基於kubeasz部署高可用k8s叢集

1874發表於2023-04-23

  在部署高可用k8s之前,我們先來說一說單master架構和多master架構,以及多master架構中各元件工作邏輯

  k8s單master架構

  提示:這種單master節點的架構,通常只用於測試環境,生產環境絕對不允許;這是因為k8s叢集master的節點是單點,一旦master節點當機,將導致整個叢集不可用;其次單master節點apiServer是效能瓶頸;從上圖我們就可以看到,master節點所有元件和node節點中的kubelet和客戶端kubectl、dashboard都會連線apiserver,同時apiserver還要負責往etcd中更新或讀取資料,對客戶端的請求做認證、准入控制等;很顯然apiserver此時是非常忙碌的,極易成為整個K8S叢集的瓶頸;所以不推薦在生產環境中使用單master架構;

  k8s多master架構

  提示:k8s高可用主要是對master節點元件高可用;其中apiserver高可用的邏輯就是透過啟用多個例項來對apiserver做高可用;apiserver從某種角度講它應該是一個有狀態服務,但為了降低apiserver的複雜性,apiserver將資料儲存到etcd中,從而使得apiserver從有狀態服務變成了一個無狀態服務;所以高可用apiserver我們只需要啟用多個例項透過一個負載均衡器來反向代理多個apiserver,客戶端和node的節點的kubelet透過負載均衡器來連線apiserver即可;對於controller-manager、scheduler這兩個元件來說,高可用的邏輯也是啟用多個例項來實現的,不同與apiserver,這兩個元件由於工作邏輯的獨特性,一個k8s叢集中有且只有一個controller-manager和scheduler在工作,所以啟動多個例項它們必須工作在主備模式,即一個active,多個backup的模式;它們透過分散式鎖的方式實現內部選舉,決定誰來工作,最終搶到分散式鎖(k8s叢集endpoint)的controller-manager、scheduler成為active狀態代表叢集controller-manager、scheduler元件工作,搶到鎖的controller-manager和scheduler會週期性的向apiserver通告自己的心跳資訊,以維護自己active狀態,避免其他controller-manager、scheduler進行搶佔;其他controller-manager、scheduler收到活動的controller-manager、scheduler透過的心跳資訊後自動切換為backup狀態;一旦在規定時間備用controller-manager、scheduler沒有收到活動的controller-manager、scheduler的心跳,此時就會觸發選舉,重複上述過程;

  伺服器規劃

  基礎環境部署

  重新生成machine-id

root@k8s-deploy:~# cat /etc/machine-id
1d2aeda997bd417c838377e601fd8e10
root@k8s-deploy:~# rm -rf /etc/machine-id && dbus-uuidgen --ensure=/etc/machine-id && cat /etc/machine-id
8340419bb01397bf654c596f6443cabf
root@k8s-deploy:~#

  提示:如果你的環境是透過某一個虛擬機器基於快照克隆出來的虛擬機器,很有可能對應machine-id一樣,可以透過上述命令將對應虛擬機器的machine-id修改成不一樣;注意上述命令不能再crt中同時對多個虛擬機器執行,同時對多個虛擬機器執行,生成的machine-id是一樣的;

  核心引數最佳化

root@deploy:~# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0

  系統資源限制

root@deploy:~# tail -10 /etc/security/limits.conf
root    soft    core            unlimited
root    hard    core            unlimited
root    soft    nproc           1000000
root    hard    nproc           1000000
root    soft    nofile          1000000
root    hard    nofile          1000000
root    soft    memlock         32000
root    hard    memlock         32000
root    soft    msgqueue        8192000
root    hard    msgqueue        8192000
root@deploy:~# 

