操作系统
Ubuntu 16.04+、Debian 9、CentOS 7、RHEL 7、Fedora 25/26 (best-effort)、其他
内存2GB + ,2核CPU +
集群节点之间可以通信
每个节点唯一主机名,MAC地址和product_uuid
检查MAC地址:使用ip link或者ifconfig -a
检查product_uuid:cat /sys/class/dmi/id/product_uuid
禁止swap分区。这样才能使kubelet正常工作
1.1系统配置
主机名与IP对应关系:
[root@k8s-master ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.44.157 k8s-m1
192.168.44.159 k8s-n1
192.168.44.160 k8s-n2
设置sources-list的源
先确认系统
lsb_release -cs
xenial
sudo vi /etc/apt/sources.list
加入
deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial stable
sudo apt-get update
如果各个主机启用了防火墙,需要开放Kubernetes各个组件所需要的端口,可以查看Installing kubeadm中的”Check required ports”一节。 这里简单起见在各节点禁用防火墙:
systemctl stop firewalld
systemctl disable firewalld
禁用SELINUX:
sed -i 's/enforcing/disabled/' /etc/selinux/config <br/>setenforce 0
或
vi /etc/selinux/config
SELINUX=disabled
关闭swap:
swapoff -a # 临时
vim /etc/fstab # 永久,注释掉含有swap的行
同步时间:
sudo apt-get install ntpdate -y
sudo ntpdate ntp.api.bz
创建/etc/sysctl.d/k8s.conf文件,添加如下内容:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
执行命令使修改生效:
modprobe br_netfilter
sysctl -p /etc/sysctl.d/k8s.conf
3 , 安装指定版本docker
3.2 安装以下包以使apt可以通过HTTPS使用存储库(repository):
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common
3.3 添加Docker官方的GPG密钥:
curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -
3.4 设置数据源,使用下面的命令来设置stable存储库:
sudo add-apt-repository \
"deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu xenial stable"
3.5 再更新一下apt包索引:
sudo apt-get update
3.6 查看可安装的版本
apt-cache madison docker-ce
3.7 安装最新版本或指定版本的Docker CE:
sudo apt-get install docker-ce=版本号 如(5:18.09.7~3-0~ubuntu.xenial)
4、修改docker Cgroup driver
根据文档CRI installation中的内容,对于使用systemd作为init system的Linux的发行版,使用systemd作为docker的cgroup driver可以确保服务器节点在资源紧张的情况更加稳定,因此这里修改各个节点上docker的cgroup driver为systemd。
创建或修改/etc/docker/daemon.json:
sudo vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"]
}
重启docker:
systemctl restart docker
验证修改是否成功:
docker info | grep Cgroup
Cgroup Driver: systemd
5、 安装kubeadm等 (所有机器上操作)
安装中缺少socat和conntract参考另一篇附加操作。
sudo apt-get install -y kubelet=1.16.4-00 kubeadm=1.16.4-00 kubectl=1.16.4-00
sudo apt-mark holdkubelet=1.16.4-00 kubeadm=1.16.4-00 kubectl=1.16.4-00
如果缺cri-tools,kubernetes-cni,需先安装。
6、 安装kubernetes集群(仅master)
1,初始化master节点
sudo kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.16.4 --pod-network-cidr=192.169.0.0/16 | tee /etc/kube-server-key
参数解释:
--image-repository 指定镜像源,指定为阿里云的源,这样就会避免在拉取镜像超时,如果没问题,过几分钟就能看到成功的日志输入
--kubernetes-version 指定版本
--pod-network-cidr 指定pod网络地址。设置为内网网段!
三大内网网络为:
C类:192.168.0.0-192.168.255.255
B类:172.16.0.0-172.31.255.255
A类:10.0.0.0-10.255.255.255
安装日志:
ubuntu@k8s-m1:~$ sudo kubeadm init --image-repository registry.aliyuncs.com/google_containers --kubernetes-version v1.16.4 --pod-network-cidr=192.169.0.0/16 | tee /etc/kube-server-key
tee: /etc/kube-server-key: Permission denied
[sudo] password for ubuntu:
[init] Using Kubernetes version: v1.16.4
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Activating the kubelet service
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-m1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.44.160]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-m1 localhost] and IPs [192.168.44.160 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-m1 localhost] and IPs [192.168.44.160 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 39.006006 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.16" in namespace kube-system with the configuration for the kubelets in the cluster
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-m1 as control-plane by adding the label "node-role.kubernetes.io/master=''"
[mark-control-plane] Marking the node k8s-m1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[kubelet-check] Initial timeout of 40s passed.
