[关闭]
@zhangyy 2021-07-07T15:05:56.000000Z 字数 22585 阅读 306

kubernetes 1.18.3 版本 二进制部署

kubernetes系列


一: 系统环境介绍
二: 部署Etcd集群
三: 安装docker
四: 部署k8s Master Node
五: 部署k8s Worker Node
六: 部署Dashboard和CoreDNS


一: 系统环境介绍

1.1 环境准备

  1. 在开始之前,部署Kubernetes集群机器需要满足以下几个条件:
  2. 操作系统: CentOS7.8-86_x64
  3. 硬件配置:2GB或更多RAM2CPU或更多CPU,硬盘30GB或更多集群中所有机器之间网络互通
  4. 可以访问外网,需要拉取镜像,如果服务器不能上网,需要提前下载镜像并导入节点
  5. 禁止swap分区

1.2 软件环境:

  1. 操作系统: CentOS7.8_x64 mini
  2. Docker: 19-ce
  3. Kubernetes: 1.18.3

1.3 环境规划

  1. 服务器整体规划:

image_1eapi402ighj1c4e2d8hm31f3h9.png-108.4kB

1.4 单Master架构图:

image_1ett5i3dnqnjbg1poang7144h9.png-1450.4kB

1.5 单Master服务器规划:

image_1e9t7tee516e18pd1col92o1nok20.png-69.6kB

1.6 操作系统初始化配置

  1. # 关闭防火墙
  2. systemctl stop firewalld
  3. systemctl disable firewalld
  4. # 关闭selinux
  5. sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久
  6. setenforce 0 # 临时
  7. # 关闭swap
  8. swapoff -a # 临时
  9. sed -ri 's/.*swap.*/#&/' /etc/fstab # 永久
  10. # 根据规划设置主机名
  11. hostnamectl set-hostname <hostname>
  12. # 在master添加hosts
  13. cat >> /etc/hosts << EOF
  14. 192.168.100.11 node01.flyfish
  15. 192.168.100.12 node02.flyfish
  16. 192.168.100.13 node03.flyfish
  17. EOF
  18. # 将桥接的IPv4流量传递到iptables的链
  19. cat > /etc/sysctl.d/k8s.conf << EOF
  20. net.bridge.bridge-nf-call-ip6tables = 1
  21. net.bridge.bridge-nf-call-iptables = 1
  22. EOF
  23. sysctl --system # 生效
  24. # 时间同步
  25. yum install chronyd
  26. server ntp1.aliyun.com

二、部署Etcd集群

2.1 ETCD 集群的概念

  1. Etcd 是一个分布式键值存储系统,Kubernetes使用Etcd进行数据存储,所以先准备一个Etcd数据库,为解决Etcd单点故障,应采用集群方式部署,这里使用3台组建集群,可容忍1台机器故障,当然,你也可以使用5台组建集群,可容忍2台机器故障

image_1eanr5rv217iet32g0n1sv62739.png-23.5kB

  1. 注:为了节省机器,这里与K8s节点机器复用。也可以独立于k8s集群之外部署,只要apiserver能连接到就行。

2.2准备cfssl证书生成工具

  1. cfssl是一个开源的证书管理工具,使用json文件生成证书,相比openssl更方便使用。
  2. 找任意一台服务器操作,这里用Master节点。
  3. ---
  4. wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
  5. wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
  6. wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
  7. chmod +x cfssl_linux-amd64 cfssljson_linux-amd64 cfssl-certinfo_linux-amd64
  8. mv cfssl_linux-amd64 /usr/bin/cfssl
  9. mv cfssljson_linux-amd64 /usr/bin/cfssljson
  10. mv cfssl-certinfo_linux-amd64 /usr/bin/cfssl-certinfo
  11. ---

image_1e9t8n0g71ge0b6glle1non11172q.png-157.4kB

2.3 生成Etcd证书

  1. 1. 自签证书颁发机构(CA
  2. 创建工作目录:
  3. mkdir -p ~/TLS/{etcd,k8s}
  4. cd TLS/etcd

image_1e9t8qmhe1kfooa24101i411e2b37.png-138.9kB

  1. 自签CA
  2. cat > ca-config.json << EOF
  3. {
  4. "signing": {
  5. "default": {
  6. "expiry": "87600h"
  7. },
  8. "profiles": {
  9. "www": {
  10. "expiry": "87600h",
  11. "usages": [
  12. "signing",
  13. "key encipherment",
  14. "server auth",
  15. "client auth"
  16. ]
  17. }
  18. }
  19. }
  20. }
  21. EOF
  22. cat > ca-csr.json << EOF
  23. {
  24. "CN": "etcd CA",
  25. "key": {
  26. "algo": "rsa",
  27. "size": 2048
  28. },
  29. "names": [
  30. {
  31. "C": "CN",
  32. "L": "Beijing",
  33. "ST": "Beijing"
  34. }
  35. ]
  36. }
  37. EOF
  38. 生成证书
  39. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  40. ls *pem
  41. ca-key.pem ca.pem

image_1e9t8ugdm3c619prhs01po11ok63k.png-96.1kB

image_1e9t8v4hf171c1bkfhj99p41f6m41.png-153.4kB


  1. 2. 使用自签CA签发Etcd HTTPS证书
  2. 创建证书申请文件:
  3. cat > server-csr.json << EOF
  4. {
  5. "CN": "etcd",
  6. "hosts": [
  7. "192.168.100.11",
  8. "192.168.100.12",
  9. "192.168.100.13",
  10. "192.168.100.14",
  11. "192.168.100.15",
  12. "192.168.100.16",
  13. "192.168.100.17",
  14. "192.168.100.100"
  15. ],
  16. "key": {
  17. "algo": "rsa",
  18. "size": 2048
  19. },
  20. "names": [
  21. {
  22. "C": "CN",
  23. "L": "BeiJing",
  24. "ST": "BeiJing"
  25. }
  26. ]
  27. }
  28. EOF
  29. 生成证书:
  30. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=www server-csr.json | cfssljson -bare server
  31. ls server*pem
  32. server-key.pem server.pem

