Author: ACatSmiling
Since: 2024-10-17
配置要求
伺服器要求:
- k8s-master:192.168.1.120。
- k8s-node1:192.168.1.121。
- k8s-node1:192.168.1.122。
每臺伺服器最低配置:2 核、2G 記憶體、20G 硬碟。
使用 Hyper-V 時,注意配置動態記憶體的最小值:
作業系統
[root@k8s-master k8s]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root@k8s-master k8s]# uname -r
3.10.0-1160.el7.x86_64
[root@k8s-master k8s]# uname -a
Linux k8s-master 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
設定 hostname
[root@k8s-master ~]# hostnamectl set-hostname k8s-master
- 修改 hostname 後,需要重啟虛擬機器。
設定 hosts
[root@k8s-master ~]# vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.120 k8s-master
192.168.1.121 k8s-node1
192.168.1.122 k8s-node2
關閉防火牆
# 檢視防火牆狀態
[root@k8s-master ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-08-27 23:20:58 CST; 21min ago
Docs: man:firewalld(1)
Main PID: 549 (firewalld)
CGroup: /system.slice/firewalld.service
└─549 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Aug 27 23:20:58 master systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 27 23:20:58 master systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 27 23:20:58 master firewalld[549]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will... it now.
Hint: Some lines were ellipsized, use -l to show in full.
# 關閉防火牆
[root@k8s-master ~]# systemctl stop firewalld
# 禁止防火牆開機自啟
[root@k8s-master ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@k8s-master ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Aug 27 23:20:58 master systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 27 23:20:58 master systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 27 23:20:58 master firewalld[549]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will... it now.
Aug 27 23:42:27 master systemd[1]: Stopping firewalld - dynamic firewall daemon...
Aug 27 23:42:28 master systemd[1]: Stopped firewalld - dynamic firewall daemon.
Hint: Some lines were ellipsized, use -l to show in full.
$ systemctl stop firewalld $ systemctl disable firewalld
關閉 swap
[root@k8s-master ~]# free -m
total used free shared buff/cache available
Mem: 3950 2286 918 8 745 1437
Swap: 4095 0 4095
[root@k8s-master ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Aug 22 23:53:48 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f724baab-c349-497d-ba1f-da8f619fdf89 / xfs defaults 0 0
UUID=F0B8-EAC5 /boot/efi vfat umask=0077,shortname=winnt 0 0
UUID=94ca6141-23b0-4eff-ab4f-ae74b1cfe406 swap swap defaults 0 0
# 永久關閉 swap
[root@k8s-master ~]# sed -ri 's/.*swap.*/#&/' /etc/fstab
[root@k8s-master ~]# cat /etc/fstab
#
# /etc/fstab
# Created by anaconda on Thu Aug 22 23:53:48 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
UUID=f724baab-c349-497d-ba1f-da8f619fdf89 / xfs defaults 0 0
UUID=F0B8-EAC5 /boot/efi vfat umask=0077,shortname=winnt 0 0
#UUID=94ca6141-23b0-4eff-ab4f-ae74b1cfe406 swap swap defaults 0 0
# 關閉 swap 後,一定要重啟虛擬機器
[root@k8s-master ~]# reboot
[root@k8s-master ~]# free -m
total used free shared buff/cache available
Mem: 3950 198 3671 8 79 3593
Swap: 0 0 0
- 臨時關閉:
swapoff -a
。
$ sed -ri 's/.*swap.*/#&/' /etc/fstab $ reboot
關閉 selinux
[root@k8s-master ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# 永久關閉
[root@k8s-master ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
[root@k8s-master ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
- 臨時關閉:
setenforce 0
。
SELinux 是一個為 Linux 提供訪問控制安全策略的安全模組,它透過定義和執行安全策略來限制程序對系統資源的訪問,從而增強系統的安全性。然而,K8s 叢集的某些元件或配置可能與 SELinux 的預設策略不相容,導致安裝或執行過程中出現許可權問題。
- 臨時關閉
# 此命令將 SELinux 設定為寬容模式(permissive mode),在這種模式下,SELinux 會記錄違反策略的行為但不會阻止它們 $ setenforce 0
- 永久關閉
$ sed -i 's/SELINUX=permissive/SELINUX=disabled/' /etc/sysconfig/selinux $ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config $ reboot
需要注意的是,關閉 SELinux 會降低系統的安全性。因此,在關閉 SELinux 之前,應該仔細評估潛在的安全風險,並確保已經採取了其他適當的安全措施來保護系統。
在 K8s 叢集中,關閉 Swap 和 SELinux 是出於效能和穩定性方面的考慮。
為什麼要關閉 Swap?
效能問題:
Swap 記憶體通常比實體記憶體慢很多。當系統記憶體不足時,Linux 會將部分記憶體內容交換到磁碟上的 Swap 分割槽中,這會導致應用程式的效能顯著下降。在 K8s 叢集中,容器應用對效能有較高要求,頻繁的 Swap 操作會嚴重影響這些應用的執行效率。
關閉 Swap 可以避免這種效能損失,確保容器應用能夠直接從實體記憶體中獲取所需資源,從而提高整體效能。
穩定性問題:
K8s 對容器執行環境的要求比較高,關閉 Swap 可以減少因為記憶體兌換(即記憶體與 Swap 之間的資料交換)引起的異常現象。這有助於確保叢集的穩定性,避免因為記憶體問題導致的容器崩潰或系統不穩定。
資源管理:
K8s 本身對記憶體的管理非常嚴格,它透過資源配額(Resource Quotas)和限制(Limits)來確保容器不會超出其分配的資源範圍。如果啟用 Swap,這些管理機制可能無法有效發揮作用,因為 Swap 允許容器在實體記憶體不足時繼續執行,但效能會大幅下降。
為什麼要關閉 SELinux?
