以便从社区搜集反馈

kubeadm大大简化部署kubernetes的准备工作,尤其是配置文件,证书等的生成和制作

二.部署前的准备

多台主机hostname一定要不一样,我这里centos7使用 hostnamectl set-hostname 命令进行设置
这里我使用的是centos7,内核版本3.10.xxx,桥接网卡模式,配置静态IP
1.节点主机要求

  • 每台机器 2 GB 以上的内存,内存不足时应用会受限制
  • 主节点上 2 CPU 以上
  • 集群里所有的机器有完全的网络连接,公有网络或者私有网络都可以

1.先关闭和禁用防火墙等

为了两台主机能够互通,先关闭防火墙

1
2
3
systemctl stop firewalld

systemctl disable firewalld

禁用SELINUX

1
setenforce 0

创建 /etc/sysctl.d/k8s.conf 文件,添加如下内容

1
2
3
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1

执行下面的命令使修改生效

1
2
modprobe br_netfilter
sysctl -p /etc/sysctl.d/k8s.conf

2.安装Docker

使用如下命令安装,我安装的是k8s v1.13.x,最高支持docker-ce 18.06 为了没有警告,我安装的是docker-ce 18.06版本

1
2
3
4
5
6
7
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
sudo yum makecache fast
sudo yum -y install docker-ce

sudo service docker start
sudo systemctl enable docker

可以使用 (yum list docker-ce –showduplicates|sort -r) 查看docker-ce列表,使用( yum install docker-ce-xxxversion )进行安装制定版本docker,v1.13最高docker-ce 18.06
配置阿里云镜像加速器

1
2
3
4
5
6
7
8
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://70z1fz9s.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

3.安装kubeadm kubectl kubelet

执行如下命令

1
2
3
4
5
6
7
8
9
10
11
12
13
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

yum install -y kubelet kubeadm kubectl

systemctl enable kubelet && systemctl start kubelet

4.关闭交换分区

k8s从1.8开始要求系统关闭交换分区,否则默认配置的kubelet无法启动
编辑 /etc/fstab ,注释有swap的那一行
用于永久禁用swap,并且使用下面的命令

1
sudo swapoff -a

5.kubeadm执行初始化,部署Master节点

初始化Master节点

1
kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.50.231 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.13.4
  • –pod-network-cidr :后续安装 flannel 的前提条件,且值为 10.244.0.0/16
  • –apiserver-advertise-address :Master 节点的 IP 地址
  • –image-repository registry.aliyuncs.com/google_containers 指定镜像下载地址,Kubenetes默认Registries地址是k8s.gcr.io,很明显,在国内并不能访问gcr.io,因此在kubeadm v1.13之前的版本,安装起来非常麻烦,但是在1.13版本中终于解决了国内的痛点,其增加了一个–image-repository参数,默认值是k8s.gcr.io,我们将其指定为国内镜像地址:registry.aliyuncs.com/google_containers,其它的就可以完全按照官方文档来愉快的玩耍了。

日志输出如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
[init] Using Kubernetes version: v1.13.2
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.3. Latest validated version: 18.06
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR Swap]: running with swap on is not supported. Please disable swap
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
[root@localhost ~]# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.50.231 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.13.3
[init] Using Kubernetes version: v1.13.3
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.3. Latest validated version: 18.06
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR Swap]: running with swap on is not supported. Please disable swap
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
[root@localhost ~]# swapoff -a
[root@localhost ~]# kubeadm init --pod-network-cidr=10.244.0.0/16 --apiserver-advertise-address=192.168.50.231 --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.13.3
[init] Using Kubernetes version: v1.13.3
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.3. Latest validated version: 18.06
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [localhost.localdomain kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.50.231]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [localhost.localdomain localhost] and IPs [192.168.50.231 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [localhost.localdomain localhost] and IPs [192.168.50.231 127.0.0.1 ::1]
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 19.003499 seconds
[uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.13" in namespace kube-system with the configuration for the kubelets in the cluster
[patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "localhost.localdomain" as an annotation
[mark-control-plane] Marking the node localhost.localdomain as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node localhost.localdomain as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: iawrnt.h638e985j2cfqj2j
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join 192.168.50.231:6443 --token iawrnt.h638e985j2cfqj2j --discovery-token-ca-cert-hash sha256:a7f92abb72e4028c214cf5290bb623049235307b39f74af186d11b3f06897e88

从下方日志看到,如果要运行集群必须执行下面的命令,拷出来执行一下

1
2
3
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

执行完部署并没有结束,你可以看到日志上写到:你应该部署一个在集群中部署一个网络容器,使用kubectl apply -f xxx.yaml,可以从网络插件列表多个中选择一个,下面我还是用flannel进行演示

访问flannel的github,从README.md中看到For Kubernetes v1.7+

1
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

至此master节点部署结束,使用如下命令查看集群节点信息

1
2
3
4
kubectl get nodes

NAME                    STATUS   ROLES    AGE   VERSION
localhost.localdomain   Ready    master   38m   v1.13.4

