1. Environment planning
2. Install Docker
3. Self-signed TLS certificates
4. Deploy the etcd cluster
5. Deploy the Flannel network
6. Create the Node kubeconfig files
7. Get the K8S binary package
8. Run the Master components
9. Run the Node components
10. Check cluster status
11. Start a test example
12. Deploy the Web UI (Dashboard)
**1. Environment planning**

| Role   | IP              | Components                                                    |
|--------|-----------------|---------------------------------------------------------------|
| master | 192.168.200.101 | kube-apiserver, kube-controller-manager, kube-scheduler, etcd |
| node01 | 192.168.200.102 | kubelet, kube-proxy, docker, flannel, etcd                    |
| node02 | 192.168.200.103 | kubelet, kube-proxy, docker, flannel, etcd                    |
**2. Install Docker**

Run on master/node01/node02:

```sh
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce
cat <<EOF > /etc/docker/daemon.json
{ "registry-mirrors": [ "https://registry.docker-cn.com"],"insecure-registries":["192.168.200.101:5000"] }
EOF
systemctl start docker
systemctl enable docker
```

The insecure-registries entry lets the daemon pull from 192.168.200.101:5000 without TLS verification, so keep that list limited to a registry on the trusted LAN.
**3. Self-signed TLS certificates**

| Component               | Certificates used                            |
|-------------------------|----------------------------------------------|
| etcd                    | ca.pem, server.pem, server-key.pem           |
| flannel                 | ca.pem, server.pem, server-key.pem           |
| kube-apiserver          | ca.pem, server.pem, server-key.pem           |
| kubelet                 | ca.pem, ca-key.pem                           |
| kube-proxy              | ca.pem, kube-proxy.pem, kube-proxy-key.pem   |
| kubectl                 | ca.pem, admin.pem, admin-key.pem             |
Run on master:

Install the certificate generation tool cfssl:

```sh
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
```

Generate the certificates

Generate them with the following script (cat certificate.sh):

```sh
#!/bin/bash
# CA configuration: one signing profile "kubernetes", valid for 10 years,
# usable for both server and client authentication
cat > ca-config.json <<EOF
{
  "signing": {
    "default": {
      "expiry": "87600h"
    },
    "profiles": {
      "kubernetes": {
        "expiry": "87600h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ]
      }
    }
  }
}
EOF

cat > ca-csr.json <<EOF
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "Beijing",
      "ST": "Beijing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

#-----------------------
# Server certificate shared by etcd and kube-apiserver; the hosts list must
# contain every IP/name the services are reached on (10.10.10.1 is the
# cluster IP of the kubernetes service)
cat > server-csr.json <<EOF
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "192.168.200.101",
    "192.168.200.102",
    "192.168.200.103",
    "10.10.10.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server

#-----------------------
# Client certificate for kubectl; O=system:masters is bound to cluster-admin by RBAC
cat > admin-csr.json <<EOF
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes admin-csr.json | cfssljson -bare admin

#-----------------------
# Client certificate for kube-proxy; CN=system:kube-proxy matches the default RBAC user
cat > kube-proxy-csr.json <<EOF
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
EOF

cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
```

Run the script:

```sh
sh certificate.sh
```

A successful run produces a set of certificates; create an ssl directory to hold them:

```sh
mkdir -p /root/ssl
```

Move all of the certificates to /root/ssl.
**4. Deploy the etcd cluster**

Run on master:

Create the kubernetes directories:

```sh
mkdir -p /opt/kubernetes/{bin,cfg,ssl}
```

Upload the etcd release etcd-v3.2.12-linux-amd64.tar.gz and unpack it:

```sh
tar xf etcd-v3.2.12-linux-amd64.tar.gz
cd etcd-v3.2.12-linux-amd64
```

Move the etcd binaries into the kubernetes bin directory:

```sh
cp etcd etcdctl /opt/kubernetes/bin/
```

Move the certificates etcd needs into the kubernetes ssl directory:

```sh
cp /root/ssl/ca*pem /root/ssl/server*pem /opt/kubernetes/ssl/
```

Generate the configuration and start etcd with the following script (cat etcd.sh):

```sh
#!/bin/bash
# Arguments: member name, member IP, initial cluster list
ETCD_NAME=${1:-"etcd01"}
ETCD_IP=${2:-"127.0.0.1"}
ETCD_CLUSTER=${3:-"etcd01=http://127.0.0.1:2379"}

cat <<EOF >/opt/kubernetes/cfg/etcd
#[Member]
ETCD_NAME="${ETCD_NAME}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ETCD_IP}:2379"

#[Clustering]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ETCD_IP}:2380"
ETCD_ADVERTISE_CLIENT_URLS="https://${ETCD_IP}:2379"
ETCD_INITIAL_CLUSTER="${ETCD_CLUSTER}"
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
ETCD_INITIAL_CLUSTER_STATE="new"
EOF

# Peer and client traffic are both TLS with the shared server certificate;
# only the loopback client listener stays plain http
cat <<EOF >/usr/lib/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=-/opt/kubernetes/cfg/etcd
ExecStart=/opt/kubernetes/bin/etcd \\
--name=\${ETCD_NAME} \\
--data-dir=\${ETCD_DATA_DIR} \\
--listen-peer-urls=\${ETCD_LISTEN_PEER_URLS} \\
--listen-client-urls=\${ETCD_LISTEN_CLIENT_URLS},http://127.0.0.1:2379 \\
--advertise-client-urls=\${ETCD_ADVERTISE_CLIENT_URLS} \\
--initial-advertise-peer-urls=\${ETCD_INITIAL_ADVERTISE_PEER_URLS} \\
--initial-cluster=\${ETCD_INITIAL_CLUSTER} \\
--initial-cluster-token=\${ETCD_INITIAL_CLUSTER_TOKEN} \\
--initial-cluster-state=new \\
--cert-file=/opt/kubernetes/ssl/server.pem \\
--key-file=/opt/kubernetes/ssl/server-key.pem \\
--peer-cert-file=/opt/kubernetes/ssl/server.pem \\
--peer-key-file=/opt/kubernetes/ssl/server-key.pem \\
--trusted-ca-file=/opt/kubernetes/ssl/ca.pem \\
--peer-trusted-ca-file=/opt/kubernetes/ssl/ca.pem
Restart=on-failure
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
```
Start etcd on master with the script:

```sh
./etcd.sh etcd01 192.168.200.101 etcd01=https://192.168.200.101:2380,etcd02=https://192.168.200.102:2380,etcd03=https://192.168.200.103:2380
```

(Optional) To simplify deployment, set up passwordless SSH from master to the nodes. Generate a key pair with ssh-keygen (press Enter through the prompts), then copy the public key to each node:

```sh
ssh-keygen
ssh-copy-id [email protected]
ssh-copy-id [email protected]
```

Send the master files to the nodes:

```sh
scp -r /opt/kubernetes/ [email protected]:/opt
scp -r /opt/kubernetes/ [email protected]:/opt
scp etcd.sh [email protected]:~
scp etcd.sh [email protected]:~
```

Start etcd on node01:

```sh
./etcd.sh etcd02 192.168.200.102 etcd01=https://192.168.200.101:2380,etcd02=https://192.168.200.102:2380,etcd03=https://192.168.200.103:2380
```

Start etcd on node02:

```sh
./etcd.sh etcd03 192.168.200.103 etcd01=https://192.168.200.101:2380,etcd02=https://192.168.200.102:2380,etcd03=https://192.168.200.103:2380
```

Change into /root/ssl and run the following command on master to check the cluster status:

```sh
/opt/kubernetes/bin/etcdctl \
  --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
  --endpoints="https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379" \
  cluster-health
```
**5. Deploy the Flannel network**

Overlay Network: a virtual network layered on top of the underlying physical network, in which hosts are connected by virtual links.

VXLAN: encapsulates the original packet in UDP, using the IP/MAC addresses of the underlying network as the outer headers, and transmits it over Ethernet; at the destination the tunnel endpoint decapsulates it and delivers the data to the target address.

Flannel: one kind of overlay network. It also encapsulates the original packet inside another network packet for routing and communication, and currently supports UDP, VXLAN, AWS VPC and GCE routing as forwarding backends.

Other mainstream options for multi-host container networking: tunnel-based solutions (Weave, OpenvSwitch) and routing-based solutions (Calico).
Run on master and the nodes (deploying flannel on master is needed in some special scenarios):

1) Write the allocated subnet range into etcd for flanneld to use (run on master only, from /root/ssl):

```sh
/opt/kubernetes/bin/etcdctl \
  --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem \
  --endpoints="https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379" \
  set /coreos.com/network/config '{ "Network": "172.17.0.0/16", "Backend": {"Type": "vxlan"}}'
```

2) Download the binary package

```sh
wget https://github.com/coreos/flannel/releases/download/v0.9.1/flannel-v0.9.1-linux-amd64.tar.gz
tar xf flannel-v0.9.1-linux-amd64.tar.gz
mv flanneld mk-docker-opts.sh /opt/kubernetes/bin/
```

3) Configure Flannel and its systemd units

Configure with the following script (cat flanneld.sh):

```sh
#!/bin/bash
ETCD_ENDPOINTS=${1:-"http://127.0.0.1:2379"}

# flanneld authenticates to etcd with the same server certificate etcd uses
cat <<EOF >/opt/kubernetes/cfg/flanneld
FLANNEL_OPTIONS="--etcd-endpoints=${ETCD_ENDPOINTS} \
-etcd-cafile=/opt/kubernetes/ssl/ca.pem \
-etcd-certfile=/opt/kubernetes/ssl/server.pem \
-etcd-keyfile=/opt/kubernetes/ssl/server-key.pem"
EOF

cat <<EOF >/usr/lib/systemd/system/flanneld.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network-online.target network.target
Before=docker.service

[Service]
Type=notify
EnvironmentFile=/opt/kubernetes/cfg/flanneld
ExecStart=/opt/kubernetes/bin/flanneld --ip-masq \$FLANNEL_OPTIONS
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -k DOCKER_NETWORK_OPTIONS -d /run/flannel/subnet.env
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# dockerd reads the subnet flannel assigned to this host from /run/flannel/subnet.env
cat <<EOF >/usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target

[Service]
Type=notify
EnvironmentFile=/run/flannel/subnet.env
ExecStart=/usr/bin/dockerd \$DOCKER_NETWORK_OPTIONS
ExecReload=/bin/kill -s HUP \$MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable flanneld
systemctl restart flanneld
systemctl restart docker
```

4) Start flannel

```sh
./flanneld.sh https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379
```
5) Verify the network

List the existing subnets; the Docker subnets assigned to the hosts are shown:

```sh
[root@k8s-master ssl]# /opt/kubernetes/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379" ls /coreos.com/network/subnets
/coreos.com/network/subnets/172.17.78.0-24
/coreos.com/network/subnets/172.17.84.0-24
/coreos.com/network/subnets/172.17.49.0-24
```

Show the details of one subnet:

```sh
[root@k8s-master ssl]# /opt/kubernetes/bin/etcdctl --ca-file=ca.pem --cert-file=server.pem --key-file=server-key.pem --endpoints="https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379" get /coreos.com/network/subnets/172.17.78.0-24
{"PublicIP":"192.168.200.101","BackendType":"vxlan","BackendData":{"VtepMAC":"62:5f:9d:cd:51:aa"}}
```

If nodes inside the cluster cannot reach each other, add a firewall rule:

```sh
iptables -I INPUT -s 192.168.200.0/24 -j ACCEPT
```
**6. Create the Node kubeconfig files**

On master, in the /root/ssl directory, use the following script (cat kubeconfig.sh):

```sh
#!/bin/bash
# Create the TLS bootstrapping token
export BOOTSTRAP_TOKEN=$(head -c 16 /dev/urandom | od -An -t x | tr -d ' ')
cat > token.csv <<EOF
${BOOTSTRAP_TOKEN},kubelet-bootstrap,10001,"system:kubelet-bootstrap"
EOF

#----------------------
# Create the kubelet bootstrapping kubeconfig
export KUBE_APISERVER="https://192.168.200.101:6443"

# Set the cluster parameters
kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=bootstrap.kubeconfig

# Set the client credentials
kubectl config set-credentials kubelet-bootstrap \
  --token=${BOOTSTRAP_TOKEN} \
  --kubeconfig=bootstrap.kubeconfig

# Set the context
kubectl config set-context default \
  --cluster=kubernetes \
  --user=kubelet-bootstrap \
  --kubeconfig=bootstrap.kubeconfig

# Set the default context
kubectl config use-context default --kubeconfig=bootstrap.kubeconfig

#----------------------
# Create the kube-proxy kubeconfig
kubectl config set-cluster kubernetes \
  --certificate-authority=./ca.pem \
  --embed-certs=true \
  --server=${KUBE_APISERVER} \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-credentials kube-proxy \
  --client-certificate=./kube-proxy.pem \
  --client-key=./kube-proxy-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config set-context default \
  --cluster=kubernetes \
  --user=kube-proxy \
  --kubeconfig=kube-proxy.kubeconfig

kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
```

Note: the kubectl command must be available when running this script (upload the kubectl binary to /usr/bin).

```sh
./kubeconfig.sh
```

It generates the following files:

token.csv
bootstrap.kubeconfig
kube-proxy.kubeconfig

Copy the configuration files to the nodes:

```sh
scp *kubeconfig [email protected]:/opt/kubernetes/cfg/
scp *kubeconfig [email protected]:/opt/kubernetes/cfg/
```
**7. Get the K8S binary package and run the Master components**

https://github.com/kubernetes/kubernetes/

Move the binaries into the working bin directory:

```sh
mv kubectl kube-apiserver kube-controller-manager kube-scheduler /opt/kubernetes/bin/
```

Move the token authentication file into the configuration directory:

```sh
mv token.csv /opt/kubernetes/cfg/
```

Use the following scripts apiserver.sh, scheduler.sh and controller-manager.sh:

cat apiserver.sh

```sh
#!/bin/bash
# Arguments: master address, etcd endpoints
MASTER_ADDRESS=${1:-"192.168.200.101"}
ETCD_SERVERS=${2:-"http://192.168.200.101:2379"}

# The insecure (unauthenticated) port is bound to 127.0.0.1 only; everything
# else goes through 6443 with TLS, RBAC and the Node authorizer
cat <<EOF >/opt/kubernetes/cfg/kube-apiserver
KUBE_APISERVER_OPTS="--logtostderr=true \\
--v=4 \\
--etcd-servers=${ETCD_SERVERS} \\
--insecure-bind-address=127.0.0.1 \\
--bind-address=${MASTER_ADDRESS} \\
--insecure-port=8080 \\
--secure-port=6443 \\
--advertise-address=${MASTER_ADDRESS} \\
--allow-privileged=true \\
--service-cluster-ip-range=10.10.10.0/24 \\
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota,NodeRestriction \\
--authorization-mode=RBAC,Node \\
--kubelet-https=true \\
--enable-bootstrap-token-auth \\
--token-auth-file=/opt/kubernetes/cfg/token.csv \\
--service-node-port-range=30000-50000 \\
--tls-cert-file=/opt/kubernetes/ssl/server.pem \\
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
--client-ca-file=/opt/kubernetes/ssl/ca.pem \\
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--etcd-cafile=/opt/kubernetes/ssl/ca.pem \\
--etcd-certfile=/opt/kubernetes/ssl/server.pem \\
--etcd-keyfile=/opt/kubernetes/ssl/server-key.pem"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-apiserver
ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl restart kube-apiserver
```
cat controller-manager.sh

```sh
#!/bin/bash
MASTER_ADDRESS=${1:-"127.0.0.1"}

# Talks to the apiserver over the local insecure port; the CA key is used to
# sign kubelet CSRs and service-account tokens
cat <<EOF >/opt/kubernetes/cfg/kube-controller-manager
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect=true \\
--address=127.0.0.1 \\
--service-cluster-ip-range=10.10.10.0/24 \\
--cluster-name=kubernetes \\
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
--root-ca-file=/opt/kubernetes/ssl/ca.pem"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-controller-manager
ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-controller-manager
systemctl restart kube-controller-manager
```

cat scheduler.sh

```sh
#!/bin/bash
MASTER_ADDRESS=${1:-"127.0.0.1"}

cat <<EOF >/opt/kubernetes/cfg/kube-scheduler
KUBE_SCHEDULER_OPTS="--logtostderr=true \\
--v=4 \\
--master=${MASTER_ADDRESS}:8080 \\
--leader-elect"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/kubernetes/kubernetes

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-scheduler
ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-scheduler
systemctl restart kube-scheduler
```
Start the components:

```sh
./apiserver.sh 192.168.200.101 https://192.168.200.101:2379,https://192.168.200.102:2379,https://192.168.200.103:2379
./scheduler.sh
./controller-manager.sh
```

The scheduler and controller manager reach the apiserver through the insecure port 8080, which performs no authentication; it is bound to 127.0.0.1 here, so any local process on master that can reach it has full API access.

Check the component status:

```sh
kubectl get cs
```
**8. Run the Node components**

```sh
mv kubelet kube-proxy /opt/kubernetes/bin/
chmod +x /opt/kubernetes/bin/*
```

On the nodes, start the kubelet with the following script (cat kubelet.sh):

```sh
#!/bin/bash
# Arguments: node address, cluster DNS server IP
NODE_ADDRESS=${1:-"192.168.1.196"}
DNS_SERVER_IP=${2:-"10.10.10.2"}

# The kubelet authenticates first with the bootstrap token, then requests its
# own client certificate (TLS bootstrapping) and stores it under --cert-dir
cat <<EOF >/opt/kubernetes/cfg/kubelet
KUBELET_OPTS="--logtostderr=true \\
--v=4 \\
--address=${NODE_ADDRESS} \\
--hostname-override=${NODE_ADDRESS} \\
--kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
--experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
--cert-dir=/opt/kubernetes/ssl \\
--allow-privileged=true \\
--cluster-dns=${DNS_SERVER_IP} \\
--cluster-domain=cluster.local \\
--fail-swap-on=false \\
--pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0"
EOF

cat <<EOF >/usr/lib/systemd/system/kubelet.service
[Unit]
Description=Kubernetes Kubelet
After=docker.service
Requires=docker.service

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
Restart=on-failure
KillMode=process

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kubelet
systemctl restart kubelet
```

Start on node01:

```sh
./kubelet.sh 192.168.200.102
```

Start on node02:

```sh
./kubelet.sh 192.168.200.103
```

If startup fails with:

```
kubelet: error: failed to run Kubelet: cannot create certificate signing request: certificatesigningrequests.certificates.k8s.io is forbidden: User "kubelet-bootstrap" cannot create certificatesigningrequests.certificates.k8s.io at the cluster scope
```

the reason is that the kubelet-bootstrap user has no permission to create certificate signing requests, so that user has to be bound to the role that grants it.

On master, create the binding for the kubelet-bootstrap user:

```sh
kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap
```
On master, check the certificate request status; the requests are shown as pending signature:

```sh
kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-QmkBSqwpZJnC5CJyowdOwYi_SvD2Q5h_e9l-axZRf3s   27s       kubelet-bootstrap   Pending
node-csr-piPDu1XYXFMdWSKyucooft7bc-L5dfvgCiKjigjXgKI   5m        kubelet-bootstrap   Pending
```

Approve (sign) them on master:

```sh
kubectl certificate approve node-csr-QmkBSqwpZJnC5CJyowdOwYi_SvD2Q5h_e9l-axZRf3s
kubectl certificate approve node-csr-piPDu1XYXFMdWSKyucooft7bc-L5dfvgCiKjigjXgKI
```

Check again; the requests are now shown as issued:

```sh
kubectl get csr
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-QmkBSqwpZJnC5CJyowdOwYi_SvD2Q5h_e9l-axZRf3s   5m        kubelet-bootstrap   Approved,Issued
node-csr-piPDu1XYXFMdWSKyucooft7bc-L5dfvgCiKjigjXgKI   10m       kubelet-bootstrap   Approved,Issued
```

The nodes are now shown as ready:

```sh
kubectl get node
NAME              STATUS    ROLES     AGE       VERSION
192.168.200.102   Ready     <none>    1m        v1.9.0
192.168.200.103   Ready     <none>    2m        v1.9.0
```
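Approving a CSR issues a client certificate the apiserver will trust, so it pays to look at what is being signed rather than approving every pending request. The script below is an added example, not part of the original post: it decodes the CSR from the object's spec.request field and only approves when the requester is the kubelet-bootstrap user from token.csv and the subject is a kubelet node identity (CN=system:node:<name>, O=system:nodes). It assumes openssl and base64 are installed; kubectl is invoked only by approve_node_csr.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a pending CSR before
# running `kubectl certificate approve`, so that only requests carrying a
# kubelet node identity (CN=system:node:<name>, O=system:nodes) get signed.
# Assumes openssl and base64 on PATH; kubectl is used only by approve_node_csr.

# csr_subject B64 -> subject of a base64-encoded PEM CSR, one "K=V" per line
csr_subject() {
  printf '%s' "$1" | base64 -d 2>/dev/null |
    openssl req -noout -subject -nameopt sep_multiline,sname 2>/dev/null |
    sed -n '/^ /s/^ *//p'
}

# csr_is_node B64 -> 0 if the subject is what the kubelet TLS bootstrap requests
csr_is_node() {
  subj=$(csr_subject "$1") || return 1
  echo "$subj" | grep -qx 'CN=system:node:..*' || return 1
  echo "$subj" | grep -qx 'O=system:nodes'
}

# approve_node_csr NAME -> approve the named CSR only when the requester is the
# bootstrap user from token.csv and the subject passes csr_is_node
approve_node_csr() {
  user=$(kubectl get csr "$1" -o jsonpath='{.spec.username}') || return 1
  req=$(kubectl get csr "$1" -o jsonpath='{.spec.request}') || return 1
  [ "$user" = "kubelet-bootstrap" ] ||
    { echo "refusing $1: requester is $user" >&2; return 1; }
  csr_is_node "$req" ||
    { echo "refusing $1: subject is not a node identity" >&2; return 1; }
  kubectl certificate approve "$1"
}

# Usage: ./approve-node-csr.sh node-csr-...
if [ -n "${1:-}" ]; then approve_node_csr "$1"; fi
```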
Start kube-proxy on the nodes with the following script (cat proxy.sh):

```sh
#!/bin/bash
NODE_ADDRESS=${1:-"192.168.1.200"}

# kube-proxy authenticates with the client certificate embedded in kube-proxy.kubeconfig
cat <<EOF >/opt/kubernetes/cfg/kube-proxy
KUBE_PROXY_OPTS="--logtostderr=true \
--v=4 \
--hostname-override=${NODE_ADDRESS} \
--kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig"
EOF

cat <<EOF >/usr/lib/systemd/system/kube-proxy.service
[Unit]
Description=Kubernetes Proxy
After=network.target

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable kube-proxy
systemctl restart kube-proxy
```

Start kube-proxy:

On node01:

```sh
./proxy.sh 192.168.200.102
```

On node02:

```sh
./proxy.sh 192.168.200.103
```
**9. Start a test example**

Start an nginx service (reachable only inside the cluster):

```sh
kubectl run nginx --image=nginx --replicas=3
kubectl get pod
```

Start an nginx service exposed externally through a NodePort:

```sh
kubectl expose deployment nginx --port=88 --target-port=80 --type=NodePort
kubectl get svc nginx
```
**10. Deploy the Web UI (Dashboard)**

Use the kubernetes template files dashboard-rbac.yaml, dashboard-deployment.yaml and dashboard-service.yaml:

```sh
kubectl create -f dashboard-rbac.yaml
kubectl create -f dashboard-deployment.yaml
kubectl create -f dashboard-service.yaml
```

Check that it started:

```sh
kubectl get pods -n kube-system            # get the pod id
kubectl describe po/podid -n kube-system
```

Check the service information:

```sh
kubectl get svc -n kube-system
```
Kubectl management tool: managing the cluster remotely

Run on the remote server (with ca.pem, admin.pem and admin-key.pem copied alongside kubectl):

```sh
# Set the apiserver address and root CA for the cluster entry named kubernetes
./kubectl config set-cluster kubernetes --server=https://192.168.200.101:6443 --certificate-authority=ca.pem
# Set the client certificate credentials for the user entry cluster-admin
./kubectl config set-credentials cluster-admin --certificate-authority=ca.pem --client-key=admin-key.pem --client-certificate=admin.pem
# Set the context named default to use that cluster and user
./kubectl config set-context default --cluster=kubernetes --user=cluster-admin
# Make default the current context
./kubectl config use-context default
```