相容性問題:
SELinux 是一種安全增強型的 Linux 核心安全模組,它可以提供強大的訪問控制機制。然而,在某些情況下,SELinux 可能會與 K8s 的某些元件或特性不相容,導致叢集執行不穩定或出現許可權問題。
簡化部署和管理:
關閉 SELinux 可以簡化 K8s 的部署和管理過程。在沒有 SELinux 的情況下,管理員可以更容易地配置和除錯叢集,而無需擔心 SELinux 的安全策略可能會干擾叢集的正常執行。
安全風險:
雖然 SELinux 可以增強系統的安全性,但在某些情況下,它也可能成為安全漏洞的源頭。例如,如果 SELinux 的策略配置不當,可能會允許未授權的訪問或操作。因此,在某些情況下,關閉 SELinux 可能是一種更安全的選擇,特別是當管理員能夠確保透過其他方式(如網路隔離、身份驗證等)來保護系統時。
綜上所述,關閉 Swap 和 SELinux 是 K8s 叢集部署中的常見做法,旨在提高叢集的效能和穩定性,並簡化部署和管理過程。然而,這些決策也需要在安全性和效能之間做出權衡,並根據具體的業務需求和安全策略來確定是否適用。
將橋接的 IPv4 流量傳遞到 iptables 的鏈
[root@k8s-master ~]# cat > /etc/sysctl.d/k8s.conf << EOF
> net.ipv4.ip_forward = 1
> net.bridge.bridge-nf-call-ip6tables = 1
> net.bridge.bridge-nf-call-iptables = 1
> vm.swappiness = 0
> EOF
# 生效配置
[root@k8s-master ~]# sysctl --system
* Applying /usr/lib/sysctl.d/00-system.conf ...
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
kernel.yama.ptrace_scope = 0
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
kernel.kptr_restrict = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.d/k8s.conf ...
net.ipv4.ip_forward = 1
vm.swappiness = 0
* Applying /etc/sysctl.conf ...
$ cat > /etc/sysctl.d/k8s.conf << EOF net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-ip6tables = 1 net.bridge.bridge-nf-call-iptables = 1 vm.swappiness = 0 EOF $ sysctl --system
時間同步
[root@k8s-master ~]# yum -y install ntpdate
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
Resolving Dependencies
--> Running transaction check
---> Package ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================================
Installing:
ntpdate x86_64 4.2.6p5-29.el7.centos.2 base 87 k
Transaction Summary
=====================================================================================================================================================
Install 1 Package
Total download size: 87 k
Installed size: 121 k
Downloading packages:
ntpdate-4.2.6p5-29.el7.centos.2.x86_64.rpm | 87 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : ntpdate-4.2.6p5-29.el7.centos.2.x86_64 1/1
Verifying : ntpdate-4.2.6p5-29.el7.centos.2.x86_64 1/1
Installed:
ntpdate.x86_64 0:4.2.6p5-29.el7.centos.2
Complete!
[root@k8s-master ~]# ntpdate time.windows.com
28 Aug 00:08:27 ntpdate[1077]: adjust time server 52.231.114.183 offset 0.248979 sec
$ yum -y install ntpdate $ ntpdate time.windows.com
Docker 安裝
安裝過程略。
注意,Docker 在預設情況下使用 Vgroup Driver 為 cgroupfs,而 Kubernetes 推薦使用 systemd 來替代 cgroupfs,因此,Docker 安裝好後,需要修改配置檔案 daemon.json,新增以下配置:
"exec-opts": ["native.cgroupdriver=systemd"]
配置 Kubernetes 映象源
[root@k8s-master yum.repos.d]# cat > /etc/yum.repos.d/kubernetes.repo << EOF
> [kubernetes]
> name=Kubernetes
> baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
> enabled=1
> gpgcheck=0
> repo_gpgcheck=0
> gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
> EOF
$ cat > /etc/yum.repos.d/kubernetes.repo << EOF [kubernetes] name=Kubernetes baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled=1 gpgcheck=0 repo_gpgcheck=0 gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF
安裝 kubeadm、kubelet 和 kubectl
[root@k8s-master yum.repos.d]# yum install -y --setopt=obsoletes=0 kubeadm-1.23.6 kubelet-1.23.6 kubectl-1.23.6
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
docker-ce-stable | 3.5 kB 00:00:00
extras | 2.9 kB 00:00:00
kubernetes | 1.4 kB 00:00:00
updates | 2.9 kB 00:00:00
kubernetes/primary | 137 kB 00:00:00
kubernetes 1022/1022
Resolving Dependencies
--> Running transaction check
---> Package kubeadm.x86_64 0:1.23.6-0 will be installed
--> Processing Dependency: kubernetes-cni >= 0.8.6 for package: kubeadm-1.23.6-0.x86_64
--> Processing Dependency: cri-tools >= 1.19.0 for package: kubeadm-1.23.6-0.x86_64
---> Package kubectl.x86_64 0:1.23.6-0 will be installed
---> Package kubelet.x86_64 0:1.23.6-0 will be installed
--> Processing Dependency: socat for package: kubelet-1.23.6-0.x86_64
--> Processing Dependency: conntrack for package: kubelet-1.23.6-0.x86_64
--> Running transaction check
---> Package conntrack-tools.x86_64 0:1.4.4-7.el7 will be installed
--> Processing Dependency: libnetfilter_cttimeout.so.1(LIBNETFILTER_CTTIMEOUT_1.1)(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
--> Processing Dependency: libnetfilter_cttimeout.so.1(LIBNETFILTER_CTTIMEOUT_1.0)(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
--> Processing Dependency: libnetfilter_cthelper.so.0(LIBNETFILTER_CTHELPER_1.0)(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
--> Processing Dependency: libnetfilter_queue.so.1()(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