使用如下命令,查看pod

1
2
3
4
5
6
7
8
9
10
11
kubectl get pods --all-namespaces

NAMESPACE     NAME                                            READY   STATUS    RESTARTS   AGE
kube-system   coredns-78d4cf999f-s74hn                        1/1     Running   0          37m
kube-system   coredns-78d4cf999f-whfsj                        1/1     Running   0          37m
kube-system   etcd-localhost.localdomain                      1/1     Running   1          36m
kube-system   kube-apiserver-localhost.localdomain            1/1     Running   1          37m
kube-system   kube-controller-manager-localhost.localdomain   1/1     Running   2          37m
kube-system   kube-flannel-ds-amd64-mw6nl                     1/1     Running   0          36m
kube-system   kube-proxy-qsx4g                                1/1     Running   1          37m
kube-system   kube-scheduler-localhost.localdomain            1/1     Running   2          36m

提示:如果使用上面的命令发现节点的STATUS是NotReady,pod列表中kube-flannel-ds-amd64-mw6nl这些pod的STATUS还不是Running,可能需要等待一下,因为我在安装的时候就发现flannel所需的几个镜像拉到本地的过程有点慢

如果集群安装过程中还出现什么问题可以google,百度等,也可以加WX一起探讨下 Z3pyMTE5MTQ2NTA5Nw== (BASE64)…也可以使用如下命令重置

1
2
3
4
5
kubeadm reset

rm -rf /var/lib/cni/

rm -f $HOME/.kube/config

6.部署Worker节点

在准备好的第二台Centos7主机上部署Worker节点
执行上面的1 2 3 4 步骤

完成之后还记得上面日志中最后输出的kubectl join命令吗,执行上面输出的命令,让Worker加入Cluster

1
kubeadm join 192.168.50.231:6443 --token iawrnt.h638e985j2cfqj2j --discovery-token-ca-cert-hash sha256:a7f92abb72e4028c214cf5290bb623049235307b39f74af186d11b3f06897e88

执行之后输出如下日志

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[preflight] Running pre-flight checks
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.09.3. Latest validated version: 18.06
[discovery] Trying to connect to API Server "192.168.50.231:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://192.168.50.231:6443"
[discovery] Requesting info from "https://192.168.50.231:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "192.168.50.231:6443"
[discovery] Successfully established connection with API Server "192.168.50.231:6443"
[join] Reading configuration from the cluster...
[join] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.13" ConfigMap in the kube-system namespace
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Activating the kubelet service
[tlsbootstrap] Waiting for the kubelet to perform the TLS Bootstrap...
[patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "localhost.localdomain" as an annotation

This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the master to see this node join the cluster.

在主节点上执行如下命令可以看到worker的加入

1
2
3
4
[root@localhost ~]# kubectl get nodes
NAME                    STATUS   ROLES    AGE   VERSION
localhost.localdomain   Ready    master   24h   v1.13.4
node235                 Ready    <none>   14h   v1.13.4

提示:token是有有效期的,默认24小时,如果超过这个明明就不能执行成功,必须在master上重新生成token

7.查看token和重新生成token

node节点join格式为

1
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash>
1
2
3
4
5
6
7
8
9
10
11
12
#执行如下命令可以查看到token的列表
kubeadm token list
#在主节点上执行如下命令重新生成token
kubeadm token create



#如果没有--discovery-token-ca-cert-hash了,执行下面的命令生成
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

#输出
caa063badcb4ffd5f7e1ce5e8a8f2dba3f65bcf8c4e7ccf70fa9da99f0946e39

8.安装部署dashboard

部署dashboard,因为这又是一个google镜像仓库的镜像,没办法,只能从阿里云镜像仓库先拉下来再改一下tag,曲线救国

1
2
docker pull registry.cn-hangzhou.aliyuncs.com/kuberneters/kubernetes-dashboard-amd64:v1.10.1
docker tag f9aed6605b81 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

接下来执行如下命令部署dashboard的pod

1
kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml

可使用如下命令查看部署好的pod -n是制定namespace

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@localhost ~]# kubectl get pods -n kube-system
NAME                                            READY   STATUS    RESTARTS   AGE
coredns-78d4cf999f-m6nlv                        1/1     Running   1          24h
coredns-78d4cf999f-zzvss                        1/1     Running   1          24h
etcd-localhost.localdomain                      1/1     Running   1          14h
kube-apiserver-localhost.localdomain            1/1     Running   1          14h
kube-controller-manager-localhost.localdomain   1/1     Running   1          14h
kube-flannel-ds-amd64-dr7br                     1/1     Running   0          14h
kube-flannel-ds-amd64-fcb8j                     1/1     Running   2          24h
kube-proxy-kfnfd                                1/1     Running   1          24h
kube-proxy-xc9r6                                1/1     Running   0          14h
kube-scheduler-localhost.localdomain            1/1     Running   1          14h
kubernetes-dashboard-57df4db6b-d7npf            1/1     Running   0          10h

需要注意的是,dashboard是一个web server,很多人无意中在公有云暴露了dashboard的端口,造成安全隐患,所以在1.7以后的dashboard默认只能通过proxy在本地访问,集群外部访问需要用到ingress