image_1e9t98ds28n51vsb7u11c9s16444r.png-108.9kB

image_1e9t9754n145t1tcce371aef1pn34e.png-218.4kB

2.4 从Github下载二进制文件

  1. 下载地址:https://github.com/etcd-io/etcd/releases/download/v3.4.9/etcd-v3.4.9-linux-amd64.tar.gz
  2. 以下在节点1上操作,为简化操作,待会将节点1生成的所有文件拷贝到节点2和节点3.
  3. 1. 创建工作目录并解压二进制包
  4. mkdir /opt/etcd/{bin,cfg,ssl} -p
  5. tar zxvf etcd-v3.4.9-linux-amd64.tar.gz
  6. mv etcd-v3.4.9-linux-amd64/{etcd,etcdctl} /opt/etcd/bin/

image_1e9t9j2j31ud51e2flodrlpgbh58.png-126.9kB

image_1e9t9jhkg12763b61irt1puj11l45l.png-125.4kB

2.5 创建etcd配置文件

  1. cat > /opt/etcd/cfg/etcd.conf << EOF
  2. #[Member]
  3. ETCD_NAME="etcd-1"
  4. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  5. ETCD_LISTEN_PEER_URLS="https://192.168.100.11:2380"
  6. ETCD_LISTEN_CLIENT_URLS="https://192.168.100.11:2379"
  7. #[Clustering]
  8. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.11:2380"
  9. ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.11:2379"
  10. ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.11:2380,etcd-2=https://192.168.100.12:2380,etcd-3=https://192.168.100.13:2380"
  11. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  12. ETCD_INITIAL_CLUSTER_STATE="new"
  13. EOF
  14. ---
  15. ETCD_NAME:节点名称,集群中唯一
  16. ETCD_DATA_DIR:数据目录
  17. ETCD_LISTEN_PEER_URLS:集群通信监听地址
  18. ETCD_LISTEN_CLIENT_URLS:客户端访问监听地址
  19. ETCD_INITIAL_ADVERTISE_PEER_URLS:集群通告地址
  20. ETCD_ADVERTISE_CLIENT_URLS:客户端通告地址
  21. ETCD_INITIAL_CLUSTER:集群节点地址
  22. ETCD_INITIAL_CLUSTER_TOKEN:集群Token
  23. ETCD_INITIAL_CLUSTER_STATE:加入集群的当前状态,new是新集群,existing表示加入已有集群

image_1e9t9obm31k62gjl1hdk110e1i3862.png-148.4kB

2.6. systemd管理etcd

  1. cat > /usr/lib/systemd/system/etcd.service << EOF
  2. [Unit]
  3. Description=Etcd Server
  4. After=network.target
  5. After=network-online.target
  6. Wants=network-online.target
  7. [Service]
  8. Type=notify
  9. EnvironmentFile=/opt/etcd/cfg/etcd.conf
  10. ExecStart=/opt/etcd/bin/etcd \
  11. --cert-file=/opt/etcd/ssl/server.pem \
  12. --key-file=/opt/etcd/ssl/server-key.pem \
  13. --peer-cert-file=/opt/etcd/ssl/server.pem \
  14. --peer-key-file=/opt/etcd/ssl/server-key.pem \
  15. --trusted-ca-file=/opt/etcd/ssl/ca.pem \
  16. --peer-trusted-ca-file=/opt/etcd/ssl/ca.pem \
  17. --logger=zap
  18. Restart=on-failure
  19. LimitNOFILE=65536
  20. [Install]
  21. WantedBy=multi-user.target
  22. EOF

image_1e9t9r2rhlur4hf1giufb41rjg6f.png-127.5kB

  1. 4. 拷贝刚才生成的证书
  2. 把刚才生成的证书拷贝到配置文件中的路径:
  3. cp ~/TLS/etcd/ca*pem ~/TLS/etcd/server*pem /opt/etcd/ssl/

image_1e9t9sa2o1khf1710lg1pb1su56s.png-71.3kB

  1. 5. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start etcd
  4. systemctl enable etcd

  1. scp -r /opt/etcd/ root@192.168.100.12:/opt/
  2. scp /usr/lib/systemd/system/etcd.service root@192.168.100.12:/usr/lib/systemd/system/
  3. scp -r /opt/etcd/ root@192.168.100.13:/opt/
  4. scp /usr/lib/systemd/system/etcd.service root@192.168.100.13:/usr/lib/systemd/system/

image_1e9ta1f1bp69i9j1i0h1tuu1cmr79.png-123.9kB

  1. 然后在节点2和节点3分别修改etcd.conf配置文件中的节点名称和当前服务器IP
  2. vi /opt/etcd/cfg/etcd.conf
  3. #[Member]
  4. ETCD_NAME="etcd-1" # 修改此处,节点2改为etcd-2,节点3改为etcd-3
  5. ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
  6. ETCD_LISTEN_PEER_URLS="https://192.168.100.11:2380" # 修改此处为当前服务器IP
  7. ETCD_LISTEN_CLIENT_URLS="https://192.168.100.11:2379" # 修改此处为当前服务器IP
  8. #[Clustering]
  9. ETCD_INITIAL_ADVERTISE_PEER_URLS="https://192.168.100.11:2380" # 修改此处为当前服务器IP
  10. ETCD_ADVERTISE_CLIENT_URLS="https://192.168.100.11:2379" # 修改此处为当前服务器IP
  11. ETCD_INITIAL_CLUSTER="etcd-1=https://192.168.100.11:2380,etcd-2=https://192.168.100.12:2380,etcd-3=https://192.168.100.13:2380"
  12. ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster"
  13. ETCD_INITIAL_CLUSTER_STATE="new"

  1. 最后启动etcd并设置开机启动,同上。

image_1e9tab2l62qj1ee61uhg6h91e3i7m.png-46.9kB

image_1e9tabfme1tli39n1us0mog1hgg83.png-51kB

image_1e9tabs4m1cdbu431ipabt11d8i8g.png-47kB

  1. ETCDCTL_API=3 /opt/etcd/bin/etcdctl --cacert=/opt/etcd/ssl/ca.pem --cert=/opt/etcd/ssl/server.pem --key=/opt/etcd/ssl/server-key.pem --endpoints="https://192.168.100.11:2379,https://192.168.100.12:2379,https://192.168.100.13:2379" endpoint health

image_1e9taf036iog1tcdqtakqlua8t.png-89kB

image_1e9tagcngfdmuh51amv1jeqfle9a.png-76.2kB

image_1e9tah2pungn1jajivpef91b859n.png-66.9kB

  1. 如果输出上面信息,就说明集群部署成功。如果有问题第一步先看日志:/var/log/message journalctl -u etcd

三、安装Docker

  1. 下载地址:https://download.docker.com/linux/static/stable/x86_64/docker-19.03.9.tgz
  2. 以下在所有节点操作。这里采用二进制安装,用yum安装也一样。
  3. node01.flyfish,node02.flyfish node03.flyfish 节点上面安装

