Configure the cluster on the master node
Create a new user jerry on the master:
$ useradd jerry # add the new user jerry
$ passwd jerry # set a password for the user
Grant the new user jerry superuser privileges by editing the /etc/sudoers file:
$ vi /etc/sudoers
In /etc/sudoers, find the line root ALL=(ALL) ALL, add jerry ALL=(ALL) ALL on the line below it, then enter the wq! command to save and exit.
Switch to the jerry user:
$ su - jerry
$ mkdir -p $HOME/.kube
$ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
$ sudo chown $(id -u):$(id -g) $HOME/.kube/config
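If jerry has not been granted superuser privileges, commands that require them fail with the message: jerry is not in the sudoers file. This incident will be reported.
From this point on, all kubectl commands must be run as a non-root user.
- Install the pod network on the master node
As the jerry user, add the flannel network: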
$ kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
podsecuritypolicy.policy/psp.flannel.unprivileged created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
List the nodes; at this point there is only the master node:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 11h v1.19.0
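The node machines now need to be added to the kubernetes network.
- Add a node
When the master was initialized earlier, the end of the output explained how to join a node to the kubernetes network. Run the following command on the node: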
$ kubeadm join 172.31.117.60:6443 --token 3wfvhr.zcstqjk1cr3ehft4 --discovery-token-ca-cert-hash sha256:07e2d554d807a5012a9dba6718b28081be235c2826ae2ffd0ee4c38a344f98f4
[preflight] Running pre-flight checks
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
[WARNING SystemVerification]: this Docker version is not on the list of validated versions: 20.10.5. Latest validated version: 19.03
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
- Certificate signing request was sent to apiserver and a response was received.
- The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
If you did not record the token, you can list all tokens on the master node:
$ kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
3wfvhr.zcstqjk1cr3ehft4 11h 2021-03-05T22:52:54+08:00 authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token
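TTL is the token's remaining validity; here it expires in 11 hours. A newly generated token is valid for 24 hours by default. If the token is shown as expired, or there is no token, generate a new one: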
$ kubeadm token create
W0306 15:29:51.837213 30203 configset.go:348] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
76mnmd.rips0ooplhrww3ur
Get the key hash, i.e. the discovery-token-ca-cert-hash value:
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
07e2d554d807a5012a9dba6718b28081be235c2826ae2ffd0ee4c38a344f98f4
On the master, get the kubernetes node information:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready master 12h v1.19.0
k8s-node1 Ready <none> 6m6s v1.19.0