  核心模組掛載

root@deploy:~# cat /etc/modules-load.d/modules.conf
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
ip_vs
ip_vs_lc
ip_vs_lblc
ip_vs_lblcr
ip_vs_rr
ip_vs_wrr
ip_vs_sh
ip_vs_dh
ip_vs_fo
ip_vs_nq
ip_vs_sed
ip_vs_ftp
ip_vs_sh
ip_tables
ip_set
ipt_set
ipt_rpfilter
ipt_REJECT
ipip
xt_set
br_netfilter
nf_conntrack
overlay

root@deploy:~# 

  禁用SWAP

root@deploy:~# free -mh
               total        used        free      shared  buff/cache   available
Mem:           3.8Gi       249Mi       3.3Gi       1.0Mi       244Mi       3.3Gi
Swap:          3.8Gi          0B       3.8Gi
root@deploy:~# swapoff -a
root@deploy:~# sed -i '/swap/s@^@#@' /etc/fstab
root@deploy:~# cat /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
# / was on /dev/ubuntu-vg/ubuntu-lv during curtin installation
/dev/disk/by-id/dm-uuid-LVM-yecQxSAXrKdCNj1XNrQeaacvLAmKdL5SVadOXV0zHSlfkdpBEsaVZ9erw8Ac9gpm / ext4 defaults 0 1
# /boot was on /dev/sda2 during curtin installation
/dev/disk/by-uuid/80fe59b8-eb79-4ce9-a87d-134bc160e976 /boot ext4 defaults 0 1
#/swap.img      none    swap    sw      0       0
root@deploy:~# 

  提示:以上操作建議在每個節點都做一下,然後把所有節點都重啟;

  1、基於keepalived及haproxy部署高可用負載均衡

  下載安裝keepalived和haproxy

root@k8s-ha01:~#apt update && apt install keepalived haproxy -y
root@k8s-ha02:~#apt update && apt install keepalived haproxy -y

  在ha01上建立/etc/keepalived/keepalived.conf

root@k8s-ha01:~# cat /etc/keepalived/keepalived.conf     
! Configuration File for keepalived
 
global_defs {
   notification_email {
     acassen
   }
   notification_email_from Alexandre.Cassen@firewall.loc
   smtp_server 192.168.200.1
   smtp_connect_timeout 30
   router_id LVS_DEVEL
}
 
vrrp_instance VI_1 {
    state MASTER
    interface ens160
    garp_master_delay 10
    smtp_alert
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.0.111 dev ens160 label ens160:0
    }
}
root@k8s-ha01:~# 

  將配置檔案複製給ha02

root@k8s-ha01:~# scp /etc/keepalived/keepalived.conf ha02:/etc/keepalived/keepalived.conf
keepalived.conf                                                  100%  545   896.6KB/s   00:00    
root@k8s-ha01:~#

  在ha02上編輯/etc/keepalived/keepalived.conf

  提示:ha02上主要修改優先順序和宣告角色狀態,如上圖所示;

  在ha02上啟動keepalived並設定開機啟動

root@k8s-ha02:~# systemctl start keepalived  
root@k8s-ha02:~# systemctl enable keepalived
Synchronizing state of keepalived.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable keepalived
root@k8s-ha02:~# 

  驗證:在ha02上檢視對應vip是否存在?

  在ha01啟動keepalived並設定為開機啟動,看看對應vip是否會漂移至ha01呢?

  提示:可以看到在ha01上啟動keepalived以後,對應vip就漂移到ha01上了;這是因為ha01上的keepalived的優先順序要比ha02高;

  測試:停止ha01上的keepalived,看看vip是否會漂移至ha02上呢?

  提示:能夠看到在ha01停止keepalived以後,對應vip會自動漂移至ha02;

  驗證:用叢集其他主機ping vip看看對應是否能夠ping通呢?

root@k8s-node03:~# ping 192.168.0.111
PING 192.168.0.111 (192.168.0.111) 56(84) bytes of data.
64 bytes from 192.168.0.111: icmp_seq=1 ttl=64 time=2.04 ms
64 bytes from 192.168.0.111: icmp_seq=2 ttl=64 time=1.61 ms
^C
--- 192.168.0.111 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 1.611/1.827/2.043/0.216 ms
root@k8s-node03:~# 

  提示:能夠用叢集其他主機ping vip說明vip是可用的,至此keepalived配置好了;

  配置haproxy

  編輯/etc/haproxy/haproxy.cfg

root@k8s-ha01:~# cat /etc/haproxy/haproxy.cfg
global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

listen k8s_apiserver_6443
bind 192.168.0.111:6443
mode tcp
#balance leastconn
server k8s