三台:
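# Host preparation, run on all three machines. kubelet refuses to start while
# swap is on, and kube-proxy/CNI need bridged pod traffic to pass through iptables.
cd /etc/yum.repos.d
swapoff -a
# Comment out only swap entries that are not already commented, so re-running
# the step does not stack '#' characters.
sed -i '/^[^#].*swap/s/^/#/' /etc/fstab
# The net.bridge.* sysctls only exist once br_netfilter is loaded; without it
# `sysctl -p` fails and kubeadm preflight reports
# FileContent--proc-sys-net-bridge-bridge-nf-call-iptables. To survive reboots,
# also list the module in a file under /etc/modules-load.d/.
modprobe br_netfilter
# NOTE: this appends on every run; check /etc/sysctl.conf for duplicate lines
# before re-running.
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p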
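# Kubernetes yum repo via the Aliyun mirror. The original `cat < file` only
# read the file (and then tried to execute the INI lines as commands); a quoted
# here-doc writes the repo definition verbatim.
cat <<'EOF' > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
# Verify package signatures against the keys listed below instead of trusting
# whatever the mirror serves.
gpgcheck=1
# Repository-metadata signing stays off as in the original setup; enable it if
# the mirror serves signed repomd.xml.
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Unpinned: installs whatever is newest in the repo. For a reproducible cluster
# pin all three to one version (kubelet-<ver> kubeadm-<ver> kubectl-<ver>) and
# keep kubernetesVersion in init-config.yaml in step with it.
yum install -y kubelet kubeadm kubectl
# kubelet crash-loops until `kubeadm init`/`join` writes its config; that is expected.
systemctl enable kubelet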
master:
# Work from root's home; later steps refer to init-config.yaml relative to it.
cd ~
# Dump kubeadm's defaults and hand-edit them (the three edits listed below).
kubeadm config print init-defaults >init-config.yaml
# The defaults carry the well-known bootstrap token abcdef.0123456789abcdef.
# Delete the token field (kubeadm then generates a random one) or replace it
# before the cluster goes live: whoever knows the token can join nodes.
vim init-config.yaml
修改以下内容:
第12行:192.168.1.10
第32行:registry.aliyuncs.com/google_containers
第37行:192.168.2.0/24
# Copy the edited kubeadm config to both worker nodes. The join step below uses
# the token printed by `kubeadm init`, not this file, so this is for reference.
for worker in 192.168.1.11 192.168.1.12; do
  scp /root/init-config.yaml "${worker}:/root/"
done
阿里云加速docker拉取镜像(否则下载镜像时会很慢甚至卡顿):
# Point Docker at an Aliyun registry mirror so image pulls are not throttled.
# A mirror sits on the pull path: if it is not fully trusted, pull by digest
# (image@sha256:...) rather than by tag so a substituted image is rejected.
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<'EOF'
{
"registry-mirrors": ["https://aq63ygn3.mirror.aliyuncs.com"]
}
EOF
# daemon.json is only read at start-up, hence the restart.
sudo systemctl daemon-reload
sudo systemctl restart docker
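# Preview and pre-pull the control-plane images from the image repository set
# in init-config.yaml (same --config= form on both lines).
kubeadm config images list --config=init-config.yaml
kubeadm config images pull --config=init-config.yaml
# Bootstraps the control plane. The output ends with the `kubeadm join ...`
# command including the bootstrap token (24h TTL by default); keep that output
# where only admins can read it, or regenerate a join command later with
# `kubeadm token create --print-join-command`.
kubeadm init --config=init-config.yaml
# admin.conf is a cluster-admin credential: copy it for this user and make the
# copy readable by this user only.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"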
node1和node2复制上面显示的内容并运行:
例如:
kubeadm join 192.168.1.10:6443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash xxx4
可能遇到的错误:
ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables 设置错误导致kubeadm安装k8s失败
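# The preflight error means the bridge sysctls are unset, usually because the
# br_netfilter module is not loaded and /proc/sys/net/bridge does not exist yet.
# Load the module first, then set the two keys (sysctl -w writes the same
# /proc entries the original echo lines did).
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1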
部署 Calico 网络插件
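# Fetch the manifest to a local file first: the URL is unversioned and tracks
# the latest release, so a local copy can be reviewed and pinned, and the
# removal step (`kubectl delete -f calico.yaml`) then refers to a file that exists.
curl -fsSL -o calico.yaml https://docs.projectcalico.org/manifests/calico.yaml
# NOTE(review): Calico's IPv4 pool (CALICO_IPV4POOL_CIDR in the manifest) must
# match the pod subnet configured in init-config.yaml - confirm before applying.
kubectl apply -f calico.yaml
# Wait until calico-node and coredns pods are Running before deploying workloads.
kubectl get pods -n kube-system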
删除步骤:
删除K8s对象
# Remove every object the Calico manifest created (assumes calico.yaml is the
# same file that was applied).
kubectl delete --filename=calico.yaml
检查所有节点上的网络,看看是否存在Tunl0
# List interfaces on each node; a leftover tunl0 device means the ipip module
# used by Calico is still loaded.
ip address show
如果有Tunl0,将其删除
# Unload the ipip module (this removes tunl0); fails if something still uses it.
modprobe --remove ipip
移除Calico配置文件
# Show the CNI configuration directory so leftover Calico files can be spotted.
ls -- /etc/cni/net.d/
看看是否存在Calico相关的文件和目录,如:10-calico.conflist, calico-kubeconfig, calico-tls,如果有将其移除。
这时候整个Calico移除成功。
执行以下命令确认所有正在运行的 Pod 与 Node
# Confirm every node is Ready and every pod in every namespace is Running.
kubectl get nodes
kubectl get pod -A
创建服务
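kubectl create ns policy-demo
# The original `kubectl run --replicas=2 nginx` is dropped: the flag no longer
# exists in current kubectl (run is pod-only now), and on older kubectl it
# created a Deployment named nginx with a `run=nginx` selector that the
# manifest below (selector `app=nginx`) could not then be applied over, since
# Deployment selectors are immutable. The manifest alone creates the 2-replica
# Deployment this demo needs.
vim nginx-deployment.yaml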
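# Two-replica nginx Deployment in policy-demo; indentation restored (the
# flattened copy was not valid YAML).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        # Unpinned tag (latest); pin a version or digest outside of a demo.
        image: nginx
        ports:
        - containerPort: 80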
# Create the Deployment, front it with a ClusterIP Service named nginx, and list
# everything in the namespace.
kubectl apply --filename=nginx-deployment.yaml
kubectl expose deployment nginx --namespace=policy-demo --port=80
kubectl get all --namespace=policy-demo
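# Start a throwaway busybox pod and open a shell in it (--rm deletes the pod on
# exit). /bin/sh is the pod's command and belongs on the same line.
kubectl run --namespace=policy-demo access --rm -ti --image busybox /bin/sh
# Typed at the pod's prompt, not on the host: resolves the nginx Service through
# cluster DNS and prints the welcome page (no policy yet, so access succeeds).
wget -q nginx -O -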
<!DOCTYPE html>
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
# Separate namespace for the NetworkPolicy demo.
kubectl create namespace adv-policy-demo
vim -- nginx-dep.yaml
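# Same nginx Deployment as in policy-demo, in the adv-policy-demo namespace;
# indentation restored (the flattened copy was not valid YAML).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: adv-policy-demo
  labels:
    app: nginx
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        # Unpinned tag (latest); pin a version or digest outside of a demo.
        image: nginx
        ports:
        - containerPort: 80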
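kubectl apply -f nginx-dep.yaml
kubectl expose --namespace=adv-policy-demo deployment nginx --port=80
# Throwaway client pod; /bin/sh is the pod's command and belongs on the same line.
kubectl run --namespace=adv-policy-demo access --rm -ti --image busybox /bin/sh
# Typed at the pod's prompt. Baseline check before any policy: should print the
# nginx page. The timeout keeps the later denied case from hanging.
wget -q --timeout=5 nginx -O -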
拒绝所有入口流量:
# Write the default-deny ingress policy shown below into this file.
vim -- k8s.deny-all-input.yaml
添加内容:
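# Default-deny ingress for the namespace. NetworkPolicy is only enforced by a
# CNI that implements it (Calico here); without one the object is accepted but
# has no effect. Indentation restored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: adv-policy-demo
spec:
  # Empty selector: applies to every pod in adv-policy-demo.
  podSelector:
    matchLabels: {}
  # Only Ingress is listed, so egress from these pods is not restricted.
  policyTypes:
  - Ingress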
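kubectl create -f k8s.deny-all-input.yaml
# Throwaway client pod; /bin/sh is the pod's command and belongs on the same line.
kubectl run --namespace=adv-policy-demo access --rm -ti --image busybox /bin/sh
# Typed at the pod's prompt. With default-deny in place this must now time out
# ("download timed out"); if it still succeeds, the CNI is not enforcing policy.
wget -q --timeout=5 nginx -O -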
允许进入nginx的流量
# Write the allow-ingress-to-nginx policy shown below into this file.
vim -- k8s.allow-input.yaml
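# Allows ingress to the nginx pods from pods in the same namespace; evaluated
# together with default-deny-ingress (policies are additive). Indentation restored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: access-nginx
  namespace: adv-policy-demo
spec:
  podSelector:
    matchLabels:
      app: nginx
  ingress:
  - from:
    # Empty podSelector matches every pod in adv-policy-demo only, not other
    # namespaces. No ports are listed, so all ports are allowed from those peers.
    - podSelector:
        matchLabels: {}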
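kubectl create -f k8s.allow-input.yaml
# Throwaway client pod; /bin/sh is the pod's command and belongs on the same line.
kubectl run --namespace=adv-policy-demo access --rm -ti --image busybox /bin/sh
# Typed at the pod's prompt. The access pod is in the same namespace, so the
# allow policy applies and the nginx page is returned again.
wget -q --timeout=5 nginx -O -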
K8集群重新初始化:
master:
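# Tears down this node's control plane (asks for confirmation). kubeadm reset
# does not remove CNI configuration or iptables/IPVS rules: clear the CNI
# directory so the new cluster does not pick up the old Calico files, and flush
# iptables by hand if pod networking misbehaves afterwards.
kubeadm reset
rm -rf -- /etc/cni/net.d
# --upload-certs stores the control-plane certs in a secret and prints a
# short-lived certificate key; treat that key like the bootstrap token.
kubeadm init --config=init-config.yaml --upload-certs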
node1和node2(恢复快照重新安装软件):
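# Re-preparation of node1/node2 after restoring the snapshot; identical to the
# initial host preparation. The directory is /etc/yum.repos.d (the original
# `/etc/yum.repo` is a typo and does not exist).
cd /etc/yum.repos.d
swapoff -a
# Comment out only swap entries that are not already commented.
sed -i '/^[^#].*swap/s/^/#/' /etc/fstab
# The net.bridge.* sysctls only exist once br_netfilter is loaded.
modprobe br_netfilter
# NOTE: appends on every run; check /etc/sysctl.conf for duplicate lines.
cat << EOF >> /etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl -p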
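# Kubernetes yum repo via the Aliyun mirror. The original `cat < file` only
# read the file; a quoted here-doc writes the repo definition verbatim.
cat <<'EOF' > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
# Verify package signatures against the keys listed below.
gpgcheck=1
# Repository-metadata signing stays off as in the original setup; enable it if
# the mirror serves signed repomd.xml.
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
# Install the same pinned versions as the control plane (kubelet-<ver> etc.) so
# worker and master components do not drift apart after the reinstall.
yum install -y kubelet kubeadm kubectl
systemctl enable kubelet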
node1和node2重新复制上面显示的内容并运行:
例如:
kubeadm join 192.168.1.11:6443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:xxx
master:
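# Replace the stale kubeconfig from the previous cluster with the new admin.conf.
# ${HOME:?} aborts instead of running `rm -rf /.kube` if HOME is unset.
rm -rf -- "${HOME:?}/.kube"
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
# Cluster-admin credential: readable by this user only.
chmod 600 "$HOME/.kube/config"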