在ubuntu上通过kubeadm部署K8S(v1.13.4)高可用集群
所有节点全程采用root用户操作。centos用yum安装,ubuntu用apt-get安装。
- 环境准备:
- CPU需2核以上
虚拟机或服务器的master节点CPU需2核以上,可通过下述命令查看:
cat /proc/cpuinfo 查看cpu cores的个数
- 时间同步
apt-get install -y ntpdate
ntpdate -u ntp.api.bz
- 系统配置修改
禁用swap
swapoff -a
同时把/etc/fstab包含swap那行记录删掉。
关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
禁用Selinux
apt install selinux-utils
setenforce 0
- 节点规划
主机名 IP&Role
10.30.28.181 ubuntu1804-k8-m1 etcd、Master、keepalived
10.30.28.182 ubuntu1804-k8-m2 etcd、Master、keepalived
10.30.28.183 ubuntu1804-k8-m3 etcd、Master、keepalived
10.30.28.184 ubuntu1804-k8-s1 Node
10.30.28.185 ubuntu1804-k8-s2 Node
10.30.28.250 cluster.kube.com VIP
所有节点主机名和IP加入/etc/hosts解析
vim /etc/hosts 加入以下内容:
10.30.28.181 ubuntu1804-k8-m1
10.30.28.182 ubuntu1804-k8-m2
10.30.28.183 ubuntu1804-k8-m3
10.30.28.184 ubuntu1804-k8-s1
10.30.28.185 ubuntu1804-k8-s2
10.30.28.250 cluster.kube.com
- 所有机器安装DOCKER
apt install docker.io
systemctl enable docker.service
- 设置国内下载源
修改apt的源,采用vim /etc/apt/sources.list命令修改替换:
deb http://mirrors.aliyun.com/ubuntu bionic main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu bionic-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu bionic-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu bionic-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu bionic-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu bionic main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu bionic-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu bionic-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu bionic-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu bionic-backports main restricted universe multiverse
修改kubernetes的源:
curl -fsSL https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://mirrors.aliyun.com/kubernetes/apt/ kubernetes-xenial main
EOF
apt-get update
- 准备镜像安装 kubeadm、kubect、kubeet
apt-get install -y kubelet=1.13.4-00 kubeadm=1.13.4-00 kubectl=1.13.4-00
- 清单:
K8s master 端:
docker pull mirrorgooglecontainers/kube-apiserver:v1.13.4
docker pull mirrorgooglecontainers/kube-controller-manager:v1.13.4
docker pull mirrorgooglecontainers/kube-scheduler:v1.13.4
docker pull mirrorgooglecontainers/kube-proxy:v1.13.4
docker pull mirrorgooglecontainers/pause:3.1
docker pull mirrorgooglecontainers/etcd:3.2.24
docker pull coredns/coredns:1.2.6
docker tag mirrorgooglecontainers/kube-proxy:v1.13.4 k8s.gcr.io/kube-proxy:v1.13.4
docker tag mirrorgooglecontainers/kube-scheduler:v1.13.4 k8s.gcr.io/kube-scheduler:v1.13.4
docker tag mirrorgooglecontainers/kube-apiserver:v1.13.4 k8s.gcr.io/kube-apiserver:v1.13.4
docker tag mirrorgooglecontainers/kube-controller-manager:v1.13.4 k8s.gcr.io/kube-controller-manager:v1.13.4
docker tag mirrorgooglecontainers/etcd:3.2.24 k8s.gcr.io/etcd:3.2.24
docker tag coredns/coredns:1.2.6 k8s.gcr.io/coredns:1.2.6
docker tag mirrorgooglecontainers/pause:3.1 k8s.gcr.io/pause:3.1
docker rmi mirrorgooglecontainers/kube-apiserver:v1.13.4
docker rmi mirrorgooglecontainers/kube-controller-manager:v1.13.4
docker rmi mirrorgooglecontainers/kube-scheduler:v1.13.4
docker rmi mirrorgooglecontainers/kube-proxy:v1.13.4
docker rmi mirrorgooglecontainers/pause:3.1
docker rmi mirrorgooglecontainers/etcd:3.2.24
docker rmi coredns/coredns:1.2.6
K8s node端:
Node端需要下载的镜像
docker pull mirrorgooglecontainers/kube-proxy:v1.13.4
docker pull mirrorgooglecontainers/pause:3.1
docker pull coredns/coredns:1.2.6
