- 概述
- 安装前提示
- 安装docker
- 安装kubeadm
- 安装kubernete集群master节点
- 安装 kubeadm/kubectl/kubelet组件
- 安装kubernete master节点
- 安装CNI网络插件
- 部署集群worker节点
- 安装dashboard
- 总结
kubeadm是一个部署kubernete集群的非常易用的工具,只需要2条命令kubeadm init和kubeadm join就可以搭建起kubernete的集群。它采用的方案是把kubelete直接部署在宿主机上,其他组件部署在容器中。
hostname |
内存 |
操作系统 |
虚拟类型 |
master |
4G |
2核 |
centos7 |
vmware |
worker1 |
4G |
2核 |
centos7 |
vmware |
3.安装系统时network里面的ens33要选择connection,如下图。不然安装安装后ens33没有ip地址,需要命令修改文件/etc/sysconfig/network-scripts/ifcfg-ens33中onboot=yes,之后执行命令service network restart
4.安装kubelet kubeadm kubectl组件时最好指定版本,阿里云不一定有最新版本,本文采用v1.17.3,详见后面内容。
docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm
rpm -ivh docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm rpm -ivh docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
yum install docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm yum install docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm
[root@worker1 docker]# rpm -ivh docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm warning: docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY Preparing... ################################# [100%] Updating / installing... 1:docker-ce-selinux-17.03.2.ce-1.el################################# [100%] Re-declaration of type docker_t Failed to create node Bad type declaration at /etc/selinux/targeted/tmp/modules/400/docker/cil:1 /usr/sbin/semodule: Failed! restorecon: lstat(/var/lib/docker) failed: No such file or directory warning: %post(docker-ce-selinux-17.03.2.ce-1.el7.centos.noarch) scriptlet failed, exit status 255 [root@worker1 docker]# rpm -ivh docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm warning: docker-ce-17.03.2.ce-1.el7.centos.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 621e9f35: NOKEY Preparing... ################################# [100%] Updating / installing... 1:docker-ce-17.03.2.ce-1.el7.centos################################# [100%] [root@worker1 docker]# docker -v Docker version 17.03.2-ce, build f5ec1e2
systemctl start docker.service
cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
yum install -y kubelet kubeadm kubectl
kubeadm init
再次执行kubeadm init命令,报如下错误:
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables swapoff -a
kubeadm init --image-repository registry.aliyuncs.com/google_containers
yum remove kubeadm.x86_64 kubectl.x86_64 kubelet.x86_64
yum install -y kubelet-1.17.3 kubeadm-1.17.3 kubectl-1.17.3
kubeadm init --image-repository registry.cn-hangzhou.aliyuncs.com/google_conta
kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version=v1.17.3 --pod-network-cidr=
[root@master docker]# kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version=v1.17.3 --pod-network-cidr= W0528 09:08:40.669505 24739 validation.go:28] Cannot validate kube-proxy config - no validator is available W0528 09:08:40.669664 24739 validation.go:28] Cannot validate kubelet config - no validator is available [init] Using Kubernetes version: v1.17.3 [preflight] Running pre-flight checks [WARNING Firewalld]: firewalld is active, please ensure ports [6443 10250] are open or your cluster may not function correctly [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service' [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING Hostname]: hostname "master" could not be reached [WARNING Hostname]: hostname "master": lookup master on server misbehaving [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service' [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] Generating "etcd/ca" certificate and key [certs] Generating "etcd/server" certificate and key [certs] etcd/server serving cert is signed for DNS names [master localhost] and IPs [ ::1] [certs] Generating "etcd/peer" certificate and key [certs] etcd/peer serving cert is signed for DNS names [master localhost] and IPs [ ::1] [certs] Generating "etcd/healthcheck-client" certificate and key [certs] Generating "apiserver-etcd-client" certificate and key [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" W0528 09:08:55.439922 24739 manifests.go:214] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC" [control-plane] Creating static Pod manifest for "kube-scheduler" W0528 09:08:55.442026 24739 manifests.go:214] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC" [etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [kubelet-check] Initial timeout of 40s passed. [apiclient] All control plane components are healthy after 217.504294 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config-1.17" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node master as control-plane by adding the label "node-role.kubernetes.io/master=''" [mark-control-plane] Marking the node master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: kw377c.z478de8wq0i41ksq [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join --token kw377c.z478de8wq0i41ksq \ --discovery-token-ca-cert-hash sha256:d32410d53b7b4546dd4cc4967b8e2c7779d5fd9244c8342b7f8ffa16e855a12f
[root@localhost docker]# kubectl get pods --all-namespaces The connection to the server localhost:8080 was refused - did you specify the right host or port?
mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config
执行这3条命令的原因是:Kubernetes 集群默认需要加密方式访问。将刚刚部署生成的 Kubernetes 集群的安全配置文件,保存到当前用户的.kube 目录下,kubectl 默认就会使用这个目录下的授权信息访问 Kubernetes 集群。
如果遇到问题:Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes") 也可以执行上面命令解决
[root@localhost docker]# kubectl get pods --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-9d85f5447-c9vg5 0/1 Pending 0 19h kube-system coredns-9d85f5447-w4w9n 0/1 Pending 0 19h kube-system etcd-localhost.localdomain 1/1 Running 0 19h kube-system kube-apiserver-localhost.localdomain 1/1 Running 0 19h kube-system kube-controller-manager-localhost.localdomain 1/1 Running 1 19h kube-system kube-proxy-zvq6z 1/1 Running 0 19h kube-system kube-scheduler-localhost.localdomain 1/1 Running
[root@localhost docker]# kubectl get nodes NAME STATUS ROLES AGE VERSION Master NotReady master 20h v1.17.3
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
[root@localhost k8s]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-9d85f5447-lcs5s 0/1 Running 0 5m31s coredns-9d85f5447-wllzv 0/1 Running 0 5m31s etcd-localhost.localdomain 1/1 Running 0 5m40s kube-apiserver-localhost.localdomain 1/1 Running 0 5m40s kube-controller-manager-localhost.localdomain 1/1 Running 0 5m40s kube-flannel-ds-amd64-9vv4m 1/1 Running 0 38s kube-proxy-qv6z5 1/1 Running 0 5m31s kube-scheduler-localhost.localdomain 1/1 Running 0 5m40s
[root@localhost flannel]# kubectl get node NAME STATUS ROLES AGE VERSION master Ready master 3m20s v1.17.3
注意:在部署过程中,可以会遇到网络失败的问题,这时候如果各种命令都不好解决,可以执行kubeadm reset 之后重新执行init过程
部署worker节点比部署master节点简单,不用运行 kube-apiserver、kube-scheduler、kube-controller-manger这3个节点。
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables swapoff -a
kubeadm join --token kw377c.z478de8wq0i41ksq --discovery-toke
systemctl stop firewalld service iptables stop
[root@localhost pki]# kubeadm join --token kw377c.z478de8wq0i41ksq --discovery-token-ca-cert-hash sha256:d32410d53b7b4546dd4cc4967b8e2c7779d5fd9244c8342b7f8ffa16e855a12f W0527 13:15:35.059010 18952 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set. [preflight] Running pre-flight checks [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' [kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.17" ConfigMap in the kube-system namespace [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... [kubelet-check] Initial timeout of 40s passed. [kubelet-check] It seems like the kubelet isn't running or healthy. [kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10248/healthz' failed with error: Get http://localhost:10248/healthz: dial tcp [::1]:10248: connect: connection refused. [kubelet-check] It seems like the kubelet isn't running or healthy. [kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10248/healthz' failed with error: Get http://localhost:10248/healthz: dial tcp [::1]:10248: connect: connection refused. [kubelet-check] It seems like the kubelet isn't running or healthy. [kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10248/healthz' failed with error: Get http://localhost:10248/healthz: dial tcp [::1]:10248: connect: connection refused. [kubelet-check] It seems like the kubelet isn't running or healthy. [kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10248/healthz' failed with error: Get http://localhost:10248/healthz: dial tcp [::1]:10248: connect: connection refused. [kubelet-check] It seems like the kubelet isn't running or healthy. [kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10248/healthz' failed with error: Get http://localhost:10248/healthz: dial tcp [::1]:10248: connect: connection refused. Unfortunately, an error has occurred: timed out waiting for the condition This error is likely caused by: - The kubelet is not running - The kubelet is unhealthy due to a misconfiguration of the node in some way (required cgroups disabled) If you are on a systemd-powered system, you can try to troubleshoot the error with the following commands: - 'systemctl status kubelet' - 'journalctl -xeu kubelet' error execution phase kubelet-start: timed out waiting for the condition To see the stack trace of this error execute with --v=5 or higher