  1. 3.1 解压二进制包
  2. tar zxvf docker-19.03.9.tgz
  3. mv docker/* /usr/bin

image_1e9tar8bv1f5vllurch1khabkua4.png-58kB

image_1e9tarreu1dtn11kbiljbve1g6gah.png-68.1kB

  1. 3.2 systemd管理docker
  2. cat > /usr/lib/systemd/system/docker.service << EOF
  3. [Unit]
  4. Description=Docker Application Container Engine
  5. Documentation=https://docs.docker.com
  6. After=network-online.target firewalld.service
  7. Wants=network-online.target
  8. [Service]
  9. Type=notify
  10. ExecStart=/usr/bin/dockerd
  11. ExecReload=/bin/kill -s HUP $MAINPID
  12. LimitNOFILE=infinity
  13. LimitNPROC=infinity
  14. LimitCORE=infinity
  15. TimeoutStartSec=0
  16. Delegate=yes
  17. KillMode=process
  18. Restart=on-failure
  19. StartLimitBurst=3
  20. StartLimitInterval=60s
  21. [Install]
  22. WantedBy=multi-user.target
  23. EOF

image_1e9tato60cv147d8gsl5f1381b1.png-119.8kB

image_1e9tau58ouerjf31aof1tic4h5be.png-120.8kB

  1. 3.3 创建配置文件
  2. mkdir /etc/docker
  3. cat > /etc/docker/daemon.json << EOF
  4. {
  5. "registry-mirrors": ["https://b9pmyelo.mirror.aliyuncs.com"]
  6. }
  7. EOF
  8. registry-mirrors 阿里云镜像加速器

image_1e9tb08ma111t1fa4lg758j17i2c8.png-45.5kB

image_1e9tavn4m11mrn0nhra1h71u61br.png-40.5kB

  1. 3.4 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start docker
  4. systemctl enable docker

image_1eapj713q1iuu1faqtpg12ln2uqm.png-158.7kB

image_1e9tb28hqcul1a5f1af21uc3vbjcl.png-95.2kB

image_1e9tb2m0n1qdk1nu1dbf160c1johd2.png-115.2kB


四、部署Master Node

  1. 4.1 生成kube-apiserver证书
  2. 1. 自签证书颁发机构(CA
  3. cd /root/TLS/k8s/
  4. ---
  5. cat > ca-config.json << EOF
  6. {
  7. "signing": {
  8. "default": {
  9. "expiry": "87600h"
  10. },
  11. "profiles": {
  12. "kubernetes": {
  13. "expiry": "87600h",
  14. "usages": [
  15. "signing",
  16. "key encipherment",
  17. "server auth",
  18. "client auth"
  19. ]
  20. }
  21. }
  22. }
  23. }
  24. EOF
  25. cat > ca-csr.json << EOF
  26. {
  27. "CN": "kubernetes",
  28. "key": {
  29. "algo": "rsa",
  30. "size": 2048
  31. },
  32. "names": [
  33. {
  34. "C": "CN",
  35. "L": "Beijing",
  36. "ST": "Beijing",
  37. "O": "k8s",
  38. "OU": "System"
  39. }
  40. ]
  41. }
  42. EOF
  43. 生成证书:
  44. cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
  45. ls *pem
  46. ca-key.pem ca.pem
  47. ---

image_1e9tb99a9lef1o041du11u4e6fvdf.png-118.7kB

image_1e9tb9sb51t646kb1b8g2kq81mds.png-153kB

  1. 2. 使用自签CA签发kube-apiserver HTTPS证书
  2. 创建证书申请文件:
  3. cat > server-csr.json << EOF
  4. {
  5. "CN": "kubernetes",
  6. "hosts": [
  7. "10.0.0.1",
  8. "127.0.0.1",
  9. "192.168.100.11",
  10. "192.168.100.12",
  11. "192.168.100.13",
  12. "192.168.100.14",
  13. "192.168.100.15",
  14. "192.168.100.16",
  15. "192.168.100.17",
  16. "192.168.100.100",
  17. "kubernetes",
  18. "kubernetes.default",
  19. "kubernetes.default.svc",
  20. "kubernetes.default.svc.cluster",
  21. "kubernetes.default.svc.cluster.local"
  22. ],
  23. "key": {
  24. "algo": "rsa",
  25. "size": 2048
  26. },
  27. "names": [
  28. {
  29. "C": "CN",
  30. "L": "BeiJing",
  31. "ST": "BeiJing",
  32. "O": "k8s",
  33. "OU": "System"
  34. }
  35. ]
  36. }
  37. EOF
  38. 注:上述文件hosts字段中IP为所有Master/LB/VIP IP,一个都不能少!为了方便后期扩容可以多写几个预留的IP

  1. 生成证书:
  2. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes server-csr.json | cfssljson -bare server
  3. ls server*pem
  4. server-key.pem server.pem

image_1e9tbgbijhn9jdqlbd1nl59mke9.png-108.6kB

image_1e9tbgropcbc9r33131kuvjcmem.png-163kB

  1. 4.2 Github下载二进制文件
  2. 下载地址: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.18.md#v1183
  3. 注:打开链接你会发现里面有很多包,下载一个server包就够了,包含了MasterWorker Node二进制文件。