[bootstrap-token] Using token: nvlhtj.bpf7pppsaq26x9o4
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
sudo kubeadm join 192.168.44.160:6443 --token xyha95.aqxis83sm26ovyph \
--discovery-token-ca-cert-hash sha256:ded354059ae198d75f56b27a85804f3d7a0a101deb456d239ab6bd4b13e3c4e3
kubeadm join命令中,可加--skip-preflight-checks 跳过检查(可选)
如果token过期,用kubeadm token create重新生成。并重新生成秘钥
kubectl token create
kubectl token list
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
或者查看节点命令:
cat /etc/kube-server-key | tail -2
拷贝kubeconfig文件到家目录的.kube目录 (仅master)
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
2,安装网络插件,让pod之间通信(仅master)
使用最新版的
kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/calico.yaml
3,查看kube-system命名空间下的pod状态(仅master)
kubectl get pod -n kube-system
7 安装监控
Heapster镜像:
进入heapster-0.19.0//deploy/docker,使用build.sh进行镜像制作。 该脚本会依赖go环境进行heapster源码编译,所以需要提前安装go环境(go和godep的安装)。
InfluxDB和Grafana镜像:
这两个镜像的Dockerfile分别在根目录下的对应文件中,只需查看Makefile进行对应的命令编译制作镜像即可。Dockerfile会依赖一些基础镜像,最好提前下载好。
容器的运行
Heapster容器的运行可以依赖Kubernetes进行部署,也可以单独使用docker命令进行部署。
Kubernetes部署:
直接依赖heapster-0.19.0/deploy/kube-config/influxdb/目录下的yaml文件,
使用kubectl create -f heapster-0.19.0/deploy/kube-config/influxdb/命令进行部署。
我们没有采用该方式,是考虑到如果K8S和监控系统相互依赖,会导致K8S异常之后,存在监控系统无法使用的隐患。
但是直接使用单独的容器进行部署,也需要考虑到监控容器异常退出了,谁来维护重启?
需要进行权衡?
还需要注意一点:Heapster会使用内存进行数据缓存,容易撑爆内存,导致容器OOM
Docker命令部署:
使用docker命令进行部署的话,需要传入各种参数,该参数可以参考kubernetes部署使用到的yaml文件。
具体命令如下:
InfluxDB:
docker run -p 8083:8083 -p 8086:8086 --net=host -v /data heapster_influxdb:canary
注:data是数据存储目录,需要考虑数据可持久化,并且能保证容器重启不影响数据。
Grafana:
INFLUXDB_SERVICE_URL=http://<influxdb-ip>:8086 \
-e GF_AUTH_BASIC_ENABLED="false" \
-e GF_AUTH_ANONYMOUS_ENABLED="true" \
-e GF_AUTH_ANONYMOUS_ORG_ROLE="Admin" \
-e GF_SERVER_ROOT_URL=/ -v /var
heapster_grafana:canary```
Heapster:
```docker run -it -p 8082:8082 --net=host heapster:canary \
--source=kubernetes:http://<k8s-server-ip>:8080? inClusterConfig=false\&useServiceAccount=false \
--sink=influxdb:http://<influxdb-ip>:8086```
Heapster命令参考相对较为重要,可以参考[官方文档](https://github.com/kubernetes/heapster/tree/master/docs),具体如下:
**–source**: 指定数据获取源。这里我们指定kube-apiserver即可。
后缀参数:
inClusterConfig:
kubeletPort: 指定kubelet的使用端口,默认10255
kubeletHttps: 是否使用https去连接kubelets(默认:false)
apiVersion: 指定K8S的apiversion
insecure: 是否使用安全证书(默认:false)
auth: 安全认证
useServiceAccount: 是否使用K8S的安全令牌
**–sink**: 指定后端数据存储。这里指定influxdb数据库。
后缀参数:
user: InfluxDB用户
pw: InfluxDB密码
db: 数据库名
secure: 安全连接到InfluxDB(默认:false)
withfields: 使用InfluxDB fields(默认:false)。可以参考[Here](https://docs.influxdata.com/influxdb/v0.9/concepts/key_concepts/)