从日志中可以看出,kubelete启动异常,这个原因是因为这个虚机上我之前搭建过minikube。我尝试了多种方式删除之前的环境,但是都没有成功。只能重新装系统了。我给这个虚机重新装了系统后,重新安装docker,kubeadm,之后执行kubectl join命令,结果如下:
[root@worker1 ~]# kubeadm join --token kw377c.z478de8wq0i41ksq --discovery-token-ca-cert-hash sha256:d32410d53b7b4546dd4cc4967b8e2c7779d5fd9244c8342b7f8ffa16e855a12f W0528 21:57:11.003270 16810 join.go:346] [preflight] WARNING: JoinControlPane.controlPlane settings will be ignored when control-plane flag is not set. [preflight] Running pre-flight checks [WARNING Service-Docker]: docker service is not enabled, please run 'systemctl enable docker.service' [WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING Hostname]: hostname "worker1" could not be reached [WARNING Hostname]: hostname "worker1": lookup worker1 on server misbehaving [WARNING Service-Kubelet]: kubelet service is not enabled, please run 'systemctl enable kubelet.service' [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml' [kubelet-start] Downloading configuration for the kubelet from the "kubelet-config-1.17" ConfigMap in the kube-system namespace [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Starting the kubelet [kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap... This node has joined the cluster: * Certificate signing request was sent to apiserver and a response was received. * The Kubelet was informed of the new secure connection details. Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
在master节点上执行kubectl get nodes结果如下:
[root@master ~]# kubectl get node NAME STATUS ROLES AGE VERSION master Ready master 12h v1.17.3 worker1 Ready <none> 29s v1.17.3
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.
[root@master kubernetes]# kubectl logs kubernetes-dashboard-64999dbccd-gmk5x --namespace=kubernetes-dashboard Error from server: Get dial tcp connect: no route to host
initializing csrf token from kubernetes-dashboard-csrf secret panic: Get https://10
改好yaml文件后,执行kubectl apply -f recommended.yaml 安装成功
kubectl create serviceaccount dashboard-admin -n kube-system kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk ‘/dashboard-admin/{print $1}‘)
Type: kubernetes.io/service-account-token Data ==== ca.crt: 1025 bytes namespace: 11 bytes token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkF5bjJEM3g0cjJCS282TlNCcjU0aVdTRE4wT0JqaE05LUxuODlTRFVkR1UifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjbHVzdGVycm9sZS1hZ2dyZWdhdGlvbi1jb250cm9sbGVyLXRva2VuLWs2ejd2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNsdXN0ZXJyb2xlLWFnZ3JlZ2F0aW9uLWNvbnRyb2xsZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI2OWMyN2NlYy04MDY5LTRkOWItOTdkNi1lZjVjMzk5NGI1Y2IiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y2x1c3RlcnJvbGUtYWdncmVnYXRpb24tY29udHJvbGxlciJ9.BFORGRlEK7i7kPvGnDQDZKr5ow6feuWWymhor_BPecd1YUUMXnwDy9JvPPUizHMQnRxmA4HO-WlRcAcYXOFsWBQ9fz3KqLQuSJEDICz128XyA5bUEesS_MKqGTh7p4drc2OuduW7EHm2_UEs8g9SUeogTrp9JksQlEXUoln5TnactpzMr2J6w3hPKO85z3eUv_14f240kfYgN0jR6Q9owlDEcG27onNlDHvT2hGNs-9IJaBFSuPobf7zuJLY4GR2qkLGclszgFKHGsl8NObrS2c5_Ep7iQBBfw4STTCzuW5tG9gNKWzwXKwAnJTM2wu6oePBJ34df6rGAjzjXNlvHg Name: coredns-token-z26jv Namespace: kube-system Labels: <none> Annotations: kubernetes.io/service-account.name: coredns kubernetes.io/service-account.uid: ddd1ae67-1045-4674-8277-11f4ccee2e65 Type: kubernetes.io/service-account-token