--> Processing Dependency: libnetfilter_cttimeout.so.1()(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
--> Processing Dependency: libnetfilter_cthelper.so.0()(64bit) for package: conntrack-tools-1.4.4-7.el7.x86_64
---> Package cri-tools.x86_64 0:1.26.0-0 will be installed
---> Package kubernetes-cni.x86_64 0:1.2.0-0 will be installed
---> Package socat.x86_64 0:1.7.3.2-2.el7 will be installed
--> Running transaction check
---> Package libnetfilter_cthelper.x86_64 0:1.0.0-11.el7 will be installed
---> Package libnetfilter_cttimeout.x86_64 0:1.0.0-7.el7 will be installed
---> Package libnetfilter_queue.x86_64 0:1.0.2-2.el7_2 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================================================================
Package Arch Version Repository Size
=====================================================================================================================================================
Installing:
kubeadm x86_64 1.23.6-0 kubernetes 9.0 M
kubectl x86_64 1.23.6-0 kubernetes 9.5 M
kubelet x86_64 1.23.6-0 kubernetes 21 M
Installing for dependencies:
conntrack-tools x86_64 1.4.4-7.el7 base 187 k
cri-tools x86_64 1.26.0-0 kubernetes 8.6 M
kubernetes-cni x86_64 1.2.0-0 kubernetes 17 M
libnetfilter_cthelper x86_64 1.0.0-11.el7 base 18 k
libnetfilter_cttimeout x86_64 1.0.0-7.el7 base 18 k
libnetfilter_queue x86_64 1.0.2-2.el7_2 base 23 k
socat x86_64 1.7.3.2-2.el7 base 290 k
Transaction Summary
=====================================================================================================================================================
Install 3 Packages (+7 Dependent packages)
Total download size: 65 M
Installed size: 296 M
Downloading packages:
(1/10): conntrack-tools-1.4.4-7.el7.x86_64.rpm | 187 kB 00:00:00
(2/10): 89104c7beafab5f04d6789e5425963fc8f91ba9711c9603f1ad89003cdea4fe4-kubeadm-1.23.6-0.x86_64.rpm | 9.0 MB 00:00:02
(3/10): 3f5ba2b53701ac9102ea7c7ab2ca6616a8cd5966591a77577585fde1c434ef74-cri-tools-1.26.0-0.x86_64.rpm | 8.6 MB 00:00:02
(4/10): 868c4a6ee448d1e8488938812a19a991b5132c81de511cd737d93493b98451cc-kubectl-1.23.6-0.x86_64.rpm | 9.5 MB 00:00:02
(5/10): libnetfilter_cthelper-1.0.0-11.el7.x86_64.rpm | 18 kB 00:00:00
(6/10): libnetfilter_cttimeout-1.0.0-7.el7.x86_64.rpm | 18 kB 00:00:00
(7/10): libnetfilter_queue-1.0.2-2.el7_2.x86_64.rpm | 23 kB 00:00:00
(8/10): socat-1.7.3.2-2.el7.x86_64.rpm | 290 kB 00:00:00
(9/10): 68a98b2ae673eef4a5ddbf1f3c830db0df8fbb888e035aea6054677d88f8a8bc-kubelet-1.23.6-0.x86_64.rpm | 21 MB 00:00:05
(10/10): 0f2a2afd740d476ad77c508847bad1f559afc2425816c1f2ce4432a62dfe0b9d-kubernetes-cni-1.2.0-0.x86_64.rpm | 17 MB 00:00:04
-----------------------------------------------------------------------------------------------------------------------------------------------------
Total 7.3 MB/s | 65 MB 00:00:08
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : kubectl-1.23.6-0.x86_64 1/10
Installing : libnetfilter_cthelper-1.0.0-11.el7.x86_64 2/10
Installing : socat-1.7.3.2-2.el7.x86_64 3/10
Installing : libnetfilter_cttimeout-1.0.0-7.el7.x86_64 4/10
Installing : cri-tools-1.26.0-0.x86_64 5/10
Installing : libnetfilter_queue-1.0.2-2.el7_2.x86_64 6/10
Installing : conntrack-tools-1.4.4-7.el7.x86_64 7/10
Installing : kubernetes-cni-1.2.0-0.x86_64 8/10
Installing : kubelet-1.23.6-0.x86_64 9/10
Installing : kubeadm-1.23.6-0.x86_64 10/10
Verifying : kubeadm-1.23.6-0.x86_64 1/10
Verifying : conntrack-tools-1.4.4-7.el7.x86_64 2/10
Verifying : libnetfilter_queue-1.0.2-2.el7_2.x86_64 3/10
Verifying : cri-tools-1.26.0-0.x86_64 4/10
Verifying : kubernetes-cni-1.2.0-0.x86_64 5/10
Verifying : kubelet-1.23.6-0.x86_64 6/10
Verifying : libnetfilter_cttimeout-1.0.0-7.el7.x86_64 7/10
Verifying : socat-1.7.3.2-2.el7.x86_64 8/10
Verifying : libnetfilter_cthelper-1.0.0-11.el7.x86_64 9/10
Verifying : kubectl-1.23.6-0.x86_64 10/10
Installed:
kubeadm.x86_64 0:1.23.6-0 kubectl.x86_64 0:1.23.6-0 kubelet.x86_64 0:1.23.6-0
Dependency Installed:
conntrack-tools.x86_64 0:1.4.4-7.el7 cri-tools.x86_64 0:1.26.0-0 kubernetes-cni.x86_64 0:1.2.0-0
libnetfilter_cthelper.x86_64 0:1.0.0-11.el7 libnetfilter_cttimeout.x86_64 0:1.0.0-7.el7 libnetfilter_queue.x86_64 0:1.0.2-2.el7_2
socat.x86_64 0:1.7.3.2-2.el7
Complete!
$ yum install -y --setopt=obsoletes=0 kubeadm-1.23.6 kubelet-1.23.6 kubectl-1.23.6
設定 kubelet 開機自啟
[root@k8s-master yum.repos.d]# systemctl enable kubelet
Created symlink from /etc/systemd/system/multi-user.target.wants/kubelet.service to /usr/lib/systemd/system/kubelet.service.