  1. 4.3 解压二进制包
  2. mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}
  3. tar zxvf kubernetes-server-linux-amd64.tar.gz
  4. cd kubernetes/server/bin
  5. cp kube-apiserver kube-scheduler kube-controller-manager /opt/kubernetes/bin
  6. cp kubectl /usr/bin/
  7. cp kubectl /usr/local/bin/

image_1e9tc23fom0ulci1i7p1jnlq7uf3.png-128.2kB

image_1e9tc2hbu1nkdu5a14i57q61f2hfg.png-99.5kB

  1. 4.4 部署kube-apiserver
  2. 1. 创建配置文件
  3. cat > /opt/kubernetes/cfg/kube-apiserver.conf << EOF
  4. KUBE_APISERVER_OPTS="--logtostderr=false \\
  5. --v=2 \\
  6. --log-dir=/opt/kubernetes/logs \\
  7. --etcd-servers=https://192.168.100.11:2379,https://192.168.100.12:2379,https://192.168.100.13:2379 \\
  8. --bind-address=192.168.100.11 \\
  9. --secure-port=6443 \\
  10. --advertise-address=192.168.100.11 \\
  11. --allow-privileged=true \\
  12. --service-cluster-ip-range=10.0.0.0/24 \\
  13. --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction \\
  14. --authorization-mode=RBAC,Node \\
  15. --enable-bootstrap-token-auth=true \\
  16. --token-auth-file=/opt/kubernetes/cfg/token.csv \\
  17. --service-node-port-range=30000-32767 \\
  18. --kubelet-client-certificate=/opt/kubernetes/ssl/server.pem \\
  19. --kubelet-client-key=/opt/kubernetes/ssl/server-key.pem \\
  20. --tls-cert-file=/opt/kubernetes/ssl/server.pem \\
  21. --tls-private-key-file=/opt/kubernetes/ssl/server-key.pem \\
  22. --client-ca-file=/opt/kubernetes/ssl/ca.pem \\
  23. --service-account-key-file=/opt/kubernetes/ssl/ca-key.pem \\
  24. --etcd-cafile=/opt/etcd/ssl/ca.pem \\
  25. --etcd-certfile=/opt/etcd/ssl/server.pem \\
  26. --etcd-keyfile=/opt/etcd/ssl/server-key.pem \\
  27. --audit-log-maxage=30 \\
  28. --audit-log-maxbackup=3 \\
  29. --audit-log-maxsize=100 \\
  30. --audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
  31. EOF
  32. ---
  33. 注:上面两个\ \ 第一个是转义符,第二个是换行符,使用转义符是为了使用EOF保留换行符。
  34. logtostderr:启用日志
  35. v:日志等级
  36. log-dir:日志目录
  37. etcd-serversetcd集群地址
  38. bind-address:监听地址
  39. secure-porthttps安全端口
  40. advertise-address:集群通告地址
  41. allow-privileged:启用授权
  42. service-cluster-ip-rangeService虚拟IP地址段
  43. enable-admission-plugins:准入控制模块
  44. authorization-mode:认证授权,启用RBAC授权和节点自管理
  45. enable-bootstrap-token-auth:启用TLS bootstrap机制
  46. token-auth-filebootstrap token文件
  47. service-node-port-rangeService nodeport类型默认分配端口范围
  48. kubelet-client-xxxapiserver访问kubelet客户端证书
  49. tls-xxx-fileapiserver https证书
  50. etcd-xxxfile:连接Etcd集群证书
  51. audit-log-xxx:审计日志
  52. ---

image_1e9tc69c81k71od01unoaog9fcft.png-181.3kB

  1. 2. 拷贝刚才生成的证书
  2. 把刚才生成的证书拷贝到配置文件中的路径:
  3. cp ~/TLS/k8s/ca*pem ~/TLS/k8s/server*pem /opt/kubernetes/ssl/

image_1e9tc8hf911cpkau1jp4di8evcga.png-67.3kB

  1. 3. 启用 TLS Bootstrapping 机制
  2. TLS BootstrapingMaster apiserver启用TLS认证后,Node节点kubeletkube-proxy要与kube-apiserver进行通信,必须使用CA签发的有效证书才可以,当Node节点很多时,这种客户端证书颁发需要大量工作,同样也会增加集群扩展复杂度。为了简化流程,Kubernetes引入了TLS bootstraping机制来自动颁发客户端证书,kubelet会以一个低权限用户自动向apiserver申请证书,kubelet的证书由apiserver动态签署。所以强烈建议在Node上使用这种方式,目前主要用于kubeletkube-proxy还是由我们统一颁发一个证书。
  3. TLS bootstraping 工作流程:

image_1e9tcamdidji1g3k1fpv1ojh1bcogn.png-198.6kB

  1. 创建上述配置文件中token文件:
  2. cat > /opt/kubernetes/cfg/token.csv << EOF
  3. c47ffb939f5ca36231d9e3121a252940,kubelet-bootstrap,10001,"system:node-bootstrapper"
  4. EOF
  5. 格式:token,用户名,UID,用户组
  6. token也可自行生成替换:
  7. head -c 16 /dev/urandom | od -An -t x | tr -d ' '

image_1e9tcchut1k1er41nm11kth1nu3h4.png-33.1kB

  1. 4. systemd管理apiserver
  2. cat > /usr/lib/systemd/system/kube-apiserver.service << EOF
  3. [Unit]
  4. Description=Kubernetes API Server
  5. Documentation=https://github.com/kubernetes/kubernetes
  6. [Service]
  7. EnvironmentFile=/opt/kubernetes/cfg/kube-apiserver.conf
  8. ExecStart=/opt/kubernetes/bin/kube-apiserver \$KUBE_APISERVER_OPTS
  9. Restart=on-failure
  10. [Install]
  11. WantedBy=multi-user.target
  12. EOF

image_1e9tcemk61mlq8531l1mgks10b9hh.png-104kB

  1. 5. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kube-apiserver
  4. systemctl enable kube-apiserver

image_1e9tcgcq7i41168t1j37rmfrpehu.png-59.1kB

  1. 6. 授权kubelet-bootstrap用户允许请求证书
  2. kubectl create clusterrolebinding kubelet-bootstrap \
  3. --clusterrole=system:node-bootstrapper \
  4. --user=kubelet-bootstrap

