Building an Enterprise Container Cloud with Kubernetes: Introductory Part

1. Kubernetes Architecture and Environment Preparation

1.1 Kubernetes Architecture Overview

  • API Server: exposes the Kubernetes API, handles REST operations and writes objects to etcd. It is the single entry point for creating, reading, updating and deleting every resource.
  • Scheduler: resource scheduling; binds Pods to Nodes.
  • Controller Manager: all other cluster-level functions are currently carried out by the controller manager; it is the automation control centre for resource objects.
  • etcd: all persistent cluster state is stored in etcd.
  • Kubelet: manages Pods and their containers, images and volumes; implements node-level management for the cluster.
  • Kube-proxy: provides network proxying and load balancing; implements traffic to Services.
  • Docker Engine: manages the containers on a node.

1.2 Lab Environment Preparation

1.2.1 Hardware

1. A computer with >= 8 GB RAM and > 80 GB free disk
2. VMware Workstation Pro installed for creating virtual machines
3. Virtual machines (the rest of this document uses three) running CentOS 7.x x86_64

1.2.2 Lab Environment Details

Hostname                       IP address                   Description
linux-node1.example.com        eth0:118.190.201.11          1 vCPU, 2 GB RAM, one 50 GB disk sda (thin-provisioned)
linux-node2.example.com        eth0:118.190.201.12          1 vCPU, 2 GB RAM, one 50 GB disk sda (thin-provisioned)
linux-node3.example.com        eth0:118.190.201.13          1 vCPU, 2 GB RAM, one 50 GB disk sda (thin-provisioned)
Note: at install time the NICs are eth0 and eth1.

1.2.3 Environment Preparation

  • Install CentOS-7.x-x86_64.
  • Base system: 1 vCPU + 2048 MB RAM + 50 GB (thin-provisioned) disk.
  • Networking: network address translation (NAT).
    Package selection: Minimal Install.
    Disable iptables and SELinux. This is a lab shortcut: the 118.190.201.x addresses used throughout are publicly routable, and everything below (etcd on 2379/2380, the API server on 6443, the kubelet on 10250) binds to them, so on any host reachable from outside the lab keep a host firewall in front of those ports and prefer SELinux in permissive mode while debugging rather than disabled.
  • Set the hostname and IP address of every node, and make hostnames resolvable through internal DNS or /etc/hosts.

Installation steps are described in: https://www.xionghaier.cn/archives/485.html

2. Kubernetes Cluster Initialization

2.1 Environment Preparation

1. Install Docker

## Install Docker on node1, node2 and node3
Step 1: use a domestic (China) Docker package mirror
[root@linux-node1 ~]# cd /etc/yum.repos.d/
[root@linux-node1 ~]# wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

Step 2: install Docker:
[root@linux-node1 ~]# yum install -y docker-ce

Configure a Docker Hub registry mirror. The mirror provider publishes a one-liner per platform; the Linux one is shown. It pipes a remote script into a root shell, so download and read it first (curl -sSL ... -o set_mirror.sh) before running it, or write the "registry-mirrors" entry in /etc/docker/daemon.json yourself:
curl -sSL https://get.daocloud.io/daotools/set_mirror.sh | sh -s http://f1361db2.m.daocloud.io

Step 3: start the daemon:
systemctl restart docker

2. Prepare the deployment directories

## On all nodes
mkdir -p /opt/kubernetes/{cfg,bin,ssl,log}

3. Prepare the software packages

Baidu Netdisk download:
https://pan.baidu.com/s/1ABHgmAqxu0WOCiS-vn6j9Q    ### download v1.10.1
Upstream download:
https://github.com/kubernetes/kubernetes
Whichever source you use, the upstream release notes list sha256 sums for the kubernetes-server/node/client tarballs; compare them before unpacking binaries that will run as root on every node.

4. Unpack the packages

## Upload the archive and unpack it
[root@linux-node1 ~]# yum install -y unzip
[root@linux-node1 ~]# cd k8s-v1.10.1-manual/k8s-v1.10.1/
[root@linux-node1 k8s-v1.10.1]# mv ./* /usr/local/src/
## Unpack
[root@linux-node1 k8s-v1.10.1]# cd /usr/local/src/
[root@linux-node1 src]# tar zxvf kubernetes.tar.gz
[root@linux-node1 src]# tar zxvf kubernetes-client-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxvf kubernetes-server-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxvf kubernetes-node-linux-amd64.tar.gz

5. Add the environment variable

## Required on every node
sed -ri 's#PATH=(.*)#PATH=\1:/opt/kubernetes/bin#g' /root/.bash_profile
source /root/.bash_profile

6. Configure kernel parameters

[root@linux-node1 ~]# vim /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120
net.ipv4.ip_forward = 1

# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2


# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_synack_retries = 2
kernel.sysrq = 1

# iptables on the transparent bridge (pod traffic crossing the bridge is seen by iptables/IPVS)
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

Editing the file alone changes nothing until it is applied (sysctl -p, on every node), and the three net.bridge keys do not exist until the br_netfilter kernel module is loaded, so the apply step reports "No such file or directory" for them on a fresh minimal install. Load the module (modprobe br_netfilter) first, and make that persistent across reboots.
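The script below is an added example, not from the original page: it renders the settings that matter for Kubernetes as a sysctl.d drop-in, applies them together with the br_netfilter module, and then reads back what the kernel actually reports so that a typo or a missing module is caught instead of showing up later as pods that cannot reach Services. The file names /etc/sysctl.d/99-kubernetes.conf and /etc/modules-load.d/br_netfilter.conf and the K8S_SYSCTL_* variables are this example's own choices; the check reads from a /proc/sys-style tree whose root can be overridden, which is how it is exercised on a constructed tree.

```shell
#!/bin/sh
# Added example (not part of the original page): apply the node sysctl settings
# and verify what the kernel actually reports afterwards.
set -u

# The keys the page configures, as key=value (the subset that must hold on every node).
K8S_SYSCTL='
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.tcp_syncookies=1
vm.swappiness=0
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-arptables=1
'

# Print the settings in sysctl.d format ("key = value").
render_sysctl_conf() {
    printf '%s\n' "$K8S_SYSCTL" | sed -n 's/^\([^=]*\)=\(.*\)$/\1 = \2/p'
}

# check_sysctl [ROOT]: compare every expected key with the value found under
# ROOT (default /proc/sys). Prints OK / MISMATCH / MISSING per key and exits 0
# only when every key is present with the expected value.
check_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        path="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$path" ]; then
            # net.bridge.* keys only appear once br_netfilter is loaded.
            printf 'MISSING %s (for net.bridge.* run: modprobe br_netfilter)\n' "$key"
            bad=$((bad + 1))
            continue
        fi
        got=$(tr -d '[:space:]' < "$path")
        if [ "$got" = "$want" ]; then
            printf 'OK %s=%s\n' "$key" "$got"
        else
            printf 'MISMATCH %s want=%s got=%s\n' "$key" "$want" "$got"
            bad=$((bad + 1))
        fi
    done <<EOF
$K8S_SYSCTL
EOF
    [ "$bad" -eq 0 ]
}

# apply_sysctl: write the drop-in, load br_netfilter now and at boot, apply,
# then verify. Must run as root on each node.
apply_sysctl() {
    render_sysctl_conf > /etc/sysctl.d/99-kubernetes.conf
    echo br_netfilter > /etc/modules-load.d/br_netfilter.conf
    modprobe br_netfilter
    sysctl --system > /dev/null
    check_sysctl
}

# Usage: K8S_SYSCTL_APPLY=1 sh k8s-sysctl.sh   (apply, then verify)
#        K8S_SYSCTL_CHECK=1 sh k8s-sysctl.sh   (read-only verification)
if [ "${K8S_SYSCTL_APPLY:-0}" = 1 ]; then
    apply_sysctl
elif [ "${K8S_SYSCTL_CHECK:-0}" = 1 ]; then
    check_sysctl
fi
```

check_sysctl is read-only and safe to run from a cron job or a node-join checklist; a non-zero exit means at least one key is missing or wrong, and the output names it.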

2.2 Creating and Distributing the Cluster CA Certificate

The Kubernetes components use TLS certificates to authenticate each other and to encrypt their traffic; all of them are issued by one self-signed cluster CA.

Tools for managing a self-signed CA: 1. easyrsa  2. openssl  3. cfssl (used here)

1. Create an SSH key for password-less login

[root@linux-node1 ~]# ssh-keygen -t rsa
[root@linux-node1 ~]# cat /etc/hosts   ## identical on all nodes
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
118.190.201.11 linux-node1 linux-node1.example.com
118.190.201.12 linux-node2 linux-node2.example.com
118.190.201.13 linux-node3 linux-node3.example.com
[root@linux-node1 ~]# ssh-copy-id linux-node1
[root@linux-node1 ~]# ssh-copy-id linux-node2
[root@linux-node1 ~]# ssh-copy-id linux-node3
node1's root key now opens root on every node; it deserves the same protection as the CA key generated below.

2. Install cfssl

[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
[root@linux-node1 src]# wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
[root@linux-node1 src]# chmod +x cfssl*
[root@linux-node1 src]# mv cfssl-certinfo_linux-amd64 /opt/kubernetes/bin/cfssl-certinfo
[root@linux-node1 src]# mv cfssljson_linux-amd64  /opt/kubernetes/bin/cfssljson
[root@linux-node1 src]# mv cfssl_linux-amd64  /opt/kubernetes/bin/cfssl
Copy the cfssl binaries to linux-node2 and linux-node3; in a real cluster with more nodes, copy them to every node.
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 118.190.201.12:/opt/kubernetes/bin
[root@linux-node1 ~]# scp /opt/kubernetes/bin/cfssl* 118.190.201.13:/opt/kubernetes/bin

3. Initialize cfssl

[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# mkdir ssl && cd ssl
## Generate template files; they are only references for the files written by hand below
[root@linux-node1 ssl]# cfssl print-defaults config > config.json
[root@linux-node1 ssl]# cfssl print-defaults csr > csr.json

4. Create the JSON configuration used to generate the CA files

[root@linux-node1 ssl]# vim ca-config.json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
            "signing",
            "key encipherment",
            "server auth",
            "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

"expiry": "8760h" is one year: every certificate signed with the "kubernetes" profile stops working then and has to be reissued beforehand, so note the date. The single profile carries both "server auth" and "client auth", which means any certificate it issues (kube-proxy's or flannel's, for instance) is also a valid server certificate for whatever names it contains; separate server and client profiles are the tighter arrangement.

5. Create the JSON configuration for the CA certificate signing request (CSR)

[root@linux-node1 ssl]# vim ca-csr.json
{
  "CN": "kubernetes",
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

6. Generate the CA certificate (ca.pem) and private key (ca-key.pem)

[root@linux-node1 ssl]# cfssl gencert -initca ca-csr.json | cfssljson -bare ca
[root@linux-node1 ssl]# ll
total 20
-rw-r--r-- 1 root root 290 Jan 31 04:47 ca-config.json
-rw-r--r-- 1 root root 1001 Jan 31 04:56 ca.csr
-rw-r--r-- 1 root root 208 Jan 31 04:51 ca-csr.json
-rw------- 1 root root 1679 Jan 31 04:56 ca-key.pem
-rw-r--r-- 1 root root 1359 Jan 31 04:56 ca.pem

7. Distribute the certificates

[root@linux-node1 ssl]# cp ca.csr ca.pem ca-key.pem ca-config.json /opt/kubernetes/ssl
## scp the certificates to linux-node2 and linux-node3
[root@linux-node1 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json 118.190.201.12:/opt/kubernetes/ssl
[root@linux-node1 ssl]# scp ca.csr ca.pem ca-key.pem ca-config.json 118.190.201.13:/opt/kubernetes/ssl

ca-key.pem can sign a certificate for any identity, including one in the system:masters group. The only processes that need it are the one issuing certificates (node1 in this walkthrough) and the controller-manager, which signs kubelet CSRs with it. Copying it to node2 and node3 as above means that compromising any node compromises the CA; keep it at mode 0600 and, outside the lab, off the worker nodes (they only need ca.pem).

2.3 Deploying the etcd Cluster

Releases: https://github.com/etcd-io/etcd/releases

## Download and unpack the archive
[root@linux-node1 ~]# cd /usr/local/src/
[root@linux-node1 src]# wget https://github.com/coreos/etcd/releases/download/v3.2.18/etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf etcd-v3.2.18-linux-amd64.tar.gz
[root@linux-node1 src]# cd etcd-v3.2.18-linux-amd64
[root@linux-node1 etcd-v3.2.18-linux-amd64]# cp etcd etcdctl /opt/kubernetes/bin/
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 118.190.201.12:/opt/kubernetes/bin/
[root@linux-node1 etcd-v3.2.18-linux-amd64]# scp etcd etcdctl 118.190.201.13:/opt/kubernetes/bin/

1. Create the etcd certificate signing request:

[root@linux-node1 ~]# cd /usr/local/src/ssl
[root@linux-node1 ssl]# vim etcd-csr.json
{
  "CN": "etcd",
  "hosts": [
    "127.0.0.1",
    "118.190.201.11",
    "118.190.201.12",
    "118.190.201.13"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

The "hosts" entries become the certificate's subject alternative names. One certificate is shared by all three members, so it must list every member address (and 127.0.0.1 for local etcdctl use); a member whose address is missing is rejected by its peers on the TLS handshake.

2. Generate the etcd certificate and private key:

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
  -ca-key=/opt/kubernetes/ssl/ca-key.pem \
  -config=/opt/kubernetes/ssl/ca-config.json \
  -profile=kubernetes etcd-csr.json | cfssljson -bare etcd
## The following files are produced
[root@linux-node1 ssl]# ls -l etcd*
-rw-r--r-- 1 root root 1045 Mar  5 11:27 etcd.csr
-rw-r--r-- 1 root root  257 Mar  5 11:25 etcd-csr.json
-rw------- 1 root root 1679 Mar  5 11:27 etcd-key.pem
-rw-r--r-- 1 root root 1419 Mar  5 11:27 etcd.pem
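Before a certificate is copied around it is worth confirming what cfssl actually put in it: the SAN list, the extended key usages, the expiry date, and that it chains to ca.pem. The helper below is an added example, not part of the original page or of cfssl; it relies only on openssl, which the CentOS minimal install already has, and applies just as well to the kubernetes, admin, kube-proxy and flanneld certificates issued later in this document. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original page): inspect a cfssl-issued
# certificate with openssl before distributing it.
set -u

# cert_sans CERT: print the subject alternative names one per line, in
# openssl's notation ("IP Address:127.0.0.1", "DNS:kubernetes.default").
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' | tail -n1 \
      | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d'
}

# cert_has_san CERT HOST: exit 0 if HOST (an IP or a DNS name) is among the SANs.
cert_has_san() {
    cert_sans "$1" | grep -qx -e "IP Address:$2" -e "DNS:$2"
}

# require_sans CERT HOST...: report each HOST; exit 0 only if all are present.
require_sans() {
    cert="$1"; shift
    missing=0
    for h in "$@"; do
        if cert_has_san "$cert" "$h"; then
            printf 'SAN ok      %s\n' "$h"
        else
            printf 'SAN MISSING %s\n' "$h"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# cert_verify_chain CA CERT: exit 0 if CERT was issued by CA and is currently valid.
cert_verify_chain() {
    openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}

# cert_days_left CERT: whole days until notAfter (negative once expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s 2>/dev/null \
            || date -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s)   # GNU date, then BSD fallback
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# inspect_cert CERT CA: one-screen summary of what the certificate asserts.
inspect_cert() {
    cert="$1"; ca="$2"
    printf 'subject : %s\n' "$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')"
    printf 'SANs    : %s\n' "$(cert_sans "$cert" | tr '\n' ' ')"
    printf 'EKU     : %s\n' "$(openssl x509 -in "$cert" -noout -text \
                               | grep -A1 'Extended Key Usage' | tail -n1 | sed 's/^[[:space:]]*//')"
    printf 'days    : %s\n' "$(cert_days_left "$cert")"
    if cert_verify_chain "$ca" "$cert"; then echo 'chain   : OK'; else echo 'chain   : FAIL'; fi
}

# Usage on node1, in /usr/local/src/ssl, after generating etcd.pem:
#   inspect_cert etcd.pem /opt/kubernetes/ssl/ca.pem
#   require_sans etcd.pem 127.0.0.1 118.190.201.11 118.190.201.12 118.190.201.13
```

require_sans fails (non-zero exit) the moment one expected address is absent, which makes it usable as a gate in a distribution script; cert_days_left is the number to put on a calendar, since the profile above issues one-year certificates.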

3. Copy the certificates into /opt/kubernetes/ssl

[root@linux-node1 ssl]# cp etcd*.pem /opt/kubernetes/ssl
[root@linux-node1 ssl]# scp etcd*.pem 118.190.201.12:/opt/kubernetes/ssl
[root@linux-node1 ssl]# scp etcd*.pem 118.190.201.13:/opt/kubernetes/ssl

4. Create the etcd configuration file

[root@linux-node1 ssl]# vim /opt/kubernetes/cfg/etcd.conf
#[member]
ETCD_NAME="etcd-node1"      ## must be unique per member
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"   ## etcd data directory
#ETCD_SNAPSHOT_COUNTER="10000"
#ETCD_HEARTBEAT_INTERVAL="100"
#ETCD_ELECTION_TIMEOUT="1000"
ETCD_LISTEN_PEER_URLS="https://118.190.201.11:2380"    ## listen URLs: 2379 is the client port, 2380 the peer (cluster) port
ETCD_LISTEN_CLIENT_URLS="https://118.190.201.11:2379,https://127.0.0.1:2379"
#ETCD_MAX_SNAPSHOTS="5"
#ETCD_MAX_WALS="5"
#ETCD_CORS=""
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://118.190.201.11:2380"
# if you use different ETCD_NAME (e.g. test),
# set ETCD_INITIAL_CLUSTER value for this name, i.e. "test=http://..."
ETCD_INITIAL_CLUSTER="etcd-node1=https://118.190.201.11:2380,etcd-node2=https://118.190.201.12:2380,etcd-node3=https://118.190.201.13:2380"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://118.190.201.11:2379"
#[security]
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/opt/kubernetes/ssl/ca.pem"
ETCD_PEER_CERT_FILE="/opt/kubernetes/ssl/etcd.pem"
ETCD_PEER_KEY_FILE="/opt/kubernetes/ssl/etcd-key.pem"

Two corrections in the [security] block relative to the original file. etcd only reads environment variables that carry the ETCD_ prefix, so the original CLIENT_CERT_AUTH="true" and PEER_CLIENT_CERT_AUTH="true" lines were never seen by etcd; the setup still required client certificates only because the deprecated --ca-file form (ETCD_CA_FILE / ETCD_PEER_CA_FILE) implies --client-cert-auth. The version above spells both out with the current flag names (--trusted-ca-file plus --client-cert-auth, and their peer equivalents), so the intent survives a later etcd upgrade that drops the deprecated flags. Without client certificate verification, anyone who can reach 2379 can read and rewrite the entire cluster state.

5. Create the etcd systemd service

[root@linux-node1 ssl]# vim /etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target

[Service]
WorkingDirectory=/var/lib/etcd
EnvironmentFile=-/opt/kubernetes/cfg/etcd.conf
# set GOMAXPROCS to number of processors
ExecStart=/bin/bash -c "GOMAXPROCS=$(nproc) /opt/kubernetes/bin/etcd"
Type=notify

[Install]
WantedBy=multi-user.target

The original unit listed both Type=simple and Type=notify; systemd takes the last value, and notify is the right one for etcd (it signals readiness only once it is serving), so the redundant line is dropped.

6. Distribute the files and start the service

### Copy from node1
scp /opt/kubernetes/cfg/etcd.conf 118.190.201.12:/opt/kubernetes/cfg/    ### on node2: set ETCD_NAME to etcd-node2 and change every URL except ETCD_INITIAL_CLUSTER to node2's address
scp /etc/systemd/system/etcd.service 118.190.201.12:/etc/systemd/system/
scp /opt/kubernetes/cfg/etcd.conf 118.190.201.13:/opt/kubernetes/cfg/    ### on node3: set ETCD_NAME to etcd-node3 and change every URL except ETCD_INITIAL_CLUSTER to node3's address
scp /etc/systemd/system/etcd.service 118.190.201.13:/etc/systemd/system/

### On every node, create the etcd data directory and start etcd
[root@linux-node1 ~]# mkdir /var/lib/etcd
[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable etcd
[root@linux-node1 ~]# systemctl start etcd
[root@linux-node1 ~]# systemctl status etcd
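Copying node1's file and editing it by hand on each member is where the usual mistakes come from (two members with the same ETCD_NAME, an advertise URL still pointing at node1, a security line that lost its prefix). The script below is an added example, not part of the original page: it renders every member's etcd.conf from one member list, so ETCD_INITIAL_CLUSTER is provably identical everywhere and the per-member values cannot drift. The member list, the output file naming (etcd.conf.<name>) and the function names are this example's own assumptions; the certificate paths are the ones used above.

```shell
#!/bin/sh
# Added example (not part of the original page): render one etcd.conf per member
# from a single member list instead of hand-editing copies of node1's file.
set -u

# name=ip for every member (the page's three nodes). ETCD_INITIAL_CLUSTER is
# derived from this list, so it is identical on all members by construction.
ETCD_MEMBERS='etcd-node1=118.190.201.11 etcd-node2=118.190.201.12 etcd-node3=118.190.201.13'
SSL_DIR=/opt/kubernetes/ssl

# initial_cluster: "name=https://ip:2380,..." for the whole member list.
initial_cluster() {
    out=''
    for m in $ETCD_MEMBERS; do
        name=${m%%=*}; ip=${m#*=}
        out="${out:+$out,}${name}=https://${ip}:2380"
    done
    printf '%s' "$out"
}

# render_etcd_conf NAME IP: the member-specific configuration on stdout.
# Every variable carries the ETCD_ prefix: etcd ignores any that do not, so a
# bare CLIENT_CERT_AUTH="true" line would never be read.
render_etcd_conf() {
    name="$1"; ip="$2"
    cat <<EOF
#[member]
ETCD_NAME="${name}"
ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
ETCD_LISTEN_PEER_URLS="https://${ip}:2380"
ETCD_LISTEN_CLIENT_URLS="https://${ip}:2379,https://127.0.0.1:2379"
#[cluster]
ETCD_INITIAL_ADVERTISE_PEER_URLS="https://${ip}:2380"
ETCD_INITIAL_CLUSTER="$(initial_cluster)"
ETCD_INITIAL_CLUSTER_STATE="new"
ETCD_INITIAL_CLUSTER_TOKEN="k8s-etcd-cluster"
ETCD_ADVERTISE_CLIENT_URLS="https://${ip}:2379"
#[security]
ETCD_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE="${SSL_DIR}/ca.pem"
ETCD_CERT_FILE="${SSL_DIR}/etcd.pem"
ETCD_KEY_FILE="${SSL_DIR}/etcd-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="${SSL_DIR}/ca.pem"
ETCD_PEER_CERT_FILE="${SSL_DIR}/etcd.pem"
ETCD_PEER_KEY_FILE="${SSL_DIR}/etcd-key.pem"
EOF
}

# render_all DIR: write DIR/etcd.conf.<name> for every member; prints the count.
render_all() {
    dir="$1"; n=0
    for m in $ETCD_MEMBERS; do
        name=${m%%=*}; ip=${m#*=}
        render_etcd_conf "$name" "$ip" > "$dir/etcd.conf.$name"
        n=$((n + 1))
    done
    echo "$n"
}

# distribute DIR: push each member's file into place as /opt/kubernetes/cfg/etcd.conf
# over the root SSH keys set up in 2.2 (run from node1).
distribute() {
    dir="$1"
    for m in $ETCD_MEMBERS; do
        name=${m%%=*}; ip=${m#*=}
        scp "$dir/etcd.conf.$name" "root@${ip}:/opt/kubernetes/cfg/etcd.conf"
    done
}

# Usage: d=$(mktemp -d); render_all "$d"; distribute "$d"
```

Adding a fourth member later is a one-line change to ETCD_MEMBERS followed by re-rendering; the same ETCD_INITIAL_CLUSTER_STATE="new" line is correct only for the first bootstrap, so for a member joining an existing cluster change it to "existing" before distributing.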

7. Verify the cluster

[root@linux-node1 ~]# etcdctl --endpoints=https://118.190.201.11:2379 \
  --ca-file=/opt/kubernetes/ssl/ca.pem \
  --cert-file=/opt/kubernetes/ssl/etcd.pem \
  --key-file=/opt/kubernetes/ssl/etcd-key.pem cluster-health
member 2b9768bac4d1e147 is healthy: got healthy result from https://118.190.201.11:2379
member 6e9e3c245093a8d9 is healthy: got healthy result from https://118.190.201.13:2379
member bdf57119cb0d3229 is healthy: got healthy result from https://118.190.201.12:2379
cluster is healthy

These are the etcdctl v2 API flags (the default API for etcdctl 3.2). The command must present the client certificate: if it also succeeds without --cert-file/--key-file, client certificate authentication is not actually enforced and the [security] block of etcd.conf should be rechecked.

3. Deploying the Kubernetes Master Node

1. The API Server exposes the cluster-management REST API: authentication and authorization, validation, and cluster state changes.
  ① Only the API Server talks to etcd directly.
  ② Every other component reads or changes data through the API Server.
  ③ It is the hub for data exchange and communication between the other components.
2. The Scheduler assigns Pods to nodes in the cluster.
  ① It watches the API Server for Pods that have no Node assigned yet.
  ② It binds those Pods to nodes according to the scheduling policy.
3. The Controller Manager is a set of controllers that watch the cluster state through the API Server and drive it towards the desired state.

3.1 Deploying the Kubernetes API Server

0. Prepare the binaries

### Only node1 (the master) needs these
[root@linux-node1 ~]# cd /usr/local/src/kubernetes
[root@linux-node1 kubernetes]# cp server/bin/kube-apiserver /opt/kubernetes/bin/
[root@linux-node1 kubernetes]# cp server/bin/kube-controller-manager /opt/kubernetes/bin/
[root@linux-node1 kubernetes]# cp server/bin/kube-scheduler /opt/kubernetes/bin/

1. Create the JSON file for the CSR

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim kubernetes-csr.json
{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "118.190.201.11",
    "10.1.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

The "hosts" list becomes the certificate's subject alternative names: 118.190.201.11 is the master's address (the original file carried that remark as an inline comment, which JSON does not allow and cfssl rejects), 10.1.0.1 is the first address of the service range (--service-cluster-ip-range=10.1.0.0/16 below), which the "kubernetes" Service in the default namespace receives, and the kubernetes.default.* names are what pods use to reach the API. A client connecting under any name not in the list fails TLS verification, so add every address or DNS name you will ever use (a load balancer, additional masters) before signing.

2. Generate the kubernetes certificate and private key

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes kubernetes-csr.json | cfssljson -bare kubernetes
[root@linux-node1 ssl]# cp kubernetes*.pem /opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kubernetes*.pem 118.190.201.12:/opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kubernetes*.pem 118.190.201.13:/opt/kubernetes/ssl/

3. Create the client token file used by kube-apiserver

[root@linux-node1 ~]#  head -c 16 /dev/urandom | od -An -t x | tr -d ' '
ad6d5bb607a186796d8861557df0d17f 
[root@linux-node1 ~]# vim /opt/kubernetes/ssl/bootstrap-token.csv
ad6d5bb607a186796d8861557df0d17f,kubelet-bootstrap,10001,"system:kubelet-bootstrap"

Format: token,user name,user uid,"group". The token is a bearer credential: whoever holds it can request node certificates, so generate your own value rather than reusing the one printed above, keep the file at mode 0600, and replace the token once the nodes have bootstrapped (a static token file has no expiry).

4. Create the basic username/password authentication file

[root@linux-node1 ~]# vim /opt/kubernetes/ssl/basic-auth.csv
admin,admin,1
readonly,readonly,2

Format: password,user name,user uid. These values are placeholders. The password "admin" is accepted by the API server over the network; RBAC grants the basic-auth user admin nothing until someone binds a role to it, but a guessable password on an exposed API is still a foothold, and the file has no lockout or rotation. Use long random passwords, or leave --basic-auth-file out entirely and rely on certificates; it is kept here only because the original deployment uses it.

5. Deploy the Kubernetes API Server

Before copying the unit, note what the security-relevant flags do. --anonymous-auth=false, --authorization-mode=Node,RBAC, NodeRestriction in the admission list and the audit-log flags are the right choices. --insecure-bind-address=127.0.0.1 keeps the insecure port (8080 by default) on loopback, but that port performs no authentication and no authorization, so every process on node1 that can reach it is cluster-admin; the controller-manager and scheduler below use it, which is why it cannot simply be disabled with --insecure-port=0 in this layout without giving them kubeconfigs of their own. --service-account-key-file=ca-key.pem reuses the CA's private key to verify service-account tokens (and the controller-manager signs them with the same key): a leak of the token-signing key is then a CA compromise, so a dedicated key pair is preferable. --allow-privileged=true is needed for the host-network pods many CNI plugins use, but it lets anyone who can create pods run a privileged container; constrain that with PodSecurityPolicy. --admission-control is the older spelling; 1.10 also accepts --enable-admission-plugins.

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-apiserver.service
[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
ExecStart=/opt/kubernetes/bin/kube-apiserver \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --bind-address=118.190.201.11 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --runtime-config=rbac.authorization.k8s.io/v1 \
  --kubelet-https=true \
  --anonymous-auth=false \
  --basic-auth-file=/opt/kubernetes/ssl/basic-auth.csv \
  --enable-bootstrap-token-auth \
  --token-auth-file=/opt/kubernetes/ssl/bootstrap-token.csv \
  --service-cluster-ip-range=10.1.0.0/16 \
  --service-node-port-range=20000-40000 \
  --tls-cert-file=/opt/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/opt/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/opt/kubernetes/ssl/ca.pem \
  --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/opt/kubernetes/ssl/ca.pem \
  --etcd-certfile=/opt/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/opt/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://118.190.201.11:2379,https://118.190.201.12:2379,https://118.190.201.13:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/opt/kubernetes/log/api-audit.log \
  --event-ttl=1h \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
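Unit files like this one get copied between clusters and edited under time pressure, so a mechanical check of the flags that decide who can talk to the API server is worth having. The script below is an added example, not part of the original page: it joins the backslash-continued ExecStart line of a kube-apiserver unit, extracts the flags, and reports the settings a reviewer would look at first. Run against the unit above it raises exactly the points made in the note before it. The flag list and the heuristic for CA-key reuse (a service-account key file named ca-key.pem) are this example's own choices; the function names are not from any Kubernetes tool.

```shell
#!/bin/sh
# Added example (not part of the original page): audit the authentication and
# authorization flags in a kube-apiserver systemd unit.
set -u

# apiserver_flags UNITFILE: join the backslash-continued ExecStart= line and
# print each --flag=value on its own line.
apiserver_flags() {
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" \
      | sed -n 's/^ExecStart=//p' \
      | tr ' \t' '\n\n' | grep '^--'
}

# flag_value FLAGS NAME: value of --NAME= (empty when the flag is absent).
flag_value() {
    printf '%s\n' "$1" | sed -n "s/^--$2=//p" | head -n1
}

# audit_apiserver UNITFILE: print OK/WARN lines and a count; exit 0 only if clean.
audit_apiserver() {
    flags=$(apiserver_flags "$1")
    warn=0
    report() { printf '%s %s\n' "$1" "$2"; [ "$1" = WARN ] && warn=$((warn + 1)); return 0; }

    if [ "$(flag_value "$flags" anonymous-auth)" = false ]; then
        report OK "anonymous-auth=false"
    else
        report WARN "anonymous-auth is not false: unauthenticated requests are passed on to authorization"
    fi

    if [ "$(flag_value "$flags" insecure-port)" = 0 ]; then
        report OK "insecure-port=0"
    else
        report WARN "insecure port is on (default 8080): no authentication or RBAC there, every local process is cluster-admin"
    fi

    if [ -n "$(flag_value "$flags" basic-auth-file)" ]; then
        report WARN "basic-auth-file: static passwords in a CSV, no lockout or rotation"
    else
        report OK "no basic-auth-file"
    fi

    case "$(flag_value "$flags" authorization-mode)" in
        *AlwaysAllow*) report WARN "authorization-mode contains AlwaysAllow" ;;
        *RBAC*)        report OK   "authorization-mode includes RBAC" ;;
        *)             report WARN "authorization-mode does not include RBAC" ;;
    esac

    case "$(flag_value "$flags" service-account-key-file)" in
        "")          report WARN "service-account-key-file not set" ;;
        *ca-key.pem) report WARN "service-account-key-file is the CA private key (heuristic: file named ca-key.pem); use a dedicated key pair" ;;
        *)           report OK   "service-account-key-file is a dedicated key" ;;
    esac

    if [ "$(flag_value "$flags" allow-privileged)" = true ]; then
        report WARN "allow-privileged=true: anyone who can create pods can run a privileged container; constrain with PodSecurityPolicy"
    else
        report OK "privileged containers disabled"
    fi

    case "$(flag_value "$flags" admission-control)$(flag_value "$flags" enable-admission-plugins)" in
        *NodeRestriction*) report OK "NodeRestriction admission enabled" ;;
        *) report WARN "NodeRestriction admission missing: a kubelet may modify other nodes' objects" ;;
    esac

    if [ -n "$(flag_value "$flags" audit-log-path)" ]; then
        report OK "audit log enabled"
    else
        report WARN "no audit-log-path"
    fi

    printf 'warnings: %s\n' "$warn"
    [ "$warn" -eq 0 ]
}

# Usage: audit_apiserver /usr/lib/systemd/system/kube-apiserver.service
```

The exit status makes the check usable as a gate in whatever copies unit files to a master; the WARN text says what to change. On the unit above it reports four warnings (insecure port, basic-auth file, CA key reused for service accounts, privileged containers allowed), which matches the discussion before the unit.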

6. Start the API Server

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable kube-apiserver
[root@linux-node1 ~]# systemctl start kube-apiserver

Check the API Server status

[root@linux-node1 ~]# systemctl status kube-apiserver
[root@linux-node1 ~]# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address   State    PID/Program name
tcp        0      0 118.190.201.11:6443     0.0.0.0:*         LISTEN   18559/kube-apiserve
tcp        0      0 127.0.0.1:2379          0.0.0.0:*         LISTEN   17867/etcd
tcp        0      0 118.190.201.11:2379     0.0.0.0:*         LISTEN   17867/etcd
tcp        0      0 118.190.201.11:2380     0.0.0.0:*         LISTEN   17867/etcd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*         LISTEN   18559/kube-apiserve
tcp        0      0 0.0.0.0:22              0.0.0.0:*         LISTEN   1098/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*         LISTEN   1976/master
tcp6       0      0 :::22                   :::*              LISTEN   1098/sshd
tcp6       0      0 ::1:25                  :::*              LISTEN   1976/master

6443 is the TLS port on the node address; 8080 is the unauthenticated insecure port and must only ever appear on 127.0.0.1, as here.

3.2 Deploying the Controller Manager

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-controller-manager.service
[Unit]
Description=Kubernetes Controller Manager
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --allocate-node-cidrs=true \
  --service-cluster-ip-range=10.1.0.0/16 \
  --cluster-cidr=10.2.0.0/16 \
  --cluster-name=kubernetes \
  --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \
  --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \
  --root-ca-file=/opt/kubernetes/ssl/ca.pem \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

--master=http://127.0.0.1:8080 connects through the API server's insecure port, so the controller-manager runs with no credentials of its own. --cluster-signing-key-file is the one place the CA private key is legitimately required: this is the process that signs the kubelet CSRs approved in section 4. --service-account-private-key-file should match the API server's --service-account-key-file; both point at ca-key.pem here, and both should move to a dedicated key pair together.

1. Start the Controller Manager

[root@linux-node1 ~]# systemctl daemon-reload
[root@linux-node1 ~]# systemctl enable kube-controller-manager
[root@linux-node1 ~]# systemctl start kube-controller-manager

2. Check the service status; it listens on port 10252

[root@linux-node1 ~]# systemctl status kube-controller-manager

3.3 Deploying the Kubernetes Scheduler

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-scheduler.service
[Unit]
Description=Kubernetes Scheduler
Documentation=https://github.com/GoogleCloudPlatform/kubernetes

[Service]
ExecStart=/opt/kubernetes/bin/kube-scheduler \
  --address=127.0.0.1 \
  --master=http://127.0.0.1:8080 \
  --leader-elect=true \
  --v=2 \
  --logtostderr=false \
  --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

2. Start the service; it listens on port 10251

[root@linux-node1 ~]# systemctl daemon-reload  
[root@linux-node1 ~]# systemctl enable kube-scheduler 
[root@linux-node1 ~]# systemctl start kube-scheduler  
[root@linux-node1 ~]# systemctl status kube-scheduler

3.4 Deploying the kubectl Command-Line Tool

1. Prepare the binary

[root@linux-node1 ~]# cd /usr/local/src/kubernetes/client/bin
[root@linux-node1 bin]# cp kubectl /opt/kubernetes/bin/

2. Create the admin certificate signing request

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim admin-csr.json
{
  "CN": "admin",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "system:masters",
      "OU": "System"
    }
  ]
}

The API server takes the user name from CN and the group from O. "O": "system:masters" is what makes this an administrator credential: the built-in cluster-admin ClusterRoleBinding grants that group everything. "hosts": [] is correct for a pure client certificate.

3. Generate the admin certificate and private key:

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes admin-csr.json | cfssljson -bare admin
[root@linux-node1 ssl]# ls -l admin*
-rw-r--r-- 1 root root 1009 Mar  5 12:29 admin.csr
-rw-r--r-- 1 root root  229 Mar  5 12:28 admin-csr.json
-rw------- 1 root root 1675 Mar  5 12:29 admin-key.pem
-rw-r--r-- 1 root root 1399 Mar  5 12:29 admin.pem

[root@linux-node1 ssl]# cp admin*.pem /opt/kubernetes/ssl/

4. Set the cluster parameters

kubectl needs this certificate because the API server authorizes with RBAC, and RBAC comes with predefined roles that are bound to identities; the group in the certificate is what maps this identity to cluster-admin. Kubernetes checks no certificate revocation lists, so a system:masters certificate stays valid until it expires (8760h here) or the CA is replaced; treat admin-key.pem and the kubeconfig built from it accordingly.

[root@linux-node1 ssl]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://118.190.201.11:6443
Cluster "kubernetes" set.

5. Set the client authentication parameters

[root@linux-node1 ssl]# kubectl config set-credentials admin \
   --client-certificate=/opt/kubernetes/ssl/admin.pem \
   --embed-certs=true \
   --client-key=/opt/kubernetes/ssl/admin-key.pem
User "admin" set.

6. Set the context parameters

[root@linux-node1 ssl]# kubectl config set-context kubernetes \
   --cluster=kubernetes \
   --user=admin
Context "kubernetes" created.

7. Set the default context

[root@linux-node1 ssl]# kubectl config use-context kubernetes
Switched to context "kubernetes".

8. Use kubectl

[root@linux-node1 ~]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
controller-manager   Healthy   ok                  
scheduler            Healthy   ok                  
etcd-1               Healthy   {"health":"true"}   
etcd-2               Healthy   {"health":"true"}   
etcd-0               Healthy   {"health":"true"}   

These commands write ~/.kube/config, which kubectl uses for every call to the API. Because --embed-certs=true copies admin-key.pem into it, the file is the cluster-admin credential itself: keep it at mode 0600, and when kubectl is needed on another node copy the file there over scp rather than through a shared location.

4. Deploying the Kubernetes Node Components

4.1 Deploying the kubelet

1. Prepare the binaries and copy them from linux-node1 to the other nodes.

[root@linux-node1 ~]# cd /usr/local/src/kubernetes/server/bin/
[root@linux-node1 bin]# cp kubelet kube-proxy /opt/kubernetes/bin/
[root@linux-node1 bin]# scp kubelet kube-proxy 118.190.201.12:/opt/kubernetes/bin/
[root@linux-node1 bin]# scp kubelet kube-proxy 118.190.201.13:/opt/kubernetes/bin/

2. Create the role binding

When the kubelet starts it sends a certificate signing request (CSR) to the API Server, authenticating with the bootstrap token. The token's user (kubelet-bootstrap) has to be bound to the system:node-bootstrapper ClusterRole; otherwise the kubelet has no permission to create the CSR.

[root@linux-node1 bin]# kubectl create clusterrolebinding kubelet-bootstrap --clusterrole=system:node-bootstrapper --user=kubelet-bootstrap

3. Prepare a kubeconfig for the kubelet

Create the kubelet bootstrapping kubeconfig file. First set the cluster parameters:

[root@linux-node1 bin]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://118.190.201.11:6443 \
   --kubeconfig=bootstrap.kubeconfig
Cluster "kubernetes" set.

Set the client authentication parameters (the token from bootstrap-token.csv)

[root@linux-node1 ssl]# kubectl config set-credentials kubelet-bootstrap \
   --token=ad6d5bb607a186796d8861557df0d17f \
   --kubeconfig=bootstrap.kubeconfig   
User "kubelet-bootstrap" set.

Set the context parameters

[root@linux-node1 ssl]# kubectl config set-context default \
   --cluster=kubernetes \
   --user=kubelet-bootstrap \
   --kubeconfig=bootstrap.kubeconfig
Context "default" created.

Select the default context

[root@linux-node1 ssl]# kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
Switched to context "default".
[root@linux-node1 ssl]# cp bootstrap.kubeconfig /opt/kubernetes/cfg
[root@linux-node1 ssl]# scp bootstrap.kubeconfig 118.190.201.12:/opt/kubernetes/cfg
[root@linux-node1 ssl]# scp bootstrap.kubeconfig 118.190.201.13:/opt/kubernetes/cfg

bootstrap.kubeconfig contains the bootstrap token in clear text; it is only needed until the node has obtained its own certificate (kubelet.kubeconfig), so keep it at mode 0600 and remove it from the nodes afterwards.

4. Configure CNI support (CNI is the plugin interface Kubernetes uses for pod networking)

~]# mkdir -p /etc/cni/net.d  ### on all nodes
[root@linux-node1 ~]# vim /etc/cni/net.d/10-default.conf
{
        "name": "flannel",
        "type": "flannel",
        "delegate": {
            "bridge": "docker0",
            "isDefaultGateway": true,
            "mtu": 1400
        }
}
[root@linux-node1 ~]# scp /etc/cni/net.d/10-default.conf 118.190.201.12:/etc/cni/net.d/10-default.conf
[root@linux-node1 ~]# scp /etc/cni/net.d/10-default.conf 118.190.201.13:/etc/cni/net.d/10-default.conf

5. Create the kubelet directory

~]# mkdir /var/lib/kubelet  ### on the node nodes

6. Create the kubelet service unit

[root@linux-node1 ~]# vim /usr/lib/systemd/system/kubelet.service  ### create the file on node1, but do not start the service there (node1 is the master)
[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=docker.service
Requires=docker.service

[Service]
WorkingDirectory=/var/lib/kubelet
ExecStart=/opt/kubernetes/bin/kubelet \
 --address=118.190.201.11 \
 --hostname-override=118.190.201.11 \
 --pod-infra-container-image=mirrorgooglecontainers/pause-amd64:3.0 \
 --experimental-bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \
 --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \
 --cert-dir=/opt/kubernetes/ssl \
 --network-plugin=cni \
 --cni-conf-dir=/etc/cni/net.d \
 --cni-bin-dir=/opt/kubernetes/bin/cni \
 --cluster-dns=10.1.0.2 \
 --cluster-domain=cluster.local. \
 --hairpin-mode hairpin-veth \
 --allow-privileged=true \
 --fail-swap-on=false \
 --v=2 \
 --logtostderr=false \
 --log-dir=/opt/kubernetes/log
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Two fixes relative to the original unit: it listed --logtostderr twice (true, then false; the last one wins, so the duplicate is dropped), and it had no [Install] section, without which "systemctl enable kubelet" fails. Two things to know about what is still there. The pause image is pulled from a third-party mirror on Docker Hub (mirrorgooglecontainers); every pod's network namespace is built on that container, so pin it by digest or pull it from the upstream registry where that is reachable. And the kubelet's own API on port 10250 runs here with the kubelet defaults, --anonymous-auth=true and --authorization-mode=AlwaysAllow, so anything that can reach 10250 on a node can list its pods and exec into them. Once the cluster is up, add --anonymous-auth=false --client-ca-file=/opt/kubernetes/ssl/ca.pem --authorization-mode=Webhook to the kubelet; the API server then has to present a client certificate to the kubelet (--kubelet-client-certificate=/opt/kubernetes/ssl/kubernetes.pem --kubelet-client-key=/opt/kubernetes/ssl/kubernetes-key.pem, valid because the profile includes client auth) and its user "kubernetes" needs the system:kubelet-api-admin ClusterRole bound to it so that kubectl logs and kubectl exec keep working.

### Copy to the node nodes and change the listen address
[root@linux-node1 ~]# scp /usr/lib/systemd/system/kubelet.service 118.190.201.12:/usr/lib/systemd/system/kubelet.service
[root@linux-node1 ~]# scp /usr/lib/systemd/system/kubelet.service 118.190.201.13:/usr/lib/systemd/system/kubelet.service

### On each node, replace the address with the node's own
[root@linux-node2 ~]# sed -i 's#118.190.201.11#118.190.201.12#g' /usr/lib/systemd/system/kubelet.service
[root@linux-node3 ~]# sed -i 's#118.190.201.11#118.190.201.13#g' /usr/lib/systemd/system/kubelet.service

7. Start the kubelet on the node nodes (node2 and node3)

~]# systemctl daemon-reload
~]# systemctl enable kubelet
~]# systemctl start kubelet
~]# systemctl status kubelet

8. View the CSRs (run this on linux-node1)

[root@linux-node1 ~]# kubectl get csr  ### a newly started kubelet requests its certificate from the API server before it can join
NAME                                                   AGE       REQUESTOR           CONDITION
node-csr-HVCroDqY44NHqb5sb8P8qinL-Zbn4EdTmHSKKMxdzWg   2m        kubelet-bootstrap   Pending
node-csr-m1uxZc8r-SF8wJDBb3X2tbekjO5UrOVJqSBt_N47u9g   2m        kubelet-bootstrap   Pending

9. Approve the kubelets' TLS certificate requests

[root@linux-node1 ~]# kubectl get csr|grep 'Pending' | awk 'NR>0{print $1}'| xargs kubectl certificate approve

This approves every pending CSR without looking at it. Anyone holding the bootstrap token can submit a CSR too, and an approved node certificate is a node identity, so before approving at least confirm that REQUESTOR is kubelet-bootstrap and that the number of pending requests equals the number of nodes you just started.
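A more selective approval helper, added here as an example and not part of the original page: it approves a CSR only when its requester is the bootstrap user, its name carries the node-csr- prefix the kubelet uses, and the subject inside the request is system:node:<address> for an address in an allow-list of nodes you actually started. The allow-list, the variable and function names are this example's own assumptions; the kubectl and openssl invocations are standard. The unit tests feed it constructed "kubectl get csr" output modelled on the listing above.

```shell
#!/bin/sh
# Added example (not part of the original page): approve only the kubelet
# bootstrap CSRs that belong to nodes you expect, instead of every Pending CSR.
set -u

BOOTSTRAP_USER=kubelet-bootstrap                 # user name from bootstrap-token.csv
ALLOWED_NODES='118.190.201.12 118.190.201.13'    # --hostname-override values of the nodes

# select_csrs: stdin is "kubectl get csr --no-headers" output
# (NAME AGE REQUESTOR CONDITION); print the names that are Pending, were
# requested by the bootstrap user and are named like a kubelet bootstrap CSR.
select_csrs() {
    awk -v u="$BOOTSTRAP_USER" '$3 == u && $4 == "Pending" && $1 ~ /^node-csr-/ { print $1 }'
}

# csr_cn: stdin is a PEM CSR; print its subject CN. Handles both subject
# formats openssl prints ("/O=x/CN=y" and "O = x, CN = y").
csr_cn() {
    openssl req -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# allowed_node CN: exit 0 if CN is system:node:<one of ALLOWED_NODES>.
allowed_node() {
    case "$1" in
        system:node:*) ;;
        *) return 1 ;;
    esac
    host=${1#system:node:}
    for n in $ALLOWED_NODES; do
        [ "$n" = "$host" ] && return 0
    done
    return 1
}

# approve_pending: run on node1 with the admin kubeconfig. Decodes each
# candidate CSR and approves it only when its subject names an expected node;
# anything else is listed for a human to look at.
approve_pending() {
    kubectl get csr --no-headers | select_csrs | while read -r name; do
        cn=$(kubectl get csr "$name" -o jsonpath='{.spec.request}' | base64 -d | csr_cn)
        if allowed_node "$cn"; then
            kubectl certificate approve "$name"
        else
            printf 'SKIP %s: subject "%s" is not an expected node\n' "$name" "$cn"
        fi
    done
}

# Usage: approve_pending
```

Once all nodes have their certificates, the bootstrap path can be closed: delete the kubelet-bootstrap ClusterRoleBinding created in step 2 or replace the token in bootstrap-token.csv, and re-add them only when a new node is joined.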

10. Afterwards the nodes show as Ready

[root@linux-node1 ~]# kubectl get node
NAME             STATUS    ROLES     AGE       VERSION
118.190.201.12   Ready     <none>    2m        v1.10.1
118.190.201.13   Ready     <none>    2m        v1.10.1

4.2 Deploying kube-proxy

1. Install the packages kube-proxy needs for LVS (IPVS) mode

~]# yum install -y ipvsadm ipset conntrack  ### needed on the node nodes; in this lab installed on all nodes

2. Create the kube-proxy certificate signing request

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim kube-proxy-csr.json
{
  "CN": "system:kube-proxy",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

The CN is not arbitrary: the built-in system:node-proxier ClusterRoleBinding grants the user system:kube-proxy exactly the read access to Services and Endpoints that kube-proxy needs, so a certificate with this CN works without any further RBAC setup.

3. Generate the certificate

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes  kube-proxy-csr.json | cfssljson -bare kube-proxy

4. Distribute the certificate to all node nodes

[root@linux-node1 ssl]# cp kube-proxy*.pem /opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kube-proxy*.pem 118.190.201.12:/opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp kube-proxy*.pem 118.190.201.13:/opt/kubernetes/ssl/

5. Create the kube-proxy kubeconfig

[root@linux-node1 ssl]# kubectl config set-cluster kubernetes \
   --certificate-authority=/opt/kubernetes/ssl/ca.pem \
   --embed-certs=true \
   --server=https://118.190.201.11:6443 \
   --kubeconfig=kube-proxy.kubeconfig
Cluster "kubernetes" set.

[root@linux-node1 ssl]# kubectl config set-credentials kube-proxy \
   --client-certificate=/opt/kubernetes/ssl/kube-proxy.pem \
   --client-key=/opt/kubernetes/ssl/kube-proxy-key.pem \
   --embed-certs=true \
   --kubeconfig=kube-proxy.kubeconfig
User "kube-proxy" set.

[root@linux-node1 ssl]# kubectl config set-context default \
   --cluster=kubernetes \
   --user=kube-proxy \
   --kubeconfig=kube-proxy.kubeconfig
Context "default" created.

[root@linux-node1 ssl]# kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
Switched to context "default".

6. Distribute the kubeconfig file

[root@linux-node1 ssl]# cp kube-proxy.kubeconfig /opt/kubernetes/cfg/
[root@linux-node1 ssl]# scp kube-proxy.kubeconfig 118.190.201.12:/opt/kubernetes/cfg/
[root@linux-node1 ssl]# scp kube-proxy.kubeconfig 118.190.201.13:/opt/kubernetes/cfg/

7. Create the kube-proxy service unit

~]# mkdir /var/lib/kube-proxy    ### working directory for kube-proxy; create on all nodes
[root@linux-node1 ~]# vim /usr/lib/systemd/system/kube-proxy.service  ### create the unit on node1, but do not start it there
[Unit]
Description=Kubernetes Kube-Proxy Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target

[Service]
WorkingDirectory=/var/lib/kube-proxy
ExecStart=/opt/kubernetes/bin/kube-proxy \
 --bind-address=118.190.201.11 \
 --hostname-override=118.190.201.11 \
 --kubeconfig=/opt/kubernetes/cfg/kube-proxy.kubeconfig \
 --masquerade-all \
 --feature-gates=SupportIPVSProxyMode=true \
 --proxy-mode=ipvs \
 --ipvs-min-sync-period=5s \
 --ipvs-sync-period=5s \
 --ipvs-scheduler=rr \
 --v=2 \
 --logtostderr=false \
 --log-dir=/opt/kubernetes/log

Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

As in the kubelet unit, the original listed --logtostderr twice; the duplicate is dropped here. --proxy-mode=ipvs with the SupportIPVSProxyMode gate selects LVS instead of iptables rules; it needs the ip_vs kernel modules, which the ipvsadm package pulls in.

### Copy to the other nodes and change the listen address
[root@linux-node1 ~]# scp /usr/lib/systemd/system/kube-proxy.service 118.190.201.12:/usr/lib/systemd/system/kube-proxy.service
[root@linux-node1 ~]# scp /usr/lib/systemd/system/kube-proxy.service 118.190.201.13:/usr/lib/systemd/system/kube-proxy.service
### Replace the address with the node's own
[root@linux-node2 ~]# sed -i 's#118.190.201.11#118.190.201.12#g' /usr/lib/systemd/system/kube-proxy.service
[root@linux-node3 ~]# sed -i 's#118.190.201.11#118.190.201.13#g' /usr/lib/systemd/system/kube-proxy.service

8. Start kube-proxy

### Not started on node1
~]# systemctl daemon-reload
~]# systemctl enable kube-proxy
~]# systemctl start kube-proxy
~]# systemctl status kube-proxy

9. Check the kube-proxy state

### Check the LVS (IPVS) table
[root@linux-node3 ~]# ipvsadm -L -n
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr persistent 10800
  -> 118.190.201.11:6443          Masq    1      0          0     
### Traffic to 10.1.0.1:443 (the kubernetes Service) is forwarded to the API Server at 118.190.201.11:6443

10. Check the node state with

[root@linux-node1 ~]# kubectl get node
NAME             STATUS    ROLES     AGE       VERSION
118.190.201.12   Ready     <none>    4h        v1.10.1
118.190.201.13   Ready     <none>    4h        v1.10.1

5. Flannel Network Deployment

5.1 Flannel Network Deployment

Before the Flannel steps, a short review of the core Kubernetes objects:

Replication Controller (RC)

  • The RC is the earliest Kubernetes API object for keeping Pods highly available. It watches the running Pods and keeps the number of replicas at the specified count.
  • The count can be one or many: with fewer than specified, the RC starts new replicas; with more, it kills the surplus Pods.
  • Even with a count of 1, running a Pod through an RC is wiser than running it directly, because the RC still provides availability: there is always one Pod running.

Replica Set (RS), introduced because the RC was considered too limited

  • The RS is the next-generation RC with the same availability guarantee; the difference is that it supports richer selector matching. A ReplicaSet is rarely used on its own; it normally serves as the desired-state parameter of a Deployment.
  • It appeared in Kubernetes 1.2 as an upgrade of the RC and is generally used together with a Deployment.

Deployment

  • A Deployment represents one update operation by the user against the cluster; it is a broader API object than the RS.
  • It may create a new service, update a service, or roll it over: a rolling upgrade is the compound operation of creating a new RS, growing its replica count to the desired state and shrinking the old RS to 0.
  • Such a compound operation is awkward to express with a single RS, hence the more general Deployment.

Service

  • RC, RS and Deployment only guarantee the number of Pods backing a service; they do not solve how to reach them. A Pod is one running instance of a service: it may stop on one node at any time and be replaced by a new Pod with a new IP on another node, so it cannot offer a service at a fixed IP and port.
  • Providing a service reliably needs service discovery and load balancing. Service discovery finds, for the service a client asks for, the backend instances behind it.
  • In a Kubernetes cluster the thing a client reaches is the Service object; each Service has a virtual IP valid inside the cluster, through which the service is accessed.

IP addresses in Kubernetes

  • Node IP: the real IP of the host device (physical machine, virtual machine) running the containers.
  • Pod IP: the Pod's address, allocated from the docker0 network range (here handed out by Flannel).
  • Cluster IP: the Service's virtual IP. It exists only for the Service object, is managed and allocated by Kubernetes, and is usable only together with the service port; the IP alone cannot communicate, and reaching it from outside the cluster needs extra configuration.
  • Inside the cluster, traffic between Node IPs, Pod IPs and Cluster IPs follows rules programmed by Kubernetes (kube-proxy's IPVS or iptables rules and the routes the network plugin installs), not ordinary IP routing.

1. Generate a certificate for Flannel

[root@linux-node1 ~]# cd /usr/local/src/ssl/
[root@linux-node1 ssl]# vim flanneld-csr.json
{
  "CN": "flanneld",
  "hosts": [],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "ST": "BeiJing",
      "L": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}

2. Generate the certificate

[root@linux-node1 ssl]# cfssl gencert -ca=/opt/kubernetes/ssl/ca.pem \
   -ca-key=/opt/kubernetes/ssl/ca-key.pem \
   -config=/opt/kubernetes/ssl/ca-config.json \
   -profile=kubernetes flanneld-csr.json | cfssljson -bare flanneld

3. Distribute the certificate

[root@linux-node1 ssl]# cp flanneld*.pem /opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp flanneld*.pem 118.190.201.12:/opt/kubernetes/ssl/
[root@linux-node1 ssl]# scp flanneld*.pem 118.190.201.13:/opt/kubernetes/ssl/

flanneld uses this certificate as a client certificate towards etcd, which is required now that etcd enforces client certificate authentication. etcd's certificate check only establishes that a client was issued by the cluster CA; it does not limit which keys the client may touch. Every node therefore holds, in flanneld-key.pem, a credential with read and write access to the entire etcd keyspace, including the Kubernetes objects the API server stores there (Secrets are stored unencrypted unless encryption at rest is configured). Compromising a worker node in this layout is equivalent to compromising the cluster's datastore; separating the Flannel etcd from the Kubernetes etcd, or using etcd's own authentication with per-user key prefixes, removes that equivalence.

4. Download the Flannel package

[root@linux-node1 ~]# cd /usr/local/src
[root@linux-node1 src]# wget https://github.com/coreos/flannel/releases/download/v0.10.0/flannel-v0.10.0-linux-amd64.tar.gz
[root@linux-node1 src]# tar zxf flannel-v0.10.0-linux-amd64.tar.gz
[root@linux-node1 src]# cp flanneld mk-docker-opts.sh /opt/kubernetes/bin/

## Copy to node2 and node3
[root@linux-node1 src]# scp flanneld mk-docker-opts.sh 118.190.201.12:/opt/kubernetes/bin/
[root@linux-node1 src]# scp flanneld mk-docker-opts.sh 118.190.201.13:/opt/kubernetes/bin/

## Copy the helper script into /opt/kubernetes/bin
[root@linux-node1 ~]# cd /usr/local/src/kubernetes/cluster/centos/node/bin/
[root@linux-node1 bin]# cp remove-docker0.sh /opt/kubernetes/bin/
[root@linux-node1 bin]# scp remove-docker0.sh 118.190.201.12:/opt/kubernetes/bin/
[root@linux-node1 bin]# scp remove-docker0.sh 118.190.201.13:/opt/kubernetes/bin/

5. Configure Flannel

[root@linux-node1 ~]# vim /opt/kubernetes/cfg/flannel
FLANNEL_ETCD="-etcd-endpoints=https://118.190.201.11:2379,https://118.190.201.12:2379,https://118.190.201.13:2379"
FLANNEL_ETCD_KEY="-etcd-prefix=/kubernetes/network"
FLANNEL_ETCD_CAFILE="--etcd-cafile=/opt/kubernetes/ssl/ca.pem"
FLANNEL_ETCD_CERTFILE="--etcd-certfile=/opt/kubernetes/ssl/flanneld.pem"
FLANNEL_ETCD_KEYFILE="--etcd-keyfile=/opt/kubernetes/ssl/flanneld-key.pem"
## Copy the configuration to the other nodes
[root@linux-node1 ~]# scp /opt/kubernetes/cfg/flannel 118.190.201.12:/opt/kubernetes/cfg/
[root@linux-node1 ~]# scp /opt/kubernetes/cfg/flannel 118.190.201.13:/opt/kubernetes/cfg/

6. Set up the Flannel systemd service

[root@linux-node1 ~]# vim /usr/lib/systemd/system/flannel.service
[Unit]
Description=Flanneld overlay address etcd agent
After=network.target
Before=docker.service

[Service]
EnvironmentFile=-/opt/kubernetes/cfg/flannel
ExecStartPre=/opt/kubernetes/bin/remove-docker0.sh
ExecStart=/opt/kubernetes/bin/flanneld ${FLANNEL_ETCD} ${FLANNEL_ETCD_KEY} ${FLANNEL_ETCD_CAFILE} ${FLANNEL_ETCD_CERTFILE} ${FLANNEL_ETCD_KEYFILE}
ExecStartPost=/opt/kubernetes/bin/mk-docker-opts.sh -d /run/flannel/docker

Type=notify

[Install]
WantedBy=multi-user.target
RequiredBy=docker.service

Copy the unit file to the other nodes
# scp /usr/lib/systemd/system/flannel.service 118.190.201.12:/usr/lib/systemd/system/
# scp /usr/lib/systemd/system/flannel.service 118.190.201.13:/usr/lib/systemd/system/

5.2 Flannel CNI integration

1. Download the CNI plugins

https://github.com/containernetworking/plugins/releases
 [root@linux-node1 ~]# cd /usr/local/src/
 [root@linux-node1 /usr/local/src]# wget https://github.com/containernetworking/plugins/releases/download/v0.7.1/cni-plugins-amd64-v0.7.1.tgz
 [root@linux-node1 ~]# mkdir /opt/kubernetes/bin/cni   ### create on all nodes
 [root@linux-node1 src]# tar zxf cni-plugins-amd64-v0.7.1.tgz -C /opt/kubernetes/bin/cni
 # scp -r /opt/kubernetes/bin/cni/* 118.190.201.12:/opt/kubernetes/bin/cni/
 # scp -r /opt/kubernetes/bin/cni/* 118.190.201.13:/opt/kubernetes/bin/cni/

2. Create the etcd key (defines the Pod network); run on one node only

/opt/kubernetes/bin/etcdctl --ca-file /opt/kubernetes/ssl/ca.pem --cert-file /opt/kubernetes/ssl/flanneld.pem --key-file /opt/kubernetes/ssl/flanneld-key.pem \
 --no-sync -C https://118.190.201.11:2379,https://118.190.201.12:2379,https://118.190.201.13:2379 \
mk /kubernetes/network/config '{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "VNI": 1 }}' >/dev/null 2>&1
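The JSON written to /kubernetes/network/config is the only place where the Pod network is defined, and the three address ranges described earlier (Node IP, Pod IP, Cluster IP) must not overlap, because k8s routes between them with its own rules. The following Python check is an added example, not part of the tutorial or of flannel: it validates the config before it is written to etcd. The node network /24 and the Service CIDR are assumptions made for the example (the tutorial only shows individual Node IPs and Cluster IPs).

```python
"""Validate a Flannel network config before it is written to etcd.

Added example, not part of the tutorial: the pod network is checked against
the node network and the Service (Cluster IP) range so that the three
address spaces described above never overlap.
"""
import ipaddress
import json

# Pod network JSON exactly as the tutorial writes it to /kubernetes/network/config.
FLANNEL_CONFIG = '{ "Network": "10.2.0.0/16", "Backend": { "Type": "vxlan", "VNI": 1 }}'
# Assumptions for this example: the /24 holding the three nodes, and the range
# the Cluster IPs seen later (10.1.0.1, 10.1.157.91) are allocated from.
NODE_NETWORK = "118.190.201.0/24"
SERVICE_CIDR = "10.1.0.0/16"
SUPPORTED_BACKENDS = {"vxlan", "host-gw", "udp"}


def check_flannel_config(config_json, node_cidr, service_cidr):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    try:
        cfg = json.loads(config_json)
    except ValueError as exc:
        return [f"config is not valid JSON: {exc}"]

    try:
        pod_net = ipaddress.ip_network(cfg["Network"], strict=True)
    except (KeyError, TypeError, ValueError) as exc:
        return [f"Network is missing or not a valid CIDR: {exc}"]

    # flanneld hands every node a /24 by default; this script's own rule is to
    # require room for at least four of them.
    if pod_net.prefixlen > 22:
        problems.append(f"pod network {pod_net} is too small for per-node /24 subnets")

    # Node IP, Pod IP and Cluster IP are routed by rules k8s programs, so any
    # overlap between the ranges produces ambiguous routes.
    for name, cidr in (("node network", node_cidr), ("service CIDR", service_cidr)):
        other = ipaddress.ip_network(cidr, strict=False)
        if pod_net.overlaps(other):
            problems.append(f"pod network {pod_net} overlaps {name} {other}")

    backend = cfg.get("Backend", {})
    btype = backend.get("Type")
    if btype not in SUPPORTED_BACKENDS:
        problems.append(f"unsupported backend type: {btype!r}")
    elif btype == "vxlan" and not isinstance(backend.get("VNI", 1), int):
        problems.append("vxlan VNI must be an integer")
    return problems


if __name__ == "__main__":
    for line in check_flannel_config(FLANNEL_CONFIG, NODE_NETWORK, SERVICE_CIDR) or ["config OK"]:
        print(line)
```

Run it before the etcdctl mk command above; an empty problem list means the pod network neither collides with the nodes' own subnet nor with the range the API server hands out Cluster IPs from.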

3. Start flannel on all nodes

systemctl daemon-reload
systemctl enable flannel
chmod +x /opt/kubernetes/bin/*
systemctl start flannel
systemctl status flannel

5.3 Configure Docker to use Flannel

[root@linux-node1 ~]# vim /usr/lib/systemd/system/docker.service
[Unit] # under [Unit], change After and add Requires
After=network-online.target firewalld.service flannel.service
Wants=network-online.target
Requires=flannel.service

[Service] # add EnvironmentFile=-/run/flannel/docker
Type=notify
EnvironmentFile=-/run/flannel/docker
ExecStart=/usr/bin/dockerd $DOCKER_OPTS

1. Copy the configuration to the other two nodes

# scp /usr/lib/systemd/system/docker.service 118.190.201.12:/usr/lib/systemd/system/
# scp /usr/lib/systemd/system/docker.service 118.190.201.13:/usr/lib/systemd/system/

2. Restart Docker on all nodes

systemctl daemon-reload
systemctl restart docker
systemctl status docker
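The link between flannel and Docker in the unit above is the file /run/flannel/docker, which ExecStartPost=mk-docker-opts.sh generates from the lease flanneld wrote to /run/flannel/subnet.env, and which docker.service then expands as $DOCKER_OPTS. The following Python block is an added example showing that translation; it is not flannel's mk-docker-opts.sh. The subnet.env content is constructed to match the 10.2.44.x pod IPs seen on node2 later in the tutorial, and the concrete MTU and IPMASQ values are assumptions.

```python
"""Derive Docker daemon options from Flannel's subnet.env.

Added example: a Python rendition of what mk-docker-opts.sh does in this
tutorial's setup, not flannel's own script. The subnet.env content below is
constructed to match the pod IPs seen on node2 (10.2.44.x).
"""
import ipaddress

# Constructed /run/flannel/subnet.env as flanneld writes it on node2 (the key
# names are flannel's; the concrete values are an assumption for this example).
SUBNET_ENV = """\
FLANNEL_NETWORK=10.2.0.0/16
FLANNEL_SUBNET=10.2.44.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true
"""


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


def docker_opts(subnet_env):
    """Build the DOCKER_OPTS string that docker.service expands in ExecStart."""
    env = parse_env(subnet_env)
    network = ipaddress.ip_network(env["FLANNEL_NETWORK"])
    bridge = ipaddress.ip_interface(env["FLANNEL_SUBNET"])
    # The per-node /24 handed out by flanneld must lie inside the pod network
    # written to etcd, otherwise other nodes have no route to this node's pods.
    if not bridge.network.subnet_of(network):
        raise ValueError(f"{bridge} is not inside the Flannel network {network}")

    # --bip makes docker0 use the flannel-assigned subnet, so Pod IPs are
    # allocated from this node's lease (the "docker0 network IP range" above).
    opts = [f"--bip={bridge.with_prefixlen}"]
    # When flanneld masquerades outbound pod traffic itself, Docker's own
    # masquerading is switched off; otherwise pod-to-pod packets leave with the
    # node IP as source and the receiving pod never sees the real Pod IP.
    if env.get("FLANNEL_IPMASQ", "false").lower() == "true":
        opts.append("--ip-masq=false")
    # vxlan encapsulation costs header bytes, so flanneld reports a reduced MTU.
    opts.append(f"--mtu={int(env['FLANNEL_MTU'])}")
    return " ".join(opts)


def render_docker_env_file(subnet_env):
    """Content for /run/flannel/docker, consumed via EnvironmentFile=."""
    return f'DOCKER_OPTS="{docker_opts(subnet_env)}"\n'


if __name__ == "__main__":
    print(render_docker_env_file(SUBNET_ENV), end="")
```

If `systemctl status docker` shows the daemon started but docker0 still carries 172.17.0.1, the EnvironmentFile line was not picked up or /run/flannel/docker was never written; comparing the `--bip` value in `ps -ef | grep dockerd` with FLANNEL_SUBNET on that node is the quickest check.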

5.4 Create the first K8s application

1. Create a test deployment

[root@linux-node1 ~]# kubectl run net-test --image=alpine --replicas=2 sleep 360000

2. Check the IPs that were assigned

 [root@linux-node1 ~]# kubectl get pod -o wide
NAME                        READY     STATUS    RESTARTS   AGE       IP          NODE
net-test-5767cb94df-75g7v   1/1       Running   0          39s       10.2.44.2   118.190.201.12
net-test-5767cb94df-m26r2   1/1       Running   0          39s       10.2.18.2   118.190.201.13

3. Test connectivity

 [root@linux-node1 ~]# ping 10.2.44.2

4. Deploy an Nginx application

 [root@linux-node1 ~]# vim nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.10.3
        ports:
        - containerPort: 80

Create the containers

## create the containers
[root@linux-node1 ~]# kubectl create -f nginx-deployment.yaml 

### list deployments
 [root@linux-node1 ~]# kubectl get deployment

### show deployment details
 [root@linux-node1 ~]# kubectl describe deployment nginx-deployment

### show pod details
 [root@linux-node1 ~]# kubectl describe pod nginx-deployment-75d56bb955-7tbtx
 [root@linux-node1 ~]# kubectl get pod -o wide
NAME                                READY     STATUS    RESTARTS   AGE       IP          NODE
net-test-5767cb94df-75g7v           1/1       Running   0          2h        10.2.44.2   118.190.201.12
net-test-5767cb94df-m26r2           1/1       Running   0          2h        10.2.18.2   118.190.201.13
nginx-deployment-75d56bb955-524zh   1/1       Running   0          9m        10.2.44.3   118.190.201.12
nginx-deployment-75d56bb955-7tbtx   1/1       Running   0          9m        10.2.18.3   118.190.201.13
nginx-deployment-75d56bb955-gw28j   1/1       Running   0          9m        10.2.18.4   118.190.201.13

### test access to a pod
 [root@linux-node1 ~]# curl -I http://10.2.44.3
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Fri, 01 Feb 2019 12:43:11 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Tue, 31 Jan 2017 15:01:11 GMT
Connection: keep-alive
ETag: "5890a6b7-264"
Accept-Ranges: bytes

### update the deployment
 [root@linux-node1 ~]# kubectl set image deployment/nginx-deployment nginx=nginx:1.12.2 --record   ### --record saves the command in the rollout history

### view the updated Deployment
 [root@linux-node1 ~]# kubectl get deployment -o wide
NAME               DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE       CONTAINERS   IMAGES         SELECTOR
net-test           2         2         2            2           2h        net-test     alpine         run=net-test
nginx-deployment   3         4         1            3           18m       nginx        nginx:1.12.2   app=nginx

### view the rollout history
kubectl rollout history deployment/nginx-deployment
### view the details of one specific revision
kubectl rollout history deployment/nginx-deployment --revision=1
### quickly roll back to the previous revision
kubectl rollout undo deployment/nginx-deployment

1. Create a Service (because the Pod IPs change on every update)

 [root@linux-node1 ~]# vim nginx-services.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
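The Service only reaches the nginx pods because its selector (app: nginx) matches the labels of the Deployment's pod template, and its targetPort matches the containerPort; if either drifts, the Service is created without error but has no endpoints. The following Python check is an added example, not part of the tutorial: it cross-checks the two manifests above before `kubectl create`. The manifests are written as Python dicts with the same structure a YAML parser would produce, so the check runs without a cluster.

```python
"""Cross-check the Deployment and Service manifests before `kubectl create`.

Added example, not part of the tutorial: the two manifests above are
expressed as Python dicts (the same structure PyYAML would produce).
"""

# nginx-deployment.yaml from the tutorial, as a dict.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "nginx-deployment", "labels": {"app": "nginx"}},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "nginx"}},
        "template": {
            "metadata": {"labels": {"app": "nginx"}},
            "spec": {"containers": [{"name": "nginx", "image": "nginx:1.10.3",
                                     "ports": [{"containerPort": 80}]}]},
        },
    },
}

# nginx-services.yaml from the tutorial, as a dict.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "nginx-service"},
    "spec": {"selector": {"app": "nginx"},
             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}]},
}


def labels_match(selector, labels):
    """An equality selector matches when every selector key/value is present in labels."""
    return all(labels.get(k) == v for k, v in selector.items())


def image_tag(image):
    """Tag of an image reference; an untagged reference means 'latest'."""
    name = image.rsplit("/", 1)[-1]          # drop registry/namespace, keep "nginx:1.10.3"
    return name.split(":", 1)[1] if ":" in name else "latest"


def check_manifests(deployment, service):
    """Return a list of problems linking the Deployment and the Service."""
    problems = []
    tmpl = deployment["spec"]["template"]
    pod_labels = tmpl["metadata"].get("labels", {})

    # apps/v1 rejects a Deployment whose selector does not match its template.
    dep_selector = deployment["spec"].get("selector", {}).get("matchLabels", {})
    if not dep_selector:
        problems.append("deployment has no selector.matchLabels (apps/v1 requires one)")
    elif not labels_match(dep_selector, pod_labels):
        problems.append("deployment selector does not match its own pod template labels")

    containers = tmpl["spec"]["containers"]
    container_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}
    for c in containers:
        if image_tag(c["image"]) == "latest":
            problems.append(f"container {c['name']} uses a floating tag ({c['image']}); "
                            "pin a version so rollouts and rollbacks are reproducible")

    # The Service picks pods by label; a mismatch yields an empty Endpoints object.
    svc_selector = service["spec"].get("selector", {})
    if not svc_selector or not labels_match(svc_selector, pod_labels):
        problems.append("service selector matches no pods of this deployment (Endpoints would be empty)")
    for port in service["spec"]["ports"]:
        target = port.get("targetPort", port["port"])
        if isinstance(target, int) and target not in container_ports:
            problems.append(f"service targetPort {target} is not exposed by any container")
    return problems


if __name__ == "__main__":
    print(check_manifests(DEPLOYMENT, SERVICE) or ["manifests are consistent"])
```

After `kubectl create -f nginx-services.yaml`, the same relationship can be confirmed live with `kubectl get endpoints nginx-service`, which should list the three Pod IPs of the deployment.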

### create it
 [root@linux-node1 ~]# kubectl create -f nginx-services.yaml

### the created service
 [root@linux-node1 ~]# kubectl get service
NAME            TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
kubernetes      ClusterIP   10.1.0.1      <none>        443/TCP   14h
nginx-service   ClusterIP   10.1.157.91   <none>        80/TCP    51s

### access test through the Service
~]# curl -I http://10.1.157.91  ### node1 has no kube-proxy installed, so run this on node2 or node3
[root@linux-node2 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr persistent 10800
  -> 118.190.201.11:6443          Masq    1      0          0
TCP  10.1.157.91:80 rr  ### requests to 10.1.157.91:80 are forwarded to the real servers below
  -> 10.2.18.6:80                 Masq    1      0          0
  -> 10.2.18.7:80                 Masq    1      0          0
  -> 10.2.44.6:80                 Masq    1      0          0
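The ipvsadm listing is what kube-proxy in IPVS mode programs for each Service: the Cluster IP becomes a virtual server and every ready Pod IP becomes a real server with Masq (NAT) forwarding. A quick consistency check is to compare that table with the Pod IPs kubectl reports. The Python block below is an added example, not part of the tutorial: it parses `ipvsadm -Ln` output (the sample is constructed from the listing above, comments removed) and reports pods missing from IPVS or stale backends left behind. The pod list is an assumption for the example.

```python
"""Check that kube-proxy's IPVS table matches the pods behind a Service.

Added example, not part of the tutorial: parses `ipvsadm -Ln` output (sample
constructed from the listing above) and compares the real servers of the
nginx-service VIP with the Pod IPs kubectl reports (an assumed list).
"""
import re

IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.1.0.1:443 rr persistent 10800
  -> 118.190.201.11:6443          Masq    1      0          0
TCP  10.1.157.91:80 rr
  -> 10.2.18.6:80                 Masq    1      0          0
  -> 10.2.18.7:80                 Masq    1      0          0
  -> 10.2.44.6:80                 Masq    1      0          0
"""

# Pod IPs of the nginx deployment as kubectl would list them (assumption).
NGINX_POD_IPS = ["10.2.18.6", "10.2.18.7", "10.2.44.6"]
NGINX_VIP = "10.1.157.91:80"

# Virtual server line: proto, vip:port, scheduler, optional flags.
VS_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(.*?))?\s*$")
# Real server line: "-> addr:port Forward Weight ActiveConn InActConn".
RS_RE = re.compile(r"^\s*->\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_ipvsadm(text):
    """Return {(proto, 'vip:port'): {'scheduler', 'flags', 'backends': [...]}}."""
    services = {}
    current = None
    for line in text.splitlines():
        vs = VS_RE.match(line)
        if vs:
            proto, vip, sched, flags = vs.groups()
            current = {"scheduler": sched, "flags": flags or "", "backends": []}
            services[(proto, vip)] = current
            continue
        # The header "-> RemoteAddress:Port Forward Weight ..." has no numeric
        # columns, so RS_RE does not match it and it is skipped.
        rs = RS_RE.match(line)
        if rs and current is not None:
            addr, forward, weight, active, inactive = rs.groups()
            current["backends"].append({
                "addr": addr, "forward": forward, "weight": int(weight),
                "active": int(active), "inactive": int(inactive),
            })
    return services


def check_service_backends(services, vip, pod_ips, target_port):
    """Compare programmed real servers with the expected pod endpoints.

    Returns (missing, stale): pods kubectl knows but IPVS does not forward to,
    and IPVS backends that no longer correspond to a live pod.
    """
    entry = services.get(("TCP", vip))
    expected = {f"{ip}:{target_port}" for ip in pod_ips}
    if entry is None:
        return expected, set()
    programmed = {b["addr"] for b in entry["backends"]}
    return expected - programmed, programmed - expected


def non_masq_backends(services):
    """kube-proxy programs NAT (Masq) forwarding; anything else was not set by it."""
    return [b["addr"] for s in services.values() for b in s["backends"]
            if b["forward"] != "Masq"]


if __name__ == "__main__":
    table = parse_ipvsadm(IPVSADM_OUTPUT)
    print(check_service_backends(table, NGINX_VIP, NGINX_POD_IPS, 80))
```

On a live node the input comes from `ipvsadm -Ln` and the pod list from `kubectl get pod -l app=nginx -o wide`; a non-empty stale set after a rollout or scale-down means kube-proxy has not yet reconciled the Service, and a missing set means new pods are not receiving traffic.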

### quick scale-out
 [root@linux-node1 ~]# kubectl scale deployment nginx-deployment --replicas 5
 [root@linux-node1 ~]# kubectl get pod -o wide

Note on domestic (China) mirrors: # --pod-infra-container-image=registry.cn-hangzhou.aliyuncs.com/google-containers/pause-amd64:3.0 \

Unless otherwise stated, all articles are original to this site; please credit the source when reposting.