[root@k8s-master yum.repos.d]# systemctl status kubelet
● kubelet.service - kubelet: The Kubernetes Node Agent
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/kubelet.service.d
└─10-kubeadm.conf
Active: inactive (dead)
Docs: https://kubernetes.io/docs/
$ systemctl enable kubelet $ systemctl status kubelet
叢集 Master 節點初始化
# 此操作只在 Master 節點執行
[root@k8s-master yum.repos.d]# kubeadm init \
> --apiserver-advertise-address=192.168.1.120 \
> --image-repository registry.aliyuncs.com/google_containers \
> --kubernetes-version=v1.23.6 \
> --service-cidr=10.96.0.0/12 \
> --pod-network-cidr=10.244.0.0/16
[init] Using Kubernetes version: v1.23.6
[preflight] Running pre-flight checks
[preflight] Pulling images required for setting up a Kubernetes cluster
[preflight] This might take a minute or two, depending on the speed of your internet connection
[preflight] You can also perform this action in beforehand using 'kubeadm config images pull'
[certs] Using certificateDir folder "/etc/kubernetes/pki"
[certs] Generating "ca" certificate and key
[certs] Generating "apiserver" certificate and key
[certs] apiserver serving cert is signed for DNS names [k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.1.120]
[certs] Generating "apiserver-kubelet-client" certificate and key
[certs] Generating "front-proxy-ca" certificate and key
[certs] Generating "front-proxy-client" certificate and key
[certs] Generating "etcd/ca" certificate and key
[certs] Generating "etcd/server" certificate and key
[certs] etcd/server serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.1.120 127.0.0.1 ::1]
[certs] Generating "etcd/peer" certificate and key
[certs] etcd/peer serving cert is signed for DNS names [k8s-master localhost] and IPs [192.168.1.120 127.0.0.1 ::1]
[certs] Generating "etcd/healthcheck-client" certificate and key
[certs] Generating "apiserver-etcd-client" certificate and key
[certs] Generating "sa" key and public key
[kubeconfig] Using kubeconfig folder "/etc/kubernetes"
[kubeconfig] Writing "admin.conf" kubeconfig file
[kubeconfig] Writing "kubelet.conf" kubeconfig file
[kubeconfig] Writing "controller-manager.conf" kubeconfig file
[kubeconfig] Writing "scheduler.conf" kubeconfig file
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Starting the kubelet
[control-plane] Using manifest folder "/etc/kubernetes/manifests"
[control-plane] Creating static Pod manifest for "kube-apiserver"
[control-plane] Creating static Pod manifest for "kube-controller-manager"
[control-plane] Creating static Pod manifest for "kube-scheduler"
[etcd] Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
[apiclient] All control plane components are healthy after 6.504656 seconds
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.23" in namespace kube-system with the configuration for the kubelets in the cluster
NOTE: The "kubelet-config-1.23" naming of the kubelet ConfigMap is deprecated. Once the UnversionedKubeletConfigMap feature gate graduates to Beta the default name will become just "kubelet-config". Kubeadm upgrade will handle this transition transparently.
[upload-certs] Skipping phase. Please see --upload-certs
[mark-control-plane] Marking the node k8s-master as control-plane by adding the labels: [node-role.kubernetes.io/master(deprecated) node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers]
[mark-control-plane] Marking the node k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[bootstrap-token] Using token: rczo3l.hgi643ox3vzw4ttr
[bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to get nodes
[bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
[bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace
[kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.1.120:6443 --token rczo3l.hgi643ox3vzw4ttr \
--discovery-token-ca-cert-hash sha256:714d757f758bbf794c88d48078fcceaca6993a71c32a2e0f131f17ded0099f75
注意結合自己的實際情況,修改對應的引數配置:
$ kubeadm init \ --apiserver-advertise-address=192.168.1.120 \ --image-repository registry.aliyuncs.com/google_containers \ --kubernetes-version=v1.23.6 \ --service-cidr=10.96.0.0/12 \ --pod-network-cidr=10.244.0.0/16
apiserver-advertise-address
:指定 Api Server 地址。image-repository
:映象倉庫地址。kubernetes-version
:Kubernetes 版本。service-cidr
:Service 的網路 IP 地址段。pod-network-cidr
:Pod 的網路 IP 地址段。
當看到Your Kubernetes control-plane has initialized successfully!
提示,說明叢集 Master 節點初始化成功,按照提示,依次執行以下命令:
[root@k8s-master ~]# mkdir -p $HOME/.kube
[root@k8s-master ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
[root@k8s-master ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config
Master 節點初始化成功後,可以檢視啟動的 Docker 容器:
[root@k8s-master ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
516411b3e4f9 df7b72818ad2 "kube-controller-man…" About an hour ago Up About an hour k8s_kube-controller-manager_kube-controller-manager-k8s-master_kube-system_cf39bc9bfe4da000c1780f37274acf68_3
2ed3b58d0c11 595f327f224a "kube-scheduler --au…" About an hour ago Up About an hour k8s_kube-scheduler_kube-scheduler-k8s-master_kube-system_ad30b41672979e80f74f72181c1c9762_3
85de5232c506 4c0375452406 "/usr/local/bin/kube…" 2 hours ago Up 2 hours k8s_kube-proxy_kube-proxy-m2nbx_kube-system_199d9d71-dd85-4363-8c46-addd357aac3b_1
9394d7715a75 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 2 hours ago Up 2 hours k8s_POD_kube-proxy-m2nbx_kube-system_199d9d71-dd85-4363-8c46-addd357aac3b_1
a4c2a7a80eb7 8fa62c12256d "kube-apiserver --ad…" 2 hours ago Up 2 hours k8s_kube-apiserver_kube-apiserver-k8s-master_kube-system_f844c52da54beeb845dab75e338dce7a_1
82c2e3320e5f 25f8c7f3da61 "etcd --advertise-cl…" 2 hours ago Up 2 hours k8s_etcd_etcd-k8s-master_kube-system_2f6b828b40e9edd50c7cb676b0b4bacf_1
84f3a53a6139 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 2 hours ago Up 2 hours k8s_POD_kube-scheduler-k8s-master_kube-system_ad30b41672979e80f74f72181c1c9762_1
ca132ea49edc registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 2 hours ago Up 2 hours k8s_POD_kube-apiserver-k8s-master_kube-system_f844c52da54beeb845dab75e338dce7a_1
848d64a5403d registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 2 hours ago Up 2 hours k8s_POD_kube-controller-manager-k8s-master_kube-system_cf39bc9bfe4da000c1780f37274acf68_1
435f1caea216 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 2 hours ago Up 2 hours k8s_POD_etcd-k8s-master_kube-system_2f6b828b40e9edd50c7cb676b0b4bacf_1
叢集 Node 節點 join
在兩個 Node 節點,執行以下命令:
[root@k8s-node1 ~]# kubeadm join 192.168.1.120:6443 --token y4a0gj.5iaxcci7uqkdjcf0 --discovery-token-ca-cert-hash sha256:714d757f758bbf794c88d48078fcceaca6993a71c32a2e0f131f17ded0099f75
[preflight] Running pre-flight checks
[preflight] Reading configuration from the cluster...
[preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to apiserver and a response was received.
* The Kubelet was informed of the new secure connection details.
Run 'kubectl get nodes' on the control-plane to see this node join the cluster.