image_1e9tchrac183fukjjtr11gj1p0oib.png-48.2kB

  1. 4.5 部署kube-controller-manager
  2. 1. 创建配置文件
  3. cat > /opt/kubernetes/cfg/kube-controller-manager.conf << EOF
  4. KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false \\
  5. --v=2 \\
  6. --log-dir=/opt/kubernetes/logs \\
  7. --leader-elect=true \\
  8. --master=127.0.0.1:8080 \\
  9. --bind-address=127.0.0.1 \\
  10. --allocate-node-cidrs=true \\
  11. --cluster-cidr=10.244.0.0/16 \\
  12. --service-cluster-ip-range=10.0.0.0/24 \\
  13. --cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem \\
  14. --cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem \\
  15. --root-ca-file=/opt/kubernetes/ssl/ca.pem \\
  16. --service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem \\
  17. --experimental-cluster-signing-duration=87600h0m0s"
  18. EOF

image_1e9tcjddm103o6me1uurpv754cio.png-122.4kB

  1. master:通过本地非安全本地端口8080连接apiserver
  2. leader-elect:当该组件启动多个时,自动选举(HA
  3. cluster-signing-cert-file/–cluster-signing-key-file:自动为kubelet颁发证书的CA,与apiserver保持一致

  1. 2. systemd管理controller-manager
  2. cat > /usr/lib/systemd/system/kube-controller-manager.service << EOF
  3. [Unit]
  4. Description=Kubernetes Controller Manager
  5. Documentation=https://github.com/kubernetes/kubernetes
  6. [Service]
  7. EnvironmentFile=/opt/kubernetes/cfg/kube-controller-manager.conf
  8. ExecStart=/opt/kubernetes/bin/kube-controller-manager \$KUBE_CONTROLLER_MANAGER_OPTS
  9. Restart=on-failure
  10. [Install]
  11. WantedBy=multi-user.target
  12. EOF

image_1e9tcl80n14er64e12944l71krsj5.png-83.2kB

  1. 3. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kube-controller-manager
  4. systemctl enable kube-controller-manager

image_1e9tcmh88gr7141rt2i1lan1mufji.png-46kB


  1. 4.6 部署kube-scheduler
  2. 1. 创建配置文件
  3. cat > /opt/kubernetes/cfg/kube-scheduler.conf << EOF
  4. KUBE_SCHEDULER_OPTS="--logtostderr=false \
  5. --v=2 \
  6. --log-dir=/opt/kubernetes/logs \
  7. --leader-elect \
  8. --master=127.0.0.1:8080 \
  9. --bind-address=127.0.0.1"
  10. EOF

image_1e9tcoekv1nh11ltcdrieii12jtjv.png-64.6kB

  1. master:通过本地非安全本地端口8080连接apiserver
  2. leader-elect:当该组件启动多个时,自动选举(HA
  1. 2. systemd管理scheduler
  2. cat > /usr/lib/systemd/system/kube-scheduler.service << EOF
  3. [Unit]
  4. Description=Kubernetes Scheduler
  5. Documentation=https://github.com/kubernetes/kubernetes
  6. [Service]
  7. EnvironmentFile=/opt/kubernetes/cfg/kube-scheduler.conf
  8. ExecStart=/opt/kubernetes/bin/kube-scheduler \$KUBE_SCHEDULER_OPTS
  9. Restart=on-failure
  10. [Install]
  11. WantedBy=multi-user.target
  12. EOF

image_1e9tcq6v3ppo1da1rio4bvu5kc.png-85.9kB

  1. 3. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kube-scheduler
  4. systemctl enable kube-scheduler

image_1e9tcs3kp1kda5eb679s0s8agkp.png-63.7kB

  1. 4. 查看集群状态
  2. 所有组件都已经启动成功,通过kubectl工具查看当前集群组件状态:
  3. kubectl get cs
  4. 如上输出说明Master节点组件运行正常。

image_1e9tctbpl12qp12deac8bih61rl6.png-51.3kB


五、部署Worker Node

  1. 下面还是在Master Node上操作,即同时作为Worker Node
  2. 5.1 创建工作目录并拷贝二进制文件
  3. 在所有worker node创建工作目录:
  4. mkdir -p /opt/kubernetes/{bin,cfg,ssl,logs}

image_1eapjj3f0c5b1ths12cpebs1g921g.png-15.6kB

image_1eapjjfvb1o4e1col1rmc1mqp7iu1t.png-22.1kB

  1. master节点拷贝
  2. cd /software/k8s/kubernetes/server/bin
  3. cp kubelet kube-proxy /opt/kubernetes/bin # 本地拷贝

image_1eapjij4q1u9ur0lssom8c1anl13.png-92kB

  1. master 节点上面执行
  2. 5.2 部署kubelet
  3. 1. 创建配置文件
  4. cat > /opt/kubernetes/cfg/kubelet.conf << EOF
  5. KUBELET_OPTS="--logtostderr=false \\
  6. --v=2 \\
  7. --log-dir=/opt/kubernetes/logs \\
  8. --hostname-override=node01.flyfish \\
  9. --network-plugin=cni \\
  10. --kubeconfig=/opt/kubernetes/cfg/kubelet.kubeconfig \\
  11. --bootstrap-kubeconfig=/opt/kubernetes/cfg/bootstrap.kubeconfig \\
  12. --config=/opt/kubernetes/cfg/kubelet-config.yml \\
  13. --cert-dir=/opt/kubernetes/ssl \\
  14. --pod-infra-container-image=lizhenliang/pause-amd64:3.0"
  15. EOF
  16. -----
  17. hostname-override:显示名称,集群中唯一
  18. network-plugin:启用CNI
  19. kubeconfig:空路径,会自动生成,后面用于连接apiserver
  20. bootstrap-kubeconfig:首次启动向apiserver申请证书
  21. config:配置参数文件
  22. cert-dirkubelet证书生成目录
  23. pod-infra-container-image:管理Pod网络容器的镜像
  24. ---

