kubernetes1.9用kubeadm安裝(包含calico、dashboard)
基礎環境
關閉防火牆 selinux
1 2 |
$ systemctl stop firewalld && systemctl disable firewalld $ setenforce 0 |
開啟forward sysctl -w net.ipv4.ip_forward=1
關閉swap
swapoff -a 再把/etc/fstab檔案中帶有swap的行刪了,沒有就無視
裝這兩工具如果沒裝的話
yum install -y ebtables socat
IPv4 iptables 鏈設定 CNI外掛需要
sysctl net.bridge.bridge-nf-call-iptables=1
牆外安裝
在國內是很難使用這種方式安裝了,推薦檢視離線安裝的方案
裝docker
yum install -y docker systemctl enable docker && systemctl start docker
裝kubeadm kubectl kubelet
1 2 3 4 5 6 7 8 9 10 11 12 13 |
cat <<EOF > /etc/yum.repos.d/kubernetes.repo [kubernetes] name=Kubernetes baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg EOF setenforce 0 yum install -y kubelet kubeadm kubectl systemctl enable kubelet && systemctl start kubelet |
關閉SElinux
setenforce 0
cat < /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 EOF sysctl –system
然後與離線安裝啟動master無異, kubeadm init
離線安裝
福利,我已經把所有依賴的映象,二進位制檔案,配置檔案都打成了包,解決您所有依賴,花了很多時間整理這個,放在了阿里雲市場上,希望大家給點小支援 賞我一杯咖啡
這包裡面把大部分操作都寫在簡單的腳本里面了,在master節點執行 init-master.sh 在node節點執行init-node.sh 安裝dashboard執行init-dashboard.sh。
然後就可以在node節點執行master輸出出來的join命令了。包的最大價值在於沒有任何依賴了,再也不用訪問不了國外某網而頭疼了。
安裝kubelet服務,和kubeadm
下載bin檔案 地址
把下載好的kubelet kubectl kubeadm 直接拷貝到/usr/bin下面
配置kubelet systemd服務
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
cat <<EOF > /etc/systemd/system/kubelet.service [Unit] Description=kubelet: The Kubernetes Node Agent Documentation=http://kubernetes.io/docs/ [Service] ExecStart=/usr/bin/kubelet Restart=always StartLimitInterval=0 RestartSec=10 [Install] WantedBy=multi-user.target EOF |
1 2 3 4 5 6 7 8 9 10 11 12 13 |
cat <<EOF > /etc/systemd/system/kubelet.service.d/10-kubeadm.conf [Service] Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf" Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true" Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin" Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local" Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt" Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0" Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs" Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki" ExecStart= ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CGROUP_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS EOF |
這裡需要主意的是要看一下docker的cgroup driver與 –cgroup-driver要一致。 可以用 docker info |grep Cgroup 檢視,有可能是systemd 或者 cgroupfs
增加主機名解析
為了防止無法解析主機名,修改/etc/hosts把主機名與ip的對映寫上
啟動master節點
這裡得把google的一票映象想辦法弄下來
1 |
kubeadm init --pod-network-cidr=192.168.0.0/16 --kubernetes-version v1.8.0 --skip-preflight-checks |
- –pod-network-cidr 引數安裝calico網路時需要
- –kubernetes-version 不加的話會去請求公網查詢版本資訊
- –skip-preflight-checks 解決一個kubelet目錄不空的小bug
看到這些輸出時你便成功了:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
To start using your cluster, you need to run (as a regular user): mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at: http://kubernetes.io/docs/admin/addons/ You can now join any number of machines by running the following on each node as root: kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash> |
照著執行:
1 2 3 |
mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config |
安裝calico網路
1 |
kubectl apply -f https://docs.projectcalico.org/v2.6/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml |
join node節點
同樣到node節點安裝kubelet和kubeadm,和master節點操作一樣,不再贅述。 然後執行master節點init輸出的那個命令:
1 |
kubeadm join --token <token> <master-ip>:<master-port> --discovery-token-ca-cert-hash sha256:<hash> |
執行完成後在master節點用kubectl驗證節點是否健康
1 2 3 |
[[email protected] ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION dev-86-202 NotReady master 17h v1.8.1 |
注意,master節點預設是不作為node的,也不推薦做node節點。 如果需要把master當node:
1 |
[[email protected] ~]# kubectl taint nodes --all node-role.kubernetes.io/master- |
安裝dashboard
安裝dashboard不難,使用時還真有點繞,主要是RBAC, 先介紹個簡單的
1 |
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/alternative/kubernetes-dashboard.yaml |
安裝完之後, 使用nodeport方式訪問
1 |
kubectl -n kube-system edit service kubernetes-dashboard |
把type: ClusterIP 改成 type: NodePort 然後儲存
1 2 3 |
$ kubectl -n kube-system get service kubernetes-dashboard NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes-dashboard 10.100.124.90 <nodes> 443:31707/TCP 21h |
https://masterip:31707 就可以訪問dashboard了, 然而 。。 還不能用。
建立一個 dashboard-admin.yaml
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: kubernetes-dashboard labels: k8s-app: kubernetes-dashboard roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system |
kubectl create -f dashboard-admin.yaml
然後在介面上直接點skip就可以了,不過你懂的,這很不安全。 真正安全的做法 請關注我進一步討論:https://github.com/fanux
給節點加上角色
1 |
kubectl label node node1 kubernetes.io/role=node |
常見問題
kubelet服務啟動不了?
cgroup driver配置要相同
檢視docker cgroup driver:
1 |
docker info|grep Cgroup |
有systemd和cgroupfs兩種,把kubelet service配置改成與docker一致
vim /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
KUBELET_CGROUP_ARGS=–cgroup-driver=cgroupfs #這個配置與docker改成一致
節點not ready ?
