Author's note: because the commonly used mirror sites currently cannot proxy image downloads, the images used in this lab should be downloaded from the internet first and then imported into a private registry, or message the account backend with the reply code 9521 to get them.
Also, this lab write-up turned out to be surprisingly long and exceeded the post length limit, so it is published in three parts.
Contents
- Kubernetes high-availability cluster deployment: architecture requirements
- Deploying a Kubernetes v1.25.0 high-availability cluster with kubeadm (part 1)
- Deploying a Kubernetes v1.25.0 high-availability cluster with kubeadm (part 2)
- Deploying a Kubernetes v1.25.0 high-availability cluster with kubeadm (final part)
8. Initialize the Kubernetes cluster on the first master node
kubeadm init command reference
--kubernetes-version: version of the Kubernetes control-plane components; it must match the version of the kubelet package installed on the nodes.
--control-plane-endpoint: required for a multi-master cluster. A fixed address (IP or DNS name) for the control plane; it is written as the API server address into the kubeconfig files of administrators and of the cluster components. Not used for a single-master control plane. Note: kubeadm cannot convert a single control-plane cluster that was created without --control-plane-endpoint into a highly available one, so set it from the start.
--pod-network-cidr: Pod network range in CIDR notation; the Flannel default is 10.244.0.0/16, the Calico default is 192.168.0.0/16. Normally only plugins of the Flannel kind need this set by hand, and the value must match the Network configured in the plugin.
--service-cidr: Service network range in CIDR notation, default 10.96.0.0/12.
--service-dns-domain: cluster domain name, default cluster.local; names under it are resolved by the cluster DNS service.
--apiserver-advertise-address: the IP address the API server advertises as the one it listens on, i.e. the address announced to the other components; normally the master's IP on the internal cluster network. If unset, the address of the default network interface is used; 0.0.0.0 means all addresses on the node. Optional.
--image-repository: registry to pull the control-plane images from. The default (k8s.gcr.io before v1.25, registry.k8s.io from v1.25 on) may be unreachable from inside China, so point it at a domestic mirror.
--token-ttl: lifetime of the bootstrap token, default 24h; 0 means it never expires. The token is a credential that lets whoever holds it join a node to the cluster, so give it an expiry to limit the damage of a leak through insecure storage. After it expires, more nodes can still be added by creating a fresh token together with its join command: kubeadm token create --print-join-command
--ignore-preflight-errors=Swap: if swap has not been disabled on the nodes, add this option so that kubeadm ignores that preflight error (disabling swap is the better fix).
--upload-certs: upload the control-plane certificates to the kubeadm-certs Secret, encrypted with the certificate key printed at the end of init, so that additional control-plane nodes can fetch them when they join.
--cri-socket: from v1.24 on, the path of the CRI socket kubeadm connects to. It differs per runtime:
  containerd: --cri-socket unix:///run/containerd/containerd.sock
  Docker via cri-dockerd: --cri-socket unix:///var/run/cri-dockerd.sock
  CRI-O: --cri-socket unix:///var/run/crio/crio.sock
  Note: CRI-O and containerd manage images differently, so image files are not interchangeable between them.
Initialize the cluster on the first master node
"vip" is the name of the control-plane entry address set up in the earlier parts and must resolve on every node. Note that --token-ttl=0 creates a bootstrap token that never expires, contrary to the advice in the reference above; either give it a TTL or delete the token (kubeadm token delete) once all nodes have joined.

root@master1ha1:~# kubeadm init --control-plane-endpoint="vip" --kubernetes-version=v1.25.0 --pod-network-cidr=10.244.0.0/16 --service-cidr=10.96.0.0/12 --token-ttl=0 --cri-socket unix:///run/cri-dockerd.sock --image-repository registry.aliyuncs.com/google_containers --upload-certs
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

Alternatively, if you are the root user, you can run:

  export KUBECONFIG=/etc/kubernetes/admin.conf

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of the control-plane node running the following command on each as root:

  kubeadm join vip:6443 --token j4egyy.1a21ssudorgo8d3k \
        --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 \
        --control-plane --certificate-key 5c2740a120bd93bd1fbcc61a1ca9878ec1ef3436b3277bf91edc5d11fccb3f7c

Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use
"kubeadm init phase upload-certs --upload-certs" to reload certs afterward.

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join vip:6443 --token j4egyy.1a21ssudorgo8d3k \
        --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17
If you need to start over, run the following (on the worker nodes first, if any have joined, then on the control-plane node):

kubeadm reset -f --cri-socket unix:///run/cri-dockerd.sock
rm -rf /etc/cni/net.d/ $HOME/.kube/config
reboot
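The same initialization expressed as a kubeadm configuration file, as an added example that is not part of the original post. It is run with kubeadm init --config kubeadm-init.yaml --upload-certs (--upload-certs has no config-file field). Every setting mirrors the flags used above except that the bootstrap token gets a 24-hour TTL instead of --token-ttl=0. The advertise address 192.168.157.101 and the file name are assumptions; the token value is kubeadm's documented placeholder and must be replaced, or the token field omitted so that kubeadm generates one.

```yaml
# kubeadm-init.yaml (added example; not from the original post)
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
bootstrapTokens:
- token: abcdef.0123456789abcdef        # kubeadm placeholder: replace it, or drop this line to have one generated
  ttl: 24h0m0s                          # replaces --token-ttl=0; an expired token is recreated with kubeadm token create
  usages: [signing, authentication]
  groups: [system:bootstrappers:kubeadm:default-node-token]
localAPIEndpoint:
  advertiseAddress: 192.168.157.101     # assumption: master1's IP on the internal cluster network
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///run/cri-dockerd.sock   # same as --cri-socket
  ignorePreflightErrors: []             # put "Swap" here only if swap really cannot be disabled
---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.25.0              # --kubernetes-version
controlPlaneEndpoint: "vip:6443"        # --control-plane-endpoint; required for HA from the first init
imageRepository: registry.aliyuncs.com/google_containers   # --image-repository
networking:
  dnsDomain: cluster.local              # --service-dns-domain
  podSubnet: 10.244.0.0/16              # --pod-network-cidr; must match flannel's Network
  serviceSubnet: 10.96.0.0/12           # --service-cidr
```

Keeping the file under version control makes the cluster's network ranges, endpoint and registry reviewable, which a long command line is not.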
9. Generate the kubectl authorization file on the first master node
kubectl is the command-line client of kube-apiserver; it implements almost every management operation other than system deployment and is the command Kubernetes administrators use most. kubectl has to be authenticated and authorized by the API server before it can carry out an operation. A kubeadm-built cluster generates an administrator-level credential file, /etc/kubernetes/admin.conf, which kubectl loads from its default path $HOME/.kube/config; a different location can be given with the --kubeconfig option. Note that the client certificate inside admin.conf belongs to the system:masters group, which bypasses RBAC and cannot be revoked without rotating the cluster CA, so keep the file readable only by its owner, do not hand copies to other users, and issue them their own RBAC-scoped kubeconfig instead.
Copy the configuration file that authenticates as the Kubernetes administrator into the home directory of the target user (here the current user, root):

# These are the commands printed at the end of the init in step 8
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
10. Enable kubectl command completion
kubectl has a rich command set but does not enable completion by default; it can be set up as follows (the bash-completion package must be installed first):

kubectl completion bash > /etc/profile.d/kubectl_completion.sh
. /etc/profile.d/kubectl_completion.sh
11. Configure the network add-on on the first master node
The Pod network in Kubernetes is implemented by third-party plugins, of which there are dozens; the best-known are flannel, calico, canal and kube-router. A simple and easy-to-use one is the flannel project originally from CoreOS. The commands below deploy flannel online onto the Kubernetes cluster.
First, download the flanneld build matching the OS and hardware platform to every node and place it under /opt/bin/. (I did not understand this sentence?!)
Here flanneld-amd64 version v0.20.1 is chosen, so the following command would be run on every node of the cluster:
Tip: flanneld is downloaded from https://github.com/flannel-io/flannel/releases
(A flanneld binary in /opt/bin is only needed when flanneld runs directly on the host; the DaemonSet deployment used below runs it inside a container, so that step can be skipped here.)
# After a node joins the cluster it shows NotReady, and neither the nodes nor the containers can talk to each other yet, because no network plugin is installed by default; the cluster only communicates normally once one is installed
root@master1ha1:~# kubectl get nodes
NAME         STATUS     ROLES           AGE   VERSION
master1ha1   NotReady   control-plane   41m   v1.25.0
# flannel deployment, method 1:
root@master1ha1:~# curl -LO https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
root@master1ha1:~# kubectl apply -f kube-flannel.yml

# flannel deployment, method 2:
# raw.githubusercontent.com is not reachable from inside China; if you cannot get around that, use this method
# Download flannel from the official releases at https://github.com/coreos/flannel/releases and load it into docker.
# Because the CRI here is cri-dockerd, kubelet sees images loaded into docker; they must be loaded on every node that will run the DaemonSet, not only on master1
root@master1ha1:~# docker load < flanneld-v0.20.1-amd64.docker
7df5bd7bd262: Loading layer [==================================================>]  5.904MB/5.904MB
d9d153cdaf1f: Loading layer [==================================================>]  12.39MB/12.39MB
40b9707e1723: Loading layer [==================================================>]  2.743MB/2.743MB
5f0bea3b3211: Loading layer [==================================================>]  39.36MB/39.36MB
597dd779670d: Loading layer [==================================================>]  5.632kB/5.632kB
c58e46b8b3ff: Loading layer [==================================================>]  9.728kB/9.728kB
b35dfde5fcb3: Loading layer [==================================================>]  8.704kB/8.704kB
Loaded image: quay.io/coreos/flannel:v0.20.1-amd64

# Get a kube-flannel.yml
curl -LO https://raw.githubusercontent.com/flannel-io/flannel/master/Documentation/kube-flannel.yml
# Change the image: references in kube-flannel.yml to the locally loaded image; there are three of them (the two initContainers and the kube-flannel container). The Network in the net-conf.json ConfigMap must equal the --pod-network-cidr given to kubeadm init (10.244.0.0/16 here).
# Then apply; here the file was renamed kube-flannel-v0.20.1.yml
root@master1ha1:~# kubectl apply -f kube-flannel-v0.20.1.yml
namespace/kube-flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created

root@master1ha1:~# kubectl get pod -A
NAMESPACE      NAME                                 READY   STATUS    RESTARTS      AGE
kube-flannel   kube-flannel-ds-794hb                1/1     Running   0             73s
kube-system    coredns-c676cc86f-k9hm2              1/1     Running   0             24h
kube-system    coredns-c676cc86f-wgjdp              1/1     Running   0             24h
kube-system    etcd-master1ha1                      1/1     Running   3 (14h ago)   24h
kube-system    kube-apiserver-master1ha1            1/1     Running   3 (24m ago)   24h
kube-system    kube-controller-manager-master1ha1   1/1     Running   3 (14h ago)   24h
kube-system    kube-proxy-pkt88                     1/1     Running   3 (14h ago)   24h
kube-system    kube-scheduler-master1ha1            1/1     Running   4 (14h ago)   24h

# The describe output (trimmed to the relevant line; the original showed it as a screenshot) confirms which image the Pod runs
root@master1ha1:~# kubectl describe pod kube-flannel-ds-794hb -n kube-flannel
    image: m.daocloud.io/docker.io/flannel/flannel-cni-plugin:v1.1.0

# The above shows flannel running normally; after a short wait the node becomes Ready
root@master1ha1:~# kubectl get nodes
NAME         STATUS   ROLES           AGE   VERSION
master1ha1   Ready    control-plane   24h   v1.25.0

# Note: if part of the plugin was already downloaded, remove it with the commands below before downloading again
# Uninstalling flannel
# Step 1: delete flannel from the cluster
kubectl delete -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
# Step 2: on each node, clean up the files and interfaces flannel left behind
ifconfig cni0 down
ip link delete cni0
ifconfig flannel.1 down
ip link delete flannel.1
rm -rf /var/lib/cni/
rm -f /etc/cni/net.d/*
# Note: after the steps above, restart kubelet
systemctl restart kubelet
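Rewriting the three image: lines by hand, as method 2 above requires, is easy to get wrong on a file that also carries commented-out image lines, and a Network that does not match --pod-network-cidr is the other common reason a freshly applied flannel never brings the node to Ready. The script below is an added example (not code from the original post or from the flannel project) that does both edits mechanically with sed and checks the CIDR. The registry name harbor.local and the file names are assumptions, and the manifest excerpt it ships with is a constructed cut-down of the v0.20.1 layout, not the full upstream file.

```shell
#!/bin/sh
# Added example, not code from the original article or from the flannel project.
# Rewrites the image: references in a downloaded kube-flannel.yml so they point at a
# private registry, and checks that flannel's Network matches --pod-network-cidr.
# harbor.local and the file names are assumptions; the manifest excerpt is constructed.
set -eu

# Prefix every image: value with the registry in $2, dropping the original host
# (docker.io, quay.io, ...). Commented-out #image: lines are left alone.
# $1 = manifest file, $2 = registry prefix (must not contain '#' or '&'); prints the result.
rewrite_images() {
  sed -E "s#^([[:space:]]*(- )?image:[[:space:]]*)(([A-Za-z0-9-]+\.[A-Za-z0-9.-]*|localhost)(:[0-9]+)?/)?#\1$2/#" "$1"
}

# List the image references a manifest will pull: exactly what has to exist in the registry.
list_images() {
  sed -nE 's/^[[:space:]]*(- )?image:[[:space:]]*//p' "$1"
}

# Print the Network from flannel's net-conf.json and fail unless it equals $2, the CIDR
# given to kubeadm init as --pod-network-cidr. On a mismatch flannel cannot use the
# PodCIDR that kube-controller-manager assigned to each node from that range.
check_pod_cidr() {
  net=$(sed -n 's/^[[:space:]]*"Network":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
  echo "$net"
  [ "$net" = "$2" ]
}

# Constructed excerpt of kube-flannel.yml (v0.20.1 layout); not the full upstream file.
sample_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-flannel-cfg
  namespace: kube-flannel
data:
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-flannel
spec:
  template:
    spec:
      initContainers:
      - name: install-cni-plugin
        #image: flannelcni/flannel-cni-plugin:v1.1.0 for ppc64le and mips64le (dockerhub limitations may apply)
        image: docker.io/flannel/flannel-cni-plugin:v1.1.0
      - name: install-cni
        image: docker.io/flannel/flannel:v0.20.1
      containers:
      - name: kube-flannel
        image: docker.io/flannel/flannel:v0.20.1
EOF
}

# Usage on master1 (file names are assumptions):
#   sample_manifest > kube-flannel.yml            # or: curl -LO .../kube-flannel.yml
#   rewrite_images kube-flannel.yml harbor.local > kube-flannel-private.yml
#   list_images kube-flannel-private.yml          # push/load exactly these on every node
#   check_pod_cidr kube-flannel-private.yml 10.244.0.0/16
```

The page's own edit kept the source host as a path component (m.daocloud.io/docker.io/flannel/...), which is what a pull-through mirror wants; a Harbor project usually wants the host stripped, which is what rewrite_images does. Run list_images on the rewritten file and make sure every reference is loadable on every node before applying, since the DaemonSet pulls on each of them.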
A gripe about this part: installing flannel really is not as convenient as Calico; I published an article on that earlier, so look it up if you are interested.
12. Join all node nodes to the Kubernetes cluster
Run the following on every worker node to join it to the cluster. Each kubeadm token create mints a new 24-hour bootstrap token, so treat the printed join command as a credential. The --discovery-token-ca-cert-hash is what lets the node verify it is talking to the genuine cluster CA rather than to whatever answers at vip:6443, so never replace it with --discovery-token-unsafe-skip-ca-verification.

# On master1, print the join command
root@master1ha1:~# kubeadm token create --print-join-command
kubeadm join vip:6443 --token hb7wgu.278gisn7n9fx18d4 --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17

# Add the --cri-socket option to that command and run it on every node
root@node1:~# kubeadm join vip:6443 --token hb7wgu.278gisn7n9fx18d4 --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock

The following output means the node has joined; its status can then be checked on the master node:
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

# Check the node status on the master
root@master1ha1:~# kubectl get nodes
NAME         STATUS   ROLES           AGE    VERSION
master1ha1   Ready    control-plane   5d8h   v1.25.0
node1        Ready    <none>          4d2h   v1.25.0
node2        Ready    <none>          53s    v1.25.0
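The join commands above, and the control-plane joins in step 14, all carry the same sha256:6a91... value. It is not random: kubeadm hashes the DER-encoded SubjectPublicKeyInfo of the cluster CA, and the joining node refuses any API server whose CA does not hash to it. The script below is an added example (not from the original post or from kubeadm) that recomputes that value with openssl so it can be verified independently, and that checks a pasted join command before it is run: the hash must match the CA, and a control-plane join must carry --certificate-key. The only assumptions are the tools (openssl, sed) and the CA path, which on a control-plane node is /etc/kubernetes/pki/ca.crt.

```shell
#!/bin/sh
# Added example, not code from the original article or from kubeadm. Recomputes the
# value kubeadm prints as --discovery-token-ca-cert-hash (SHA-256 of the DER-encoded
# SubjectPublicKeyInfo of the cluster CA) and uses it to check a join command before
# it is run on a node. Needs only openssl and sed. The CA path is an assumption: on a
# control-plane node it is /etc/kubernetes/pki/ca.crt.
set -eu

# $1 = CA certificate (PEM). Prints the 64 hex digits kubeadm expects after "sha256:".
ca_cert_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //'
}

# $1 = a kubeadm join command line. Prints the hash it carries, or nothing.
join_cmd_hash() {
  printf '%s\n' "$1" | sed -n 's/.*--discovery-token-ca-cert-hash sha256:\([0-9a-f]\{64\}\).*/\1/p'
}

# $1 = CA certificate, $2 = join command line.
# Fails if the command carries no hash or one that does not match our CA (the node
# would then trust whatever API server answers at the endpoint), or if a control-plane
# join lacks the --certificate-key needed to fetch the control-plane certificates.
# Otherwise prints the role the node will get: "control-plane" or "worker".
check_join_cmd() {
  ca="$1"; cmd="$2"
  expected=$(ca_cert_hash "$ca")
  actual=$(join_cmd_hash "$cmd")
  if [ "$actual" != "$expected" ]; then
    echo "CA hash missing or mismatched: refuse to join (wrong cluster or tampered command)" >&2
    return 1
  fi
  case " $cmd " in
    *" --control-plane "*)
      case " $cmd " in
        *" --certificate-key "*) echo control-plane ;;
        *) echo "control-plane join without --certificate-key: fails unless the certs were copied to /etc/kubernetes/pki beforehand" >&2; return 1 ;;
      esac ;;
    *) echo worker ;;
  esac
}

# Usage on master1 (CA path is an assumption):
#   ca_cert_hash /etc/kubernetes/pki/ca.crt
#   check_join_cmd /etc/kubernetes/pki/ca.crt "$(kubeadm token create --print-join-command)"
```

Comparing the hash printed by kubeadm token create against ca_cert_hash on the master is a cheap way to catch a join command that was copied from the wrong cluster or altered in transit, and the role check catches exactly the mistake of joining a would-be master with the worker form of the command.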
13. Test application orchestration and service access
At this point the infrastructure of a Kubernetes cluster with one master and two nodes is in place, so its core functions can be tested. The demonstration uses demoapp, a web application: it is run on the cluster as Pods and then accessed from outside the cluster.
# Create the manifest; the explanation follows below
root@master1ha1:~# vim demoapp-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demoapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: demoapp
  template:
    metadata:
      labels:
        app: demoapp
    spec:
      containers:
      - name: demoapp
        image: registry.cn-hangzhou.aliyuncs.com/guang_demo/qwer:ik8s-demoappv1.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 80

# Create the Pods
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp created

# The two Pods have been spread over the two nodes and are running
root@master1ha1:~# kubectl get pod -o wide
NAME                       READY   STATUS    RESTARTS   AGE     IP            NODE    NOMINATED NODE   READINESS GATES
demoapp-75586749f8-pmbhf   1/1     Running   0          3m52s   10.244.1.31   node1   <none>           <none>
demoapp-75586749f8-wlhkt   1/1     Running   0          3m52s   10.244.2.26   node2   <none>           <none>

# Access the two Pods directly by Pod IP (reachable from the master over the flannel overlay)
root@master1ha1:~# curl 10.244.1.31
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!
root@master1ha1:~# curl 10.244.1.26
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!

# Expose the Deployment with a NodePort Service and look up the port it was assigned, so that it can be reached from outside the cluster. The PORT(S) column reads <service port>:<NodePort>. kubectl create service selects Pods labelled app=demoapp (the Service name), which is why it matches the Deployment's Pods.
root@master1ha1:~# kubectl create service nodeport demoapp --tcp=80:80
root@master1ha1:~# kubectl get svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE
demoapp      NodePort    10.105.4.244   <none>        80:32590/TCP   13s
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP        21d
root@master1ha1:~# curl 10.105.4.244
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!
root@master1ha1:~# curl 10.105.4.244
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!

# From outside the cluster the application is reachable at http://NodeIP:32590 on any node, for example http://<kubernetes-node>:32590 in a browser. A NodePort is opened on every node and every interface, so outside a lab restrict it with a firewall or put an Ingress in front of it.
root@master1ha1:~# curl 192.168.157.100:32590
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-wlhkt, ServerIP: 10.244.1.26!
root@master1ha1:~# curl 192.168.157.100:32590
iKubernetes demoapp v1.0 !! ClientIP: 10.244.1.1, ServerName: demoapp-75586749f8-pmbhf, ServerIP: 10.244.1.31!

# 1. Scaling Pods out (only the commands are recorded; it is simple)
root@master1ha1:~# vim demoapp-deployment.yaml
spec:
  replicas: 4
# Raising replicas from 2 to 4 scales the Deployment from 2 Pods to 4
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp configured
root@master1ha1:~# kubectl get pod -o wide
# New Pods can be seen starting up

# 2. Scaling Pods in (only the commands are recorded; it is simple)
root@master1ha1:~# vim demoapp-deployment.yaml
spec:
  replicas: 1
# Lowering replicas from 4 to 1 scales the Deployment from 4 Pods down to 1
root@master1ha1:~# kubectl apply -f demoapp-deployment.yaml
deployment.apps/demoapp configured
root@master1ha1:~# kubectl get pod -o wide
# The Pods can be seen being terminated
root@master1ha1:~# kubectl get pod -o wide
# Checking again, the scale-in has completed and 1 Pod remains
14. Join the remaining two master nodes to the Kubernetes cluster
Join the remaining two master nodes to extend the cluster into multi-master mode. A control-plane join differs from a worker join: besides the bootstrap token and the CA hash, the node needs the control-plane certificates, which it either fetches from the kubeadm-certs Secret with --control-plane --certificate-key (the first join form printed by kubeadm init in step 8) or finds already copied under /etc/kubernetes/pki/ before the join. The commands as run below omit --control-plane, so the two nodes joined as workers, which is what the ROLES column (<none>) in the node list at the end shows; copying the certificates afterwards does not change that.

# On master1, print the join command
root@master1ha1:~# kubeadm token create --print-join-command
kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17

# The command was run on the two remaining nodes with only --cri-socket added. This is the worker form. To join as control-plane nodes, append --control-plane --certificate-key <key>; because the key uploaded during init is deleted from the kubeadm-certs Secret after two hours, first obtain a fresh one on master1 with: kubeadm init phase upload-certs --upload-certs
# A node that has already joined as a worker has to be reset first (step 8) and its Node object removed before it can be rejoined as a control-plane member.
root@master2ha2:~# kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock
root@master3harbor1:~# kubeadm join vip:6443 --token eeyg8g.1wydhq9vtcvdhx9r --discovery-token-ca-cert-hash sha256:6a91882c8d6244a32ae616a43e78634b76db4997794a4064554a5c0d11627c17 --cri-socket unix:///run/cri-dockerd.sock

The following output means the node has joined; its status can be checked on the first master:
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the control-plane to see this node join the cluster.

# Run on master2 and master3
cd /root && mkdir -p /etc/kubernetes/pki/etcd && mkdir -p ~/.kube/

# Copy the CA material from master1 to master2 and master3 (192.168.157.102 and .103). This is the manual alternative to --upload-certs, and it only has an effect if it is done before a kubeadm join --control-plane, not after a worker join as here. It sends the cluster's CA private keys over the network, so do it only over scp between hosts you control.
for i in {102..103}; do
  scp /etc/kubernetes/pki/ca.crt 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/ca.key 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/sa.key 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/sa.pub 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/front-proxy-ca.crt 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/front-proxy-ca.key 192.168.157.$i:/etc/kubernetes/pki/
  scp /etc/kubernetes/pki/etcd/ca.crt 192.168.157.$i:/etc/kubernetes/pki/etcd/
  scp /etc/kubernetes/pki/etcd/ca.key 192.168.157.$i:/etc/kubernetes/pki/etcd/
done

# Node list on the first master: the two new nodes are present, but with ROLES <none>, i.e. as workers rather than control-plane members. The cluster is not multi-master until they are reset and rejoined with --control-plane.
root@master1ha1:~# kubectl get nodes
master1ha1       Ready      control-plane   21d     v1.25.0
master2ha2       Ready      <none>          2m20s   v1.25.0
master3harbor1   Ready      <none>          2m19s   v1.25.0
node1            Ready      <none>          20d     v1.25.0
node2            NotReady   <none>          15d     v1.25.0
# Ran out of memory, so node2 was shut down for now
Finally:
Honestly frustrating: this v1.25 build did not go nearly as smoothly as I imagined!!
And finally, welcome to follow me! @Linux学习的那些事儿