-
--toke
:Master 節點初次 init 時,在 init 成功後,會在最後輸出 Node 節點 join 的命令。在後續操作時,如果沒有 token,可以透過以下方式獲取:# 檢視沒有過期的 token 列表 [root@k8s-master ~]# kubeadm token list # 重新申請 token [root@k8s-master ~]# kubeadm token create y4a0gj.5iaxcci7uqkdjcf0 [root@k8s-master ~]# kubeadm token list TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS y4a0gj.5iaxcci7uqkdjcf0 23h 2024-09-05T15:40:56Z authentication,signing <none> system:bootstrappers:kubeadm:default-node-token
-
--discovery-token-ca-cert-hash
:SSL 證書對應的 Hash 值。同樣的,Master 節點初次 init 時,也會輸出,如果後續沒有了,透過以下命令獲取,再將獲得的值,拼接上 "sha256:",即可獲得 Hash 值為 "sha256:714d757f758bbf794c88d48078fcceaca6993a71c32a2e0f131f17ded0099f75"。$ [root@k8s-master ~]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl sha256 -hex | sed 's/^.* //' 714d757f758bbf794c88d48078fcceaca6993a71c32a2e0f131f17ded0099f75
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt
:從 Kubernetes 的 CA 證書(位於/etc/kubernetes/pki/ca.crt
)中提取公鑰。| openssl rsa -pubin -outform der 2>/dev/null
:將公鑰轉換為 DER 格式。2>/dev/null 用於重定向錯誤輸出,以保持命令列整潔。| openssl sha256 -hex
:對 DER 格式的公鑰進行 SHA-256 雜湊計算,並以十六進位制形式輸出。| sed 's/^.* //'
:使用 sed 工具刪除輸出中的任何前導文字,只留下雜湊值。
如果是 Ubuntu 系統,使用以下命令:
$ openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
此時,可以檢視 Node 節點上啟動的容器:
[root@k8s-node1 yum.repos.d]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6caa9ae8a696 registry.aliyuncs.com/google_containers/kube-proxy "/usr/local/bin/kube…" 11 minutes ago Up 11 minutes k8s_kube-proxy_kube-proxy-6xntx_kube-system_a0a43318-a317-46a8-9a01-a510218b93f7_0
58126cacdd00 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 11 minutes ago Up 11 minutes k8s_POD_kube-proxy-6xntx_kube-system_a0a43318-a317-46a8-9a01-a510218b93f7_0
同時,在 Master 節點上,檢視叢集的狀態,仍處於 NotReady 的狀態:
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady control-plane,master 6d23h v1.23.6
k8s-node1 NotReady <none> 56s v1.23.6
k8s-node2 NotReady <none> 53s v1.23.6
叢集 Master 節點安裝網路外掛
在 Node 節點 join 之後,執行以下命令檢視 Component 和 Pod 的狀態:
[root@k8s-master ~]# kubectl get componentstatus
Warning: v1 ComponentStatus is deprecated in v1.19+
NAME STATUS MESSAGE ERROR
controller-manager Healthy ok
scheduler Healthy ok
etcd-0 Healthy {"health":"true","reason":""}
[root@k8s-master ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6d8c4cb4d-7m22g 0/1 Pending 0 7d23h
coredns-6d8c4cb4d-q22dm 0/1 Pending 0 7d23h
etcd-k8s-master 1/1 Running 4 (23h ago) 7d23h
kube-apiserver-k8s-master 1/1 Running 4 (23h ago) 7d23h
kube-controller-manager-k8s-master 1/1 Running 7 (105m ago) 7d23h
kube-proxy-6xntx 1/1 Running 1 (23h ago) 23h
kube-proxy-m2nbx 1/1 Running 5 (105m ago) 7d23h
kube-proxy-vzsp7 1/1 Running 1 (23h ago) 23h
kube-scheduler-k8s-master 1/1 Running 6 (23h ago) 7d23h
可以看到,Component 的狀態都是 Healthy,說明叢集是正常的,但是 "coredns-6d8c4cb4d-7m22g" 和 "coredns-6d8c4cb4d-q22dm" 都是 Pending 狀態,造成這種現象的原因,就是因為網路。因此,下面在 Master 節點上安裝網路外掛。
$ wget https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
如果無法透過 wget 下載,可以直接訪問 https://github.com/flannel-io/flannel/tree/master/Documentation/kube-flannel.yml,複製檔案內容,然後在 /opt/k8s 路徑下,建立 kube-flannel.yml 檔案,再將複製的內容貼上。
[root@k8s-master k8s]# pwd
/opt/k8s
[root@k8s-master k8s]# ls
kube-flannel.yml
# 需要下載的映象
[root@k8s-master k8s]# grep image kube-flannel.yml
image: docker.io/flannel/flannel-cni-plugin:v1.5.1-flannel2
image: docker.io/flannel/flannel:v0.25.6
image: docker.io/flannel/flannel:v0.25.6
# 將 docker.io 替換為空,否則到官方下載映象,可能很慢
[root@k8s-master k8s]# sed -i 's#docker.io/##g' kube-flannel.yml
[root@k8s-master k8s]# grep image kube-flannel.yml
image: flannel/flannel-cni-plugin:v1.5.1-flannel2
image: flannel/flannel:v0.25.6
image: flannel/flannel:v0.25.6