image_1eanss1ugvjol671uic1cj7ncbm.png-88.6kB

  1. 2. 配置参数文件
  2. cat > /opt/kubernetes/cfg/kubelet-config.yml << EOF
  3. kind: KubeletConfiguration
  4. apiVersion: kubelet.config.k8s.io/v1beta1
  5. address: 0.0.0.0
  6. port: 10250
  7. readOnlyPort: 10255
  8. cgroupDriver: cgroupfs
  9. clusterDNS:
  10. - 10.0.0.2
  11. clusterDomain: cluster.local
  12. failSwapOn: false
  13. authentication:
  14. anonymous:
  15. enabled: false
  16. webhook:
  17. cacheTTL: 2m0s
  18. enabled: true
  19. x509:
  20. clientCAFile: /opt/kubernetes/ssl/ca.pem
  21. authorization:
  22. mode: Webhook
  23. webhook:
  24. cacheAuthorizedTTL: 5m0s
  25. cacheUnauthorizedTTL: 30s
  26. evictionHard:
  27. imagefs.available: 15%
  28. memory.available: 100Mi
  29. nodefs.available: 10%
  30. nodefs.inodesFree: 5%
  31. maxOpenFiles: 1000000
  32. maxPods: 110
  33. EOF

image_1eanssm7s11mlk2f11rn6t81trk13.png-163kB

  1. server节点上面执行
  2. 3. 生成bootstrap.kubeconfig文件
  3. 写一个boot.sh 脚本 把下面的内容放进去
  4. ---
  5. KUBE_APISERVER="https://192.168.100.11:6443" # apiserver IP:PORT
  6. TOKEN="c47ffb939f5ca36231d9e3121a252940" # 与token.csv里保持一致
  7. # 生成 kubelet bootstrap kubeconfig 配置文件
  8. kubectl config set-cluster kubernetes \
  9. --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  10. --embed-certs=true \
  11. --server=${KUBE_APISERVER} \
  12. --kubeconfig=bootstrap.kubeconfig
  13. kubectl config set-credentials "kubelet-bootstrap" \
  14. --token=${TOKEN} \
  15. --kubeconfig=bootstrap.kubeconfig
  16. kubectl config set-context default \
  17. --cluster=kubernetes \
  18. --user="kubelet-bootstrap" \
  19. --kubeconfig=bootstrap.kubeconfig
  20. kubectl config use-context default --kubeconfig=bootstrap.kubeconfig
  21. ---
  22. . ./boot.sh

image_1eansvvl11gpppu13ip1hsfho91g.png-78.3kB

  1. 拷贝到配置文件路径:
  2. cp bootstrap.kubeconfig /opt/kubernetes/cfg

image_1eant0mp11f8c1nq5i0men11pk21t.png-78.3kB

  1. 4. systemd管理kubelet
  2. cat > /usr/lib/systemd/system/kubelet.service << EOF
  3. [Unit]
  4. Description=Kubernetes Kubelet
  5. After=docker.service
  6. [Service]
  7. EnvironmentFile=/opt/kubernetes/cfg/kubelet.conf
  8. ExecStart=/opt/kubernetes/bin/kubelet \$KUBELET_OPTS
  9. Restart=on-failure
  10. LimitNOFILE=65536
  11. [Install]
  12. WantedBy=multi-user.target
  13. EOF

image_1eant27q0qmo70411cbqrf1a3e2d.png-90.8kB

  1. 5. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kubelet
  4. systemctl enable kubelet

image_1eant2rnu5je1l7f9ab1gmem9k2q.png-75kB

  1. 5.3 批准kubelet证书申请并加入集群
  2. # 查看kubelet证书请求
  3. kubectl get csr

image_1eapjnikc1p50tj5lqa3v8ai2a.png-68.7kB

  1. # 批准申请
  2. kubectl certificate approve node-csr--vTFwyeAv5dSatbGrgpJptwQ5Fc_WvLpmYgdQN4bvaI

image_1eant82su1kis1v7f127v1n9776v3k.png-70kB

image_1e9teu80b1d8t1ta8139hl481rtlqf.png-37.3kB

  1. 注:由于网络插件还没有部署,节点会没有准备就绪 NotReady
  1. 5.4 部署kube-proxy
  2. 1. 创建配置文件
  3. cat > /opt/kubernetes/cfg/kube-proxy.conf << EOF
  4. KUBE_PROXY_OPTS="--logtostderr=false \\
  5. --v=2 \\
  6. --log-dir=/opt/kubernetes/logs \\
  7. --config=/opt/kubernetes/cfg/kube-proxy-config.yml"
  8. EOF

image_1eapjpjvm19pi11601vncv2q15ps2n.png-56.5kB

  1. 2. 配置参数文件
  2. cat > /opt/kubernetes/cfg/kube-proxy-config.yml << EOF
  3. kind: KubeProxyConfiguration
  4. apiVersion: kubeproxy.config.k8s.io/v1alpha1
  5. bindAddress: 0.0.0.0
  6. metricsBindAddress: 0.0.0.0:10249
  7. clientConnection:
  8. kubeconfig: /opt/kubernetes/cfg/kube-proxy.kubeconfig
  9. hostnameOverride: node01.flyfish
  10. clusterCIDR: 10.0.0.0/24
  11. mode: ipvs
  12. ipvs:
  13. scheduler: "rr"
  14. iptables:
  15. masqueradeAll: true
  16. EOF

image_1eapjqdev1tc2vio1ou81u8v2ja34.png-115.1kB

  1. # 切换工作目录
  2. cd /root/TLS/k8s
  3. # 创建证书请求文件
  4. cat > kube-proxy-csr.json << EOF
  5. {
  6. "CN": "system:kube-proxy",
  7. "hosts": [],
  8. "key": {
  9. "algo": "rsa",
  10. "size": 2048
  11. },
  12. "names": [
  13. {
  14. "C": "CN",
  15. "L": "BeiJing",
  16. "ST": "BeiJing",
  17. "O": "k8s",
  18. "OU": "System"
  19. }
  20. ]
  21. }
  22. EOF
  23. ---
  24. # 生成证书
  25. cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=kubernetes kube-proxy-csr.json | cfssljson -bare kube-proxy
  26. ls kube-proxy*pem
  27. kube-proxy-key.pem kube-proxy.pem
  28. cp -p kube-proxy-key.pem kube-proxy.pem /opt/kubernetes/ssl/