建議安裝calico網路,如果要把主節點當成node節點需要加個命令:
1 |
[[email protected] ~]# kubectl taint nodes --all node-role.kubernetes.io/master- |
dashboard 訪問不了?
如果是NodePort方式訪問,那需要知道dashboard服務具體排程到哪個節點上去了。訪問那個節點的ip而不是master的ip。 不行的話把https 改成http試試。
檢視具體在哪個節點
1 |
kubectl get pod -n kube-system -o wide |
拉取映象失敗?
可以把node節點與master節點的映象都在每個節點load一下。
dashboard crash, dns起不來?
可以把node節點與master節點的映象都在每個節點load一下。
192.168網段與calico網段衝突?
如果你恰好也是192.168網段,那麼建議修改一下calico的網段
這樣init
1 |
kubeadm init --pod-network-cidr=192.168.122.0/24 --kubernetes-version v1.8.1 |
修改calico.yaml
1 2 3 4 5 6 7 8 9 10 |
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION value: "ACCEPT" # Configure the IP Pool from which Pod IPs will be chosen. - name: CALICO_IPV4POOL_CIDR value: "192.168.122.0/24" - name: CALICO_IPV4POOL_IPIP value: "always" # Disable IPv6 on Kubernetes. - name: FELIX_IPV6SUPPORT value: "false" |
dns 半天起不來?
dns映象如果load成功了的話,可能是機器配置太低,起的會非常慢,有朋友 單核2G上15分鐘沒啟動成功。 建議雙核4G以上資源
如果還起不來請kubeadm reset重來一下,有客戶是通過這種方式解決這個問題的.
kubelet unhealthy?
1 2 3 |
[kubelet-check] The HTTP call equal to 'curl -sSL http://localhost:10255/healthz/syncloop' failed with error: Get http://localhost:10255/healthz/syncloop: dial tcp 127.0.0.1:10255: getsockopt: connection refused. [kubelet-check] It seems like the kubelet isn't running or healthy. |
可能是manifast已經存在,刪除即可:
1 |
[[email protected] kubeadm]# rm -rf /etc/kubernetes/manifests |
時間超過24小時,節點加不進去?
1 2 3 |
[[email protected] test]# kubeadm token create [kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --ttl 0) 887ac7.e82f0e13ad72c367 |
上面命令重新生成一下token,執行kubeadm join 時用上面的token替換一下,如果想永遠不過期init時把ttl設定成0
–token-ttl duration
calico pod 中一個容器起不來,Calico node ‘xxx’ is already using the IPv4 address 192.168.152.65
1 2 |
rm -rf /var/etcd/ kubeadm reset |
重灌
卡在拉映象的地方
關閉防火牆和selinux
1 2 |
$ systemctl stop firewalld && systemctl disable firewalld $ setenforce 0 |
1 2 3 |
$ echo 'Environment="KUBELET_EXTRA_ARGS=--fail-swap-on=false"' > /etc/systemd/system/kubelet.service.d/90-local-extras.conf $ systemctl daemon-reload $ systemctl restart kubelet |
Failed to get system container stats for “/system.slice/docker.service”
kubelet啟動引數加:
1 |
--runtime-cgroups=/systemd/system.slice --kubelet-cgroups=/systemd/system.slice |
節點無法加入
dns沒起來就join,或者伺服器時間沒同步
使用配置檔案指定外部etcd叢集
config.yaml:
1 2 3 4 5 6 7 8 |
apiVersion: kubeadm.k8s.io/v1alpha1 kind: MasterConfiguration etcd: endpoints: - http://10.1.245.94:2379 networking: podSubnet: 192.168.0.0/16 kubernetesVersion: v1.8.1 |
etcd.yaml:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
version: '2' services: etcd: container_name: etcd_infra0 image: quay.io/coreos/etcd:v3.1.10 command: | etcd --name infra0 --initial-advertise-peer-urls http://10.1.245.94:2380 --listen-peer-urls http://10.1.245.94:2380 --listen-client-urls http://10.1.245.94:2379,http://127.0.0.1:2379 --advertise-client-urls http://10.1.245.94:2379 --data-dir /etcd-data.etcd --initial-cluster-token etcd-cluster-1 -initial-cluster infra0=http://10.1.245.94:2380 --initial-cluster-state new volumes: - /data/etcd-data.etcd:/etcd-data.etcd network_mode: "host" |
1 2 3 |
$ pip install docker-compose $ docker-compose -f etcd.yaml up -d $ kubeadm init --config config.yaml |