基于Ubuntu16.04和kubeadm部署kuernetes-低调大师

基于Ubuntu16.04和kubeadm部署kuernetes

2018-11-24 651

1.部署环境：

2台虚拟机，Ubuntu16.04系统。设定A虚拟机的IP 为A-IP，B虚拟机的IP为B-IP，并A虚拟机作为master。

2. A、B两台虚拟机都需要做的部署操作：

建议以root用户执行下列操作。

a. 跟新系统apt包：

     apt-get update -y

     apt-get upgrade -y

b. 关闭开启Swap的设备，kubernetes是建议关闭的：

     Swapoff -a

上述命令，可以临时关闭，机器重启之后需要重新设置。

具体的swap扩展信息，可参考http://www.runoob.com/linux/linux-comm-swapoff.html

c. 安装Docker，kubernetes需要机遇Docker环境运行：

     apt-get install apt-transport-https -y

     curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -

     apt-get install docker.io -y

查看docker版本及启动docker service:

docker version

######
Client:
 Version:      17.03.2-ce
 API version:  1.27
 Go version:   go1.6.2
 Git commit:   f5ec1e2
 Built:        Thu Jul  5 23:07:48 2018
 OS/Arch:      linux/amd64

Server:
 Version:      17.03.2-ce
 API version:  1.27 (minimum version 1.12)
 Go version:   go1.6.2
 Git commit:   f5ec1e2
 Built:        Thu Jul  5 23:07:48 2018
 OS/Arch:      linux/amd64
 Experimental: false
######

systemctl enable docker

systemctl start docker

systemctl status docker

######
docker.service - Docker Application Container Engine
   Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-11-24 06:58:36 EST; 3min 57s ago
     Docs: https://docs.docker.com
 Main PID: 14473 (dockerd)
   CGroup: /system.slice/docker.service
           ├─14473 /usr/bin/dockerd -H fd://
           └─14483 docker-containerd -l unix:///var/r.............
######

如果docker service的状态为active(running)，则说明docker 安装并启动成功。

d. 安装kubernetes：

sudo curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

echo 'deb http://apt.kubernetes.io/ kubernetes-xenial main' | sudo tee /etc/apt/sources.list.d/kubernetes.list

apt-get update

apt-get install -y kubelet kubeadm kubectl kubernetes-cni

3. 配置master节点：

sudo kubeadm init --pod-network-cidr 10.244.0.0/16

--pod-network-cidr是指配置节点中的pod的可用IP地址，此为内部IP

初始化kubeadm成功之后，会输出如下信息：

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join A-IP:6443 --token y89hw4.jahkc29856dc6pi6 --discovery-token-ca-cert-hash sha256:3cddcf79c0d2ffa338167589080976876978f3ede9a2014f5aa4f5104a

执行如下命令，配置master网络：

sudo kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml

sudo kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-manifests/kube-flannel-rbac.yml

在其他node，执行如下命令，可将node加入到master。该命令中的参数来自于上一个输出信息：

kubeadm join A-IP:6443 --token y89hw4.jahkc29856dc6pi6 --discovery-token-ca-cert-hash sha256:3cddcf79c0d2ffa338167589080976876978f3ede9a2014f5aa4f5104a

执行如下命令去配置kubectl:

mkdir -p $HOME/.kube

cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

chown $(id -u):$(id -g) $HOME/.kube/config

至此，执行如下命令即可获取到node的相关信息：

kubectl get nodes

NAME                STATUS     ROLES     AGE       VERSION
kubernetes-master   NotReady   master    14m       v1.12.2

4. 添加其他节点(node)到master:

kubeadm join A-IP:6443 --token y89hw4.jahkc29856dc6pi6 --discovery-token-ca-cert-hash sha256:3cddcf79c0d2ffa338167589080976876978f3ede9a2014f5aa4f5104a

######
[discovery] Trying to connect to API Server "A-IP:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://B-IP:6443"
[discovery] Requesting info from "https://B-IP:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "B-IP:6443"
[discovery] Successfully established connection with API Server "A-IP:6443"
This node has joined the cluster:
* Certificate signing request was sent to master and a response
  was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the master to see this node join the cluster.
######

在master节点执行 kubectl get nodes，可以检查是否成功加入。

5. 配置kubernetes-dashboard:

本次测试是安装kubernetes-dashboard，并使得能够远程访问。

执行如下信息，安装kubernetes-dashboard：

apiVersion: v1
kind: List
items:
- apiVersion: v1
  kind: Secret
  metadata:
    labels:
      k8s-app: kubernetes-dashboard
    name: kubernetes-dashboard-certs
    namespace: kube-system
  type: Opaque
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    labels:
      k8s-app: kubernetes-dashboard
    name: kubernetes-dashboard
    namespace: kube-system
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: kubernetes-dashboard-minimal
    namespace: kube-system
  rules:
    # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
    # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
    # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]
- apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: kubernetes-dashboard-minimal
    namespace: kube-system
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: kubernetes-dashboard-minimal
  subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system
- kind: Deployment
  apiVersion: apps/v1beta2
  metadata:
    labels:
      k8s-app: kubernetes-dashboard
    name: kubernetes-dashboard
    namespace: kube-system
  spec:
    replicas: 1
    revisionHistoryLimit: 10
    selector:
      matchLabels:
        k8s-app: kubernetes-dashboard
    template:
      metadata:
        labels:
          k8s-app: kubernetes-dashboard
      spec:
        containers:
        - name: kubernetes-dashboard
          image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
          ports:
          - containerPort: 8443
            protocol: TCP
          args:
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
          - name: kubernetes-dashboard-certs
            mountPath: /certs
            # Create on-disk volume to store exec logs
          - mountPath: /tmp
            name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
        volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
        serviceAccountName: kubernetes-dashboard
        # Comment the following tolerations if Dashboard must not be deployed on master
        tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
- kind: Service
  apiVersion: v1
  metadata:
    labels:
      k8s-app: kubernetes-dashboard
    name: kubernetes-dashboard
    namespace: kube-system
  spec:
    type: NodePort
    ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000
    selector:
      k8s-app: kubernetes-dashboard

上述配置文件，service中开启nodeport，以便于远程能够直接访问。

文件执行完成后，可以通过https://A-IP:30000 来访问。

在kubernetes 1.7之后建议使用token去登录：

执行如下命令获取token：

kubectl -n kube-system get secret

#######
attachdetach-controller-token-pqtcp              kubernetes.io/service-account-token   3      3h18m
bootstrap-signer-token-qnx4s                     kubernetes.io/service-account-token   3      3h18m
bootstrap-token-y89hw4                           bootstrap.kubernetes.io/token         7      3h18m
certificate-controller-token-r6wl6               kubernetes.io/service-account-token   3      3h18m
clusterrole-aggregation-controller-token-6mrrv   kubernetes.io/service-account-token   3      3h18m
coredns-token-f4nfd                              kubernetes.io/service-account-token   3      3h18m
cronjob-controller-token-thn79                   kubernetes.io/service-account-token   3      3h18m
daemon-set-controller-token-mwszv                kubernetes.io/service-account-token   3      3h18m
default-token-xbxx9                              kubernetes.io/service-account-token   3      3h18m
deployment-controller-token-dkj7n                kubernetes.io/service-account-token   3      3h18m
disruption-controller-token-nnq57                kubernetes.io/service-account-token   3      3h18m
endpoint-controller-token-6l95q                  kubernetes.io/service-account-token   3      3h18m
expand-controller-token-qxb7h                    kubernetes.io/service-account-token   3      3h18m
flannel-token-ttkmd                              kubernetes.io/service-account-token   3      3h2m
generic-garbage-collector-token-bjndg            kubernetes.io/service-account-token   3      3h18m
horizontal-pod-autoscaler-token-kpds7            kubernetes.io/service-account-token   3      3h18m
job-controller-token-9hh7b                       kubernetes.io/service-account-token   3      3h18m
kube-proxy-token-wdv62                           kubernetes.io/service-account-token   3      3h18m
kubernetes-dashboard-certs                       Opaque                                0      171m
kubernetes-dashboard-key-holder                  Opaque                                2      171m
kubernetes-dashboard-token-m97pg                 kubernetes.io/service-account-token   3      171m
namespace-controller-token-cqmtt                 kubernetes.io/service-account-token   3      3h18m
node-controller-token-nx6cv                      kubernetes.io/service-account-token   3      3h18m
persistent-volume-binder-token-55gtw             kubernetes.io/service-account-token   3      3h18m
pod-garbage-collector-token-d26sh                kubernetes.io/service-account-token   3      3h18m
pv-protection-controller-token-dj6mt             kubernetes.io/service-account-token   3      3h18m
pvc-protection-controller-token-98wbx            kubernetes.io/service-account-token   3      3h18m
replicaset-controller-token-kfnq4                kubernetes.io/service-account-token   3      3h18m
replication-controller-token-wqpph               kubernetes.io/service-account-token   3      3h18m
resourcequota-controller-token-rzwsc             kubernetes.io/service-account-token   3      3h18m
service-account-controller-token-kmsfr           kubernetes.io/service-account-token   3      3h18m
service-controller-token-k9ps4                   kubernetes.io/service-account-token   3      3h18m
statefulset-controller-token-j4t45               kubernetes.io/service-account-token   3      3h18m
token-cleaner-token-qcbnj                        kubernetes.io/service-account-token   3      3h18m
ttl-controller-token-l9bqk                       kubernetes.io/service-account-token   3      3h18m
#######

kubectl -n kube-system describe secret clusterrole-aggregation-controller-token-6mrrv

#######
Name:         clusterrole-aggregation-controller-token-6fzrv
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: clusterrole-aggregation-controller
              kubernetes.io/service-account.uid: e132b88c-efe2-11e8-b652-005056a0b094