image_1eapjsne74vb3v7ipb4mq1iiq3h.png-209kB

image_1eapjt3pu1gru1p4p12vj6ds17a93u.png-141kB

  1. 生成kubeconfig文件:
  2. cd /opt/kubernetes/ssl/
  3. vim kubeconfig.sh
  4. ---
  5. KUBE_APISERVER="https://192.168.100.11:6443"
  6. kubectl config set-cluster kubernetes \
  7. --certificate-authority=/opt/kubernetes/ssl/ca.pem \
  8. --embed-certs=true \
  9. --server=${KUBE_APISERVER} \
  10. --kubeconfig=kube-proxy.kubeconfig
  11. kubectl config set-credentials kube-proxy \
  12. --client-certificate=./kube-proxy.pem \
  13. --client-key=./kube-proxy-key.pem \
  14. --embed-certs=true \
  15. --kubeconfig=kube-proxy.kubeconfig
  16. kubectl config set-context default \
  17. --cluster=kubernetes \
  18. --user=kube-proxy \
  19. --kubeconfig=kube-proxy.kubeconfig
  20. kubectl config use-context default --kubeconfig=kube-proxy.kubeconfig
  21. ---
  22. . ./kubeconfig.sh
  23. cp -p kube-proxy.kubeconfig /opt/kubernetes/cfg/

image_1eapjvsbq1o5bkd8gvv2091v4i55.png-183.1kB

image_1eapjvdo4o1m135ienkcsd1h6d4o.png-73.4kB

  1. 4. systemd管理kube-proxy
  2. cat > /usr/lib/systemd/system/kube-proxy.service << EOF
  3. [Unit]
  4. Description=Kubernetes Proxy
  5. After=network.target
  6. [Service]
  7. EnvironmentFile=/opt/kubernetes/cfg/kube-proxy.conf
  8. ExecStart=/opt/kubernetes/bin/kube-proxy \$KUBE_PROXY_OPTS
  9. Restart=on-failure
  10. LimitNOFILE=65536
  11. [Install]
  12. WantedBy=multi-user.target
  13. EOF

image_1eapk0vdp7dvd661ma21eqd2q95i.png-79.3kB

  1. 5. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kube-proxy
  4. systemctl enable kube-proxy

image_1eapk1en5132uare1ov11god1olk5v.png-58.3kB

  1. 5.5 部署CNI网络
  2. 先准备好CNI二进制文件:
  3. 下载地址:https://github.com/containernetworking/plugins/releases/download/v0.8.6/cni-plugins-linux-amd64-v0.8.6.tgz
  4. 解压二进制包并移动到默认工作目录:
  5. mkdir /opt/cni/bin -p
  6. tar zxvf cni-plugins-linux-amd64-v0.8.6.tgz -C /opt/cni/bin

image_1eapk39gj2cs1n931o0rc6u1s8b6s.png-109.2kB

  1. 部署CNI网络:
  2. wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
  3. sed -i -r "s#quay.io/coreos/flannel:.*-amd64#lizhenliang/flannel:v0.12.0-amd64#g" kube-flannel.yml

image_1eapk4ggk12a212rc15harmk1mm79.png-167.5kB

  1. kubectl apply -f kube-flannel.yml
  2. kubectl get pods -n kube-system
  3. 部署好网络插件,Node准备就绪。
  4. kubectl get node

image_1eapk5geh2ngvqsanoqcp11vt7m.png-137.9kB

image_1eapk61qb1sevp081d38ll21vdb83.png-48.7kB


  1. 5.6 授权apiserver访问kubelet
  2. cat > apiserver-to-kubelet-rbac.yaml << EOF
  3. apiVersion: rbac.authorization.k8s.io/v1
  4. kind: ClusterRole
  5. metadata:
  6. annotations:
  7. rbac.authorization.kubernetes.io/autoupdate: "true"
  8. labels:
  9. kubernetes.io/bootstrapping: rbac-defaults
  10. name: system:kube-apiserver-to-kubelet
  11. rules:
  12. - apiGroups:
  13. - ""
  14. resources:
  15. - nodes/proxy
  16. - nodes/stats
  17. - nodes/log
  18. - nodes/spec
  19. - nodes/metrics
  20. - pods/log
  21. verbs:
  22. - "*"
  23. ---
  24. apiVersion: rbac.authorization.k8s.io/v1
  25. kind: ClusterRoleBinding
  26. metadata:
  27. name: system:kube-apiserver
  28. namespace: ""
  29. roleRef:
  30. apiGroup: rbac.authorization.k8s.io
  31. kind: ClusterRole
  32. name: system:kube-apiserver-to-kubelet
  33. subjects:
  34. - apiGroup: rbac.authorization.k8s.io
  35. kind: User
  36. name: kubernetes
  37. EOF
  38. ---
  39. kubectl apply -f apiserver-to-kubelet-rbac.yaml

image_1e9tgdpn01cjs1lg64gs1an9sc7vo.png-115.4kB

image_1e9tge5i616qm1e9dk401ifh211105.png-40.9kB

  1. 5.7 新增加Worker Node
  2. 1. 拷贝已部署好的Node相关文件到新节点
  3. master节点将Worker Node涉及文件拷贝到新节点192.168.100.13 上面
  4. scp -r /opt/kubernetes root@192.168.100.12:/opt/
  5. scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.100.12:/usr/lib/systemd/system
  6. scp -r /opt/cni/ root@192.168.100.12:/opt/
  7. scp /opt/kubernetes/ssl/ca.pem root@192.168.100.12:/opt/kubernetes/ssl

image_1eapkbdkb5al12bo1prd1aol105g8g.png-127.2kB

image_1eapkk0k91cbksk3vca1j6cc4va7.png-148.3kB


  1. 2. 删除kubelet证书和kubeconfig文件
  2. rm -rf /opt/kubernetes/cfg/kubelet.kubeconfig
  3. rm -rf /opt/kubernetes/ssl/kubelet*

image_1eapkdp162c6gb3b991bsq1oo59q.png-32.1kB

image_1eapkdcop1esm1vu01nk8mppj159d.png-37.6kB

  1. 3. 修改主机名
  2. vim /opt/kubernetes/cfg/kubelet.conf
  3. --hostname-override=node02.flyfish
  4. vim /opt/kubernetes/cfg/kube-proxy-config.yml
  5. hostnameOverride: node02.flyfish