docker tag mirrorgooglecontainers/kube-proxy:v1.13.4 k8s.gcr.io/kube-proxy:v1.13.4
docker tag coredns/coredns:1.2.6 k8s.gcr.io/coredns:1.2.6
docker tag mirrorgooglecontainers/pause:3.1 k8s.gcr.io/pause:3.1
docker rmi mirrorgooglecontainers/kube-proxy:v1.13.4
docker rmi mirrorgooglecontainers/pause:3.1
docker rmi coredns/coredns:1.2.6
- 安装K8S集群
- 安装haproxy和keepaived
在三台master上安装keepalived,三台配置略有差异,根据备注自己修改
apt-get install -y keepalived
[[email protected]] ~$ vim /etc/keepalived/keepalived.conf
vrrp_instance VI_1 {
state MASTER #备服务器上改为BACKUP
interface ens160 #改为自己的接口
virtual_router_id 51
priority 100 #备服务器上改为小于100的数字,90,80
advert_int 1
authentication {
auth_type PASS
auth_pass 1111
}
virtual_ipaddress {
10.30.28.250 #虚拟ip,自己设定
}
}
#启动
systemctl enable keepalived && systemctl start keepalived
#查看虚拟ip是不是在master1上,关闭master1的keepalived服务,测试下vip是否漂移到其他机器
ip a
- 安装haproxy
三台master上配置一样
apt-get install -y haproxy
vim /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
defaults
mode tcp
log global
retries 3
timeout connect 10s
timeout client 1m
timeout server 1m
frontend kubernetes
bind *:8443
mode tcp
default_backend kubernetes-master
backend kubernetes-master
balance roundrobin
server master1 10.30.28.181:6443 check maxconn 2000
server master2 10.30.28.182:6443 check maxconn 2000
server master3 10.30.28.183:6443 check maxconn 2000
#启动
systemctl enable haproxy && systemctl start haproxy
- 初始化master1
vim kubeadm-config.yaml创建集群配置文件:
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: v1.13.4
apiServer:
certSANs:
- "10.30.28.181"
- "10.30.28.182"
- "10.30.28.183"
- "10.30.28.250"
controlPlaneEndpoint: "10.30.28.250:8443"
networking:
podSubnet: "10.244.0.0/16"
注意controlPlaneEndpoint前面的空格要删除,否则会出现解析JSON错误。
然后执行命令:sudo kubeadm init --config=kubeadm-config.yaml
一切正常后执行如下命令:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
若在执行kubectl 命令出现错误,可试着试入以下命令:
export KUBECONFIG=/etc/kubernetes/admin.conf
- 安装flannel网络:
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yaml
上面这一步需要耐心等待,因为要下载镜像,有点慢,需要通过运行kubectl get nodes确保节点是ready状态。通过下面的命令确保所有pod都是running。
kubectl get pod -n kube-system -w
- 把证书文件从MASTER1拷贝到MASTER2和MASTER3
MASTER1上执行:
USER=user1 # customizable
CONTROL_PLANE_IPS="10.30.28.182 10.30.28.183"
for host in ${CONTROL_PLANE_IPS}; do
scp /etc/kubernetes/pki/ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.key "${USER}"@$host:
scp /etc/kubernetes/pki/sa.pub "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.crt "${USER}"@$host:
scp /etc/kubernetes/pki/front-proxy-ca.key "${USER}"@$host:
scp /etc/kubernetes/pki/etcd/ca.crt "${USER}"@$host:etcd-ca.crt
scp /etc/kubernetes/pki/etcd/ca.key "${USER}"@$host:etcd-ca.key
scp /etc/kubernetes/admin.conf "${USER}"@$host:
done
Master2 和MASTER3上执行:
USER=user1 # customizable
mkdir -p /etc/kubernetes/pki/etcd
mv /home/${USER}/ca.crt /etc/kubernetes/pki/
mv /home/${USER}/ca.key /etc/kubernetes/pki/
mv /home/${USER}/sa.pub /etc/kubernetes/pki/
mv /home/${USER}/sa.key /etc/kubernetes/pki/
mv /home/${USER}/front-proxy-ca.crt /etc/kubernetes/pki/
mv /home/${USER}/front-proxy-ca.key /etc/kubernetes/pki/
mv /home/${USER}/etcd-ca.crt /etc/kubernetes/pki/etcd/ca.crt
mv /home/${USER}/etcd-ca.key /etc/kubernetes/pki/etcd/ca.key
mv /home/${USER}/admin.conf /etc/kubernetes/admin.conf
- 在MASTER2和MASTER3节点上加入前面创建的高可用集群
kubeadm join 10.30.28.250:8443 --token maur7r.vw6zi46pkketqto7 --discovery-token-ca-cert-hash sha256:154ff71167ad3aa55740ec1f42696f8dbd3ab7247e910e7f8b95e05ece04293f --experimental-control-plane