# 應用網路外掛
[root@k8s-master k8s]# kubectl apply -f kube-flannel.yml
namespace/kube-flannel created
clusterrole.rbac.authorization.k8s.io/flannel created
clusterrolebinding.rbac.authorization.k8s.io/flannel created
serviceaccount/flannel created
configmap/kube-flannel-cfg created
daemonset.apps/kube-flannel-ds created
等待一段時間,再次檢視 Pod 的狀態,可以看到,"coredns-6d8c4cb4d-7m22g" 和 "coredns-6d8c4cb4d-q22dm" 都是 Running 的狀態:
[root@k8s-master ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-6d8c4cb4d-7m22g 1/1 Running 0 7d23h
coredns-6d8c4cb4d-q22dm 1/1 Running 0 7d23h
etcd-k8s-master 1/1 Running 4 (23h ago) 7d23h
kube-apiserver-k8s-master 1/1 Running 4 (23h ago) 7d23h
kube-controller-manager-k8s-master 1/1 Running 7 (129m ago) 7d23h
kube-proxy-6xntx 1/1 Running 1 (23h ago) 23h
kube-proxy-m2nbx 1/1 Running 5 (129m ago) 7d23h
kube-proxy-vzsp7 1/1 Running 1 (23h ago) 23h
kube-scheduler-k8s-master 1/1 Running 6 (23h ago) 7d23h
如果需要檢視某個 Pod 的詳細資訊,可以使用以下命令:
$ kubectl describe pod coredns-6d8c4cb4d-7m22g -n kube-system
此處使用的是 Flannel 網路外掛,也可以使用 CNI 網路外掛,訪問 https://calico-v3-25.netlify.app/archive/v3.25/manifests/calico.yaml,複製檔案內容,然後在 /opt/k8s 路徑下,建立 calico.yaml,再將複製的內容貼上。
修改 CALICO_IPV4POOL_CIDR 配置,該配置預設是註釋掉的,如果不是註釋掉的,將其修改為與 Master 節點 init 時的 "--pod-network-cidr=10.244.0.0/16" 保持一致。
將檔案中需要下載的映象前面的 docker.io 替換為空。
應用 CNI 外掛,使用命令
kubectl apply -f calico.yaml
。
檢視叢集狀態
使用以下命令,檢視叢集狀態,當 STATUS 全部為 Ready 時,才可繼續後面的操作(此過程可能需耗費較長時間):
[root@k8s-master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master Ready control-plane,master 7d23h v1.23.6
k8s-node1 Ready <none> 24h v1.23.6
k8s-node2 Ready <none> 24h v1.23.6
如果 Flannel 需檢查網路情況,重新進行如下操作:
kubectl delete -f kube-flannel.yml
---> 再次下載檔案 --->kubectl apply -f kube-flannel.yml
。
測試 Kubenetes 叢集
# 建立部署一個 Nginx 服務
[root@k8s-master ~]# kubectl create deployment nginx --image=nginx
deployment.apps/nginx created
# 暴露容器內的埠
[root@k8s-master ~]# kubectl expose deployment nginx --port=80 --type=NodePort
service/nginx exposed
# 檢視 Pod 以及服務資訊,容器內埠 80,對應宿主機的埠 31173
[root@k8s-master ~]# kubectl get pod,svc
NAME READY STATUS RESTARTS AGE
pod/nginx-85b98978db-j4sjq 1/1 Running 0 10m
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 8d
service/nginx NodePort 10.98.189.130 <none> 80:31173/TCP 10m
檢視 Nginx 服務:
[root@k8s-master ~]# curl 192.168.1.120:31173
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
- "curl 192.168.1.121:31173" 和 "curl 192.168.1.122:31173" 具有相同的效果。
頁面訪問 192.168.1.120:31173:
- 訪問 192.168.1.121:31173 和 192.168.1.122:31173 具有相同的效果。
命令列工具 kubectl
kubectl 是使用 Kubernetes API 與 Kubernetes 叢集進行通訊的命令列工具。
kubectl 工具,預設只在 Master 節點上有效,在 Node 節點上執行無效:
[root@k8s-node1 ~]# kubectl get nodes
The connection to the server localhost:8080 was refused - did you specify the right host or port?
其原因是,在 Master 節點上,有使用者認證相關的設定,並且 kubectl 工具呼叫時,知道呼叫的 Api 的伺服器地址(https://192.168.1.120:6443):
[root@k8s-master .kube]# pwd
/root/.kube
[root@k8s-master .kube]# cat config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJME1EZ3lPREUyTVRReE5Gb1hEVE0wTURneU5qRTJNVFF4TkZvd0ZURVRNQkVHQTFVRQpBeE1LY99886776SnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS01rCjlmMWRYY2k2TUc5ZkpBUVN2Y1JqM2QwaWk1b0NockcyNGxUSmJha3c3dzV4TVhmUU9qM21FdUFROVkvYkpacnYKaytSUGVvSVlsdUYzbytPbHdWSktRLzBvbnZVbXM2YTFCMi9MRmVLNTRmUGllcXVmSVZDMElGalhvQVBiRTZOZQphc1lRbjV0SDQ2MDV3TjA3OFNHVzk4L1JuVjlkYTlDenEvb1BTYmNpUTRnbU1UYm0rSzU2eTJ0MWdOM0krUW91ClVHaFlucWZJa0VZTzNsTm1VbWtpOFUzaWNHaXhHWkVRYjA0UVowQ0JEck14MGV6anRWS1hrbVFMWW9zVjlhOFcKM1Bkb3AySXlqdkVCVTZxR001aE9BVlA3QUcrQ1hDSTVCVDBxVm1aeXVzYXVuekVnaTVOcWhKZ1hQZGdMWXNpUQprY2Rzc1lyWkFsRnhoenFTdGhzQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZQNlQ4aE5aTnMrcjUzWm1Cd3Q0UURvOVJIa0ZNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQWg0QWZKTnU1YWxLbVJrSmJCOAppZ2wzZm53YVNkTXZCVUFFaE5JYWt0NytTWGZKdGNnLy9zanpPYlhIQVVDcHgrbnNualhVUW40Uzl1OW9IQlBOCnFUbGxSelBDZ0U4MXRRMnBVekU0T3BGSDQwblRucjYzRWtsbGNoZFU0QzlyMXcwbDJLS296UmJaV3ZCajBZa20KNmh3SlpzVzZyMW9iUjI2VzlFcXpLUXFweWRVcHZFR3lUcDk4YXBsTXFKazNlUS9hYkVOS1k3TW0vNll2K3FicwpCc1dSTVJuMEhzbTZ0dWNlZ21GOFNOZUxvSU5SdExSc1Y4VWZTU0F6WmJTSTVjY1VSTDFycGp2c0NBZUFkWGdECkh4a2l1Ny9IRW5wNmpoM05mRkZKZ0FIL2hvdW52RS9hODk3VmduTHBpcE8xZjBFKzR4YUFMNC9tVWozVm9DRTQKUVRBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.1.120:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURJVENDQWdtZ0F3SUJBZ0lJZWpxb29NcVhGS3d3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRBNE1qZ3hOakUwTVRSYUZ3MHlOVEE0TWpneE5qRTBNVFZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXVVbys0dkhnZmNLeGxmdWMKeHkhj56hfh0ZHd1JCU2F6MVRaMmdKV1dUeEtrTE5XemtET3BjWk5oUkdlVGozaVlvdjAvdWxkZGJzdml2LwpSQ2tjUTZrWGdVaXdGSytNUkdKR3dKbmFCY0QwSFdzc0tqMUh6RjVYMm5kbUFvNXhsTThQcms0TWYyREtnbjBHClRiaG5uc1ZERk9tWG5JSTRucFJFMXA4SFIrQUQvTkdDOXhIbVRkV0szSVZOWERvYXhIZXY3VmoxVHk1TkNUWEwKWmQraEJEa0h1NHRwTzM0bGpuWlU4elBua0ljcHJMeU5wdjNCb2UvUjR1WXZIdkFrUG1qYXRUWHMvaGc5QXVSegpKcDcrODFiR3Voc3A2cVZBbzlwOUJsNHovck1XUk9qR3JxdDNEWnFKU2tVTVpqVWdaZHFyY0kzNHJiTWJySlMwCmtqdUpHd0lEQVFBQm8xWXdWREFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JUK2svSVRXVGJQcStkMlpnY0xlRUE2UFVSNQpCVEFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBbnNMVzNpaU9XMTBFbEtVVXlaM3NIRkpzeW1oSUxpOVpJdmE2ClRDVmh5S3huZVEyY1daKzRFTWZJT3RJTi92WitMak96WmVYbzMzRDlybUdBOUtSMi9udTJ6b2pmbzZEdnJLL2YKMVVPOGFWNnlHMFBoeFlCT1dXeUhNczFzd1dzNU8yY01PRGR5TU9JcUIzZHJ3eVEzWkZrblgxa3UwZ1NqeVdheApWR2VQN1grSFowZ1RpSUtGWFdaVjdHWCtlSEdQZHBIZVBkR0doMXdGbUJCcTRVOUdoZERoTVBtenNZMkFpMjJrClpZOTFxYmtucGF4blEvNlRBN0lwdkcya0wwT2N6ZFpoQXh0NWZFRWVmTDZ2M1VVM1c4c3lYTnd0M3ROamJlQk4KZTdRSitaQjcwYjdQQi9lSFZQTmlxRThRdVYySzlIQjRUS3ZkdlNJZTZ1VHN6VXJDZ0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBdVVvKzR2SGdmY0t4bGZ1Y3hySUhIOEM0SEtGR3dSQlNhejFUWjJnSldXVHhLa0xOCld6a0RPcGNaTmhSR2VUajNpWW92MC91bGRkYnN2aXYvUkNrY1E2a1hnVWl3RksrTVJHSkd3Sm5hQmNEMEhXc3MKS2oxSHpGNVgybmRtQW81eGxNOFByazRNZjJES2duMEdUYmhubnNWREZPbVhuSUk0bnBSRTFwOEhSK0FEL05HQwo5eEhtVGRXSzNJVk5YRG9heEhldjdWajFUeTVOQ1RYTFpkK2hCRGtIdTR0cE8zNGxqblpVOHpQbmtJY3ByTHlOCnB2M0JvZS9SNHVZdkh2QWtQbWphdFRYcy9oZzlBdVJ6SnA3KzgxYkd1aHNwNnFWQW85cDlCbDR6L3JNV1JPakcKcnF0M0RacUpTa1VNWmpVZ1pkcXJjSTM0cmJNYnJKUzBranVKR3dJREFRQUJBb0lCQVFDTkdONitqeFkyYmpZeApVa05XZzJjdFpPSk8ydms0TjZlcmhpMm5CdkJucEppSmFBbGRPQk1mWU1TUUMreUdqenpnL2R2aC96VkdnUDRTCjZ3b2Q2M2hjaGIwaWRDbXg5dVJIaHRiOS82cW95d0NhRG15NVZhVUJHYTZvN0ZkQUJ4eXpCdUtZQjFNNUJJbngKeUNjdXRBZ2tQVzhSMDdmaU5ML004bmRoUUFTWlU4NlpNTUJyUjB6cS9DNy9PS2lITDJZdjI5eng3ek5TSGUxUQozNkwrWmhzVXlsclYvdnMwWFY4cHBQaCsvVEFVREZkeXVXNlJsQ1lNQXF2U2RxVEp4M2dOK3Rva3R3VWF5NVk1ClVFV0srODMwQjYyNE5lRVJqSHBmOFhVYmJ1UFovcXBnbmxLSjBiRWM4RENvb2szQVBBUEtSMkU0eTBlRHBMWFQKV0xhR05wY2hBb0dCQU96RldFWG5OYWVMY2JtZzFuaXFkQms4anBBOWowUVVkR0lBZkpMMnA5cE1RVnFrVHlMdApCaE9MVEY4RUVHS1dsN0ticDhZZXVyM2gycnlmNldVa2svTTRIMWhFbE9FdGp3aFpWa1hGMENPUzFoSjJRSUlmCm10SFFSUENuZFg0TTdmekIvUmptSE9KWVdWM3BOVjZ3ZE5KOS9PSjghfsdfs3sFJ1VE1xMmpYWTRKQW9HQkFNaFcKa3FSOFZVM0J4Mm9oWHFBQTUxb1ZKbVg3L2p2akhhUXJTRHhQOFNJcVVnVjJaQ3EyWDBRTlRLV0lSVDhhcmsrYQpvaGd2ZytnVWlIcjZDQUdYWmRESTluWEFYbG40aGVyaUYzNVJSMkRVbzhndHpIaDFyNUVad2pEOG1DTlFhMkZaCndidWgreGxPVzRSeU1IY2Jkb1QzUDlFTGdrWHRSU1pRa0pyYlk2Y0RBb0dCQU5VUVZYbzZNTWMvcmF4TXR4TkkKMkVicGZxVUFNSThrRlFNbnl2SjVNZDA0cDhzSWR3cEgzeUx4UkYxd2k4b2NHQkNyRDlReVRQdVlaYjA5N2NxTgptdkhRdkN3ek13SmJmQTRZVHBGbERBTW5IS3JxYk94cndtY3lrd2M0dW5zZTZYNTlsdU8wRjZQN3V4Zk9SNitZCi9OZDZkbm1CdXdWeFIzUk1CdHZJV2VUNUFvR0FMMWhHVDVrU2o4MjcwdGtRQThBeTdKY1MvQWNSamhXZWE2M08KNUhJQUNwTDF6MVNyVjJ6Q0Z0TU55aERxVEgrQnNrNVpBRjQ2VGg2TUlvUDBZR3ZuSS9CYVRubW4wcHRwQ3Bsago4L1pCYUNEWWsvWSszRGp6eE5iUmpjSWtNalJQTERLS0ZrMnhpY2w2MTFJbElnRGJnWkR0QS9vMFQxSkRoVXFFCjRoUDIrUUVDZ1lFQWd2U1owOFRrS2VKM1Z1dkdIeU4wWUk3Umx1Q284ZVVVY3IrOEFvR0MrNjRHbmQ1WFc1eGcKZFViQ1lxN3h2OERjN2MzTkt1RVNKSmg4czYyRllXVjRmQkxGckwrYzRreVpxYnRxdDExN3ZnZklvZU1MNkxTdwpINmc2R3Ria01Fand1eldPQUFlSllsNEptMUUzSDB3eGVBZUlWeldoZ2I5NWF4aFZkWlZlT2VZPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
如果需要在 Node 節點使用 kubectl 工具,需要進行如下配置:
-
複製 Master 節點中 "/etc/kubernetes/admin.conf" 檔案到對應的 Node 節點伺服器的 "/etc/kubernetes" 目錄中:
[root@k8s-master .kube]# scp /etc/kubernetes/admin.conf root@k8s-node1:/etc/kubernetes/ The authenticity of host 'k8s-node1 (192.168.1.121)' can't be established. ECDSA key fingerprint is SHA256:1wcmZ7fQ/AJ9ak1Hu/qURBJMFWuqvu66TbMV8OUD9us. ECDSA key fingerprint is MD5:ce:5e:b8:01:2d:f6:ee:77:87:33:b4:7d:4b:64:a5:d9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'k8s-node1,192.168.1.121' (ECDSA) to the list of known hosts. root@k8s-node1's password: admin.conf 100% 5641 4.7MB/s 00:00
-
在對應的 Node 伺服器上配置環境變數:
[root@k8s-node1 ~]# echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile [root@k8s-node1 ~]# source ~/.bash_profile [root@k8s-node1 ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-master Ready control-plane,master 11d v1.23.6 k8s-node1 Ready <none> 4d23h v1.23.6 k8s-node2 Ready <none> 4d23h v1.23.6
kubectl 工具的常用的命令和功能如下:
-
更多命令檢視官網:https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands
-
資源型別與別名:
資源型別 縮寫別名 clusters
componentstatuses
cs
configmaps
cm
daemonsets
ds
deployments
deploy
endpoints
ep
event
ev
horizontalpodautoscalers
hpa
ingresses
ing
jobs
limitranges
limits
namespaces
ns
networkpolicies
nodes
no
statefulsets
persistentvolumeclaims
pvc
persistentvolumes
pv
pods
po
podsecuritypolicies
psp
podtemplates
replicasets
rs
replicationcontrollers
rc
resourcequotas
quota
cronjob
secrets
serviceaccount
sa
services
svc
storageclasses
thirdpartyresources
-
格式化輸出,例如:
$ kubectl get deploy nginx -o yaml
API 概述
官網:https://kubernetes.io/zh-cn/docs/reference/using-api/(https://kubernetes.io/docs/reference/using-api/deprecation-guide/)
REST API 是 Kubernetes 系統的重要部分,元件之間的所有操作和通訊均由 API Server 處理的 REST API 呼叫,大多數情況下,API 定義和實現都符合標準的 HTTP REST 格式,可以透過 kubectl 命令管理工具或其他命令列工具來執行。
不同的 API 版本代表著不同的穩定性和支援級別,下面是每個級別的摘要:
-
Alpha:
- 版本名稱包含
alpha
,例如:v1alpha1。 - 內建的 Alpha API 版本預設被禁用,且必須在 kube-apiserver 配置中顯式啟用才能使用。
- 軟體可能會有 Bug,啟用某個特性可能會暴露出 Bug。
- 對某個 Alpha API 特性的支援可能會隨時被刪除,恕不另行通知。
- API 可能在以後的軟體版本中以不相容的方式更改,恕不另行通知。
- 由於缺陷風險增加和缺乏長期支援,建議該軟體僅用於短期測試叢集。
- 版本名稱包含
-
Beta:
-
版本名稱包含
beta
,例如:v2beta3。 -
內建的 Beta API 版本預設被禁用,且必須在 kube-apiserver 配置中顯式啟用才能使用(例外情況是 Kubernetes 1.22 之前引入的 Beta 版本的 API,這些 API 預設被啟用)。
-
內建 Beta API 版本從引入到棄用的最長生命週期為 9 個月或 3 個次要版本(以較長者為準),從棄用到移除的最長生命週期為 9 個月或 3 個次要版本(以較長者為準)。
-
軟體被很好的測試過,啟用某個特性被認為是安全的。
-
儘管一些特性會發生細節上的變化,但它們將會被長期支援。
-
在隨後的 Beta 版或 Stable 版中,物件的模式和(或)語義可能以不相容的方式改變。當這種情況發生時,將提供遷移說明。適配後續的 Beta 或 Stable API 版本可能需要編輯或重新建立 API 物件,這可能並不簡單。對於依賴此功能的應用程式,可能需要停機遷移。
-
該版本的軟體不建議生產使用,後續釋出版本可能會有不相容的變動,一旦 Beta API 版本被棄用且不再提供服務,則使用 Beta API 版本的使用者需要轉為使用後續的 Beta 或 Stable API 版本。
-
請嘗試 Beta 版時特性時並提供反饋。特性完成 Beta 階段測試後,就可能不會有太多的變更了。
-
-
Stable:
- 版本名稱如
vX
,其中 X 為整數。 - 特性的 Stable 版本會出現在後續很多版本的釋出軟體中。Stable API 版本仍然適用於 Kubernetes 主要版本範圍內的所有後續釋出,並且 Kubernetes 的主要版本當前沒有移除 Stable API 的修訂計劃。
- 版本名稱如
已棄用 API 的遷移指南:https://kubernetes.io/zh-cn/docs/reference/using-api/deprecation-guide/
原文連結
https://github.com/ACatSmiling/zero-to-zero/blob/main/Operation/kubernetes.md