  1. 4. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kubelet
  4. systemctl enable kubelet
  5. systemctl start kube-proxy
  6. systemctl enable kube-proxy

image_1e9u4ke6018vnr7d1i7h18fifti13.png-100.7kB

  1. 5. Master上批准新Node kubelet证书申请
  2. kubectl get csr

image_1eapkpbv81t8hl6urmg155o16vpak.png-72.9kB

  1. kubectl certificate approve node-csr-qFbDvbTwo9SP2ZEDyiKfXCBGxO4n4Qe7FCehyPKiXNc

image_1eapkr5nud7s1iqv1ceikks17j1be.png-38.5kB

增加 一个 work节点:

  1. 增加 一个 work节点:
  2. scp -r /opt/kubernetes root@192.168.100.13:/opt/
  3. scp -r /usr/lib/systemd/system/{kubelet,kube-proxy}.service root@192.168.100.13:/usr/lib/systemd/system
  4. scp -r /opt/cni/ root@192.168.100.13:/opt/
  5. scp /opt/kubernetes/ssl/ca.pem root@192.168.100.13:/opt/kubernetes/ssl

image_1eapkut0i106up8i1gstndi92dc8.png-161.9kB

image_1eapkva731l8o1as21fnactq1470cl.png-241.3kB

  1. 2. 删除kubelet证书和kubeconfig文件
  2. rm -rf /opt/kubernetes/cfg/kubelet.kubeconfig
  3. rm -rf /opt/kubernetes/ssl/kubelet*

image_1eapl0vki19k31kgr1lr9vna1htd2.png-41.6kB

  1. 3. 修改主机名
  2. vim /opt/kubernetes/cfg/kubelet.conf
  3. --hostname-override=node03.flyfish
  4. vim /opt/kubernetes/cfg/kube-proxy-config.yml
  5. hostnameOverride: node03.flyfish

image_1eapl3bn74r1d4hf3o1v9s13modf.png-51.7kB

  1. 4. 启动并设置开机启动
  2. systemctl daemon-reload
  3. systemctl start kubelet
  4. systemctl enable kubelet
  5. systemctl start kube-proxy
  6. systemctl enable kube-proxy

image_1eapl4psu1t3l132b3br14ri1k8uds.png-103.4kB

  1. 5. Master上批准新Node kubelet证书申请
  2. kubectl get csr
  3. kubectl certificate approve node-csr-5ZsKjw2Udxrc97q4MtShig83PUJww7E3y_2mpvkMZr0

image_1eapl79ddt9pid81djg6321flqe9.png-146.2kB

  1. kubectl get node

image_1eaplag0p1dcr13o2tpv1p6n11ctf3.png-52.2kB

六、部署Dashboard和CoreDNS

  1. 6.1 部署Dashboard
  2. $ wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-beta8/aio/deploy/recommended.yaml
  3. 默认Dashboard只能集群内部访问,修改ServiceNodePort类型,暴露到外部:
  4. vim recommended.yaml
  5. ----
  6. kind: Service
  7. apiVersion: v1
  8. metadata:
  9. labels:
  10. k8s-app: kubernetes-dashboard
  11. name: kubernetes-dashboard
  12. namespace: kubernetes-dashboard
  13. spec:
  14. ports:
  15. - port: 443
  16. targetPort: 8443
  17. nodePort: 30001
  18. type: NodePort
  19. selector:
  20. k8s-app: kubernetes-dashboard
  21. ----

image_1eaplkvlu1r9ntbh17eg5gs16f0fg.png-81.4kB

image_1eapllvdl1oes15631gir13g79jqft.png-270.3kB

image_1eaplmb5oun4tepobq19a6gn5ga.png-128.7kB

  1. kubectl get pods,svc -n kubernetes-dashboard

image_1eapln8uprie1ov81gjl4b61me1gn.png-78.5kB

  1. 访问地址:https://NodeIP:30001
  2. 创建service account并绑定默认cluster-admin管理员集群角色:
  3. kubectl create serviceaccount dashboard-admin -n kube-system
  4. kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
  5. kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

image_1eaplpmr21e7g18cl19alt7p1j77hh.png-269.1kB

image_1eaploq769d25e1q8u19c018sfh4.png-254.1kB

image_1eaplqg961e774ilkb4173hd7ihu.png-380kB

image_1eaplrdj018v0afs7qtefh1l1eib.png-451.9kB

6.2 部署CoreDNS

  1. CoreDNS用于集群内部Service名称解析。
  2. kubectl apply -f coredns.yaml

image_1eapmkg6u75n16uauov1kkri76io.png-68.8kB

image_1eapmm78a1f08ghb1al21tht1sckj5.png-58.5kB

  1. DNS解析测试:
  2. kubectl run -it --rm dns-test --image=busybox:1.28.4 sh
  3. nslookup kubernetes

image_1eapmodr11dfc1hpt4b5rg1khfji.png-64.6kB

  1. 报错记录
  2. 创建apiserverkubelet的权限,就是没有给kubernetes用户rbac授权
  3. error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)
  4. ----
  5. cat > apiserver-to-kubelet.yaml <<EOF
  6. apiVersion: rbac.authorization.k8s.io/v1
  7. kind: ClusterRole
  8. metadata:
  9. annotations:
  10. rbac.authorization.kubernetes.io/autoupdate: "true"
  11. labels:
  12. kubernetes.io/bootstrapping: rbac-defaults
  13. name: system:kubernetes-to-kubelet
  14. rules:
  15. - apiGroups:
  16. - ""
  17. resources:
  18. - nodes/proxy
  19. - nodes/stats
  20. - nodes/log
  21. - nodes/spec
  22. - nodes/metrics
  23. verbs:
  24. - "*"
  25. ---
  26. apiVersion: rbac.authorization.k8s.io/v1
  27. kind: ClusterRoleBinding
  28. metadata:
  29. name: system:kubernetes
  30. namespace: ""
  31. roleRef:
  32. apiGroup: rbac.authorization.k8s.io
  33. kind: ClusterRole
  34. name: system:kubernetes-to-kubelet
  35. subjects:
  36. - apiGroup: rbac.authorization.k8s.io
  37. kind: User
  38. name: kubernetes
  39. EOF
  40. ----
  41. kubectl apply -f apiserver-to-kubelet.yaml

image_1epi4qo9m1mk61qfh19tcl241uqo9.png-167.5kB

添加新批注
在作者公开此批注前,只有你和作者可见。
回复批注