注意:由于是以MASTER角色加入集群,需要加上--experimental-control-plane标记。另若有http_proxy 外网代理(如设置vim /etc/profile),需要先去除。
- 其它node节点加入集群
kubeadm join 10.30.28.250:8443 --token maur7r.vw6zi46pkketqto7 --discovery-token-ca-cert-hash sha256:154ff71167ad3aa55740ec1f42696f8dbd3ab7247e910e7f8b95e05ece04293f
- 有些虚机节点若不能上外网,可以采用拷贝另一可上外网虚机上的镜像
你需将doctor镜像保存为tar文件:docker save -o <save image to path> <image name>
然后使用常规文件传输工具(如cp或如scp flannel [email protected]:/home/supcon)将镜像复制到新系统。之后,你可以将镜像加载到docker中:
docker load -i <path to image tar file>
- 最终效果
kubectl get nodes都是ready;所有pod都是running(kubectl get pod --all-namespaces)。
- 安装dashboard
1)在worker node中安装以下镜像
docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
docker tag mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1
docker rmi mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1
2)执行如下命令进行部署
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
3)稍等一会,pod创建好后,查看服务状态
4)授予Dashboard账户集群管理权限
用VIM创建admin-user.yaml文件,
内容如下:
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: kube-system
---
# Create ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin-user
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kube-system
然后执行如下命令:kubectl apply -f admin-user.yaml
5)找到admin-user的token,记下这串token,等下登录的时候会使用,这个token默认是永久的。
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')
6)Service 目前是 ClusterIP 类型,为了可以从集群外部访问,可以将服务修改成 NodePort 类型。
#也可以用一条命令来执行: kubectl patch svc kubernetes-dashboard -p '{"spec":{"type":"NodePort"}}' -n kube-system
7)输入https://10.30.28.181:32717后即可看到登录界面,采用token登录,输入第5步中出现的token即可进入如下界面。
- 验证集群
可以执行kubectl run nginx --replicas=2 --labels="run=load-balancer-example" --image=nginx --port=80
后查看是否成功创建两个nginx的POD
- 出现的问题
- 执行docker pull时曾出现类似以下的错误
Error response from daemon: Get https://registry-1.docker.io/v2/: remote error: tls: handshake failure
可能是由于网络代理后tls有问题,通过将docker的源设置成http的源,而不是https的来绕过该问题:
可以采用将/etc/docker/daemon.json设置http的镜像源,还不是https。
{
"registry-mirrors": [
"http://hub-mirror.c.163.com"
],
"dns": ["8.8.8.8","8.8.4.4"]
}
另,单独给docker设置代理:
Create a systemd drop-in directory for the docker service:
$ sudo mkdir -p /etc/systemd/system/docker.service.d
Create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:
[Service]Environment="HTTP_PROXY=http://proxy.example.com:80/"
Or, if you are behind an HTTPS proxy server, create a file called/etc/systemd/system/docker.service.d/https-proxy.conf that adds the HTTPS_PROXY environment variable:
[Service]Environment="HTTPS_PROXY=https://proxy.example.com:443/"
- MASTER1上每次通过xshell进入都要重新设置KUBECONFIG的问题
曾出现MASTER1上每次通过xshell进入都要重新设置KUBECONFIG的问题,原因是/root/.kube下的config配置是错的,可以把该config文件删除,然后重新执行以下命令即可:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
- keepalived服务失效,IP漂移后无法ping通,出现如下错误:
Keepalived_vrrp[1216]: Unable to load ipset library - libipset.so.3: cannot open shared object file:
可以通过以下命令解决:apt-get install ipset
- vip无法ping通
keepalived.conf中vip配置好后,通过ip addr可以看到vip已经顺利挂载,但是无法ping通,并且防火墙都已关闭,原因是/etc/keepalived/keepalived.conf配置中默认vrrp_strict打开了,需要把它注释掉。重启keepalived即可ping通。 - 安装flannel网络组件时出现过Unable to connect to the server: x509: certificate signed by unknown authority的错误,如下:
解决方法:先用curl https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yaml手工把kube-flannel.yaml下载来来,然后执行kubectl apply -f kube-flannel.yaml即可。(有时候会出现下载不下来的情况,返回404: Not Found)