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjbHVzdGVycm9sZS1hZ2dyZWdhdGlvbi1jb250cm9sbGVyLXRva2VuLTZmenJ2Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImNsdXN0ZXJyb2xlLsdnfksdnfksdnfkjfieekjfskdjfsdxsZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlMTMyYjg4Yy1lZmUyLTExZTgtYjY1Mi0wMDUwNTZhMGIwOTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06Y2x1c3RlcnJvbGUtYWdncmVnYXRpb24tY29udHJvbGxlciJ9.cLhchbNMkyPTLVqk0MuWP6_7yC1zjJ_MW3R0Tv_uyEtFuYNGcYXKVwXilO2TtMzp5aeqcHq1D-tT21_a0RzJZzd4OktIANed1Ix5PRAHVRX8o7O2jK2Dj9_neqZOogPblKz7jR6g82DQf8R_Vphq4MP3CetEeUIUxbY897r1xKpb7oizZg_ca-Ai7qnQgeCw6ii7O2s1UA8ugYldaXwv7lUKze3bCCSFX9o8dUlvy8WtgF3wVvb7WW3mId1t4nGg9oXlzxhSG9z5z-BtvWNXIp1dVhrFNQgEY9hiipxgpoagLw45FxaOvtfbWd7Mhlrxotf3iED60P6e7FbS4Z_Dgw
#######

其中clusterrole-aggregation-controller-token-6mrrv所在的pod中存在kubernetes-dashboard登录所需的token。

微信关注我们

原文链接：https://yq.aliyun.com/articles/672970

转载内容版权归作者及来源网站所有！

低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。

Docker容器生产实践1——永远设置容器内存限制

背景在默认情况下，docker容器并不会对容器内部进程使用的内存大小进行任何限制。对于PaaS系统而言，或者对于直接使用docker的用户而言，这非常危险。如果哪个业务容器，出现了内存泄漏；那么它可能会危害到整个主机系统，导致业务app容器所在的主机出现oom。本文将介绍着眼于docker对内存资源的使用，解释背后的原理。同时也给出k8s上如何配置内存限制的方法。 docker run、create时刻对容器使用内存大小进行限制 -m硬限制容器使用的内存通过下面参数可以为容器设置一个内存使用量硬大小，当超出这个大小时刻，linux系统会根据配置设置决定是否进入oom-killer状态。docker run --name zxy-docker -m 1g -it busybox bash 单位为：b，k，m和g 如果设置了-m参数，通常情况下如果容器使用内存量超过了设置的硬水线，那么linux的oom-killer触发，它将根据oom-score对容器内部进程进行oom kill。但是不影响宿主机上其他进程。 --oom-kill-disable 这个参数设置一定需要在容器run或者...

2018-11-24

708

开发者论坛每周选取精华内容总结，精选论坛优质贴，每周更新一期，方便大家阅读！请问云台的物联网应用里，如何实现平台一发多收的功能。阿狸大张伟摘要：如题，想将产品A下的设备1，发送给产品B下的设备2，这样子是否可行；如果不可行，那将产品A下的设备1，发送给产品A下的设备2，这样子又是否可行？请教各位大佬们指点指点解答>>https://bbs.aliyun.com/read/591256.html 求这样买香港服务器可以吗？我有个企业网站，首页有20多m的视频 ty阿哥摘要：我有个企业网站，首页有20多m的视频，客户不想备案，但是要求首页完全打开访问在10s内，客户在深圳。so，只能买香港服务器。大家觉得能满足条件吗，能满足要求，最便宜的配置是？方案>>https://bbs.aliyun.com/read/591164.html 把项目部署到阿里云linux上，无法读取mysql的数据。 virtualoid摘要：我本地可以用 mysql-front 连接到阿里云ECS 的linux ubuntu的3306端口，服务器上也可以用mysql -uroot ...

2018-11-25

584

资源下载

更多资源

优质分享App

近一个月的开发和优化，本站点的第一个app全新上线。该app采用极致压缩，本体才4.36MB。系统里面做了大量数据访问、缓存优化。方便用户在手机上查看文章。后续会推出HarmonyOS的适配版本。

Mario

马里奥是站在游戏界顶峰的超人气多面角色。马里奥靠吃蘑菇成长，特征是大鼻子、头戴帽子、身穿背带裤，还留着胡子。与他的双胞胎兄弟路易基一起，长年担任任天堂的招牌角色。

腾讯云软件源

为解决软件依赖安装时官方源访问速度慢的问题，腾讯云为一些软件搭建了缓存服务。您可以通过使用腾讯云软件源站来提升依赖包的安装速度。为了方便用户自由搭建服务架构，目前腾讯云软件源站支持公网访问和内网访问。

Nacos

Nacos /nɑ:kəʊs/ 是 Dynamic Naming and Configuration Service 的首字母简称，一个易于构建 AI Agent 应用的动态服务发现、配置管理和AI智能体管理平台。Nacos 致力于帮助您发现、配置和管理微服务及AI智能体应用。Nacos 提供了一组简单易用的特性集，帮助您快速实现动态服务发现、服务配置、服务元数据、流量管理。Nacos 帮助您更敏捷和容易地构建、交付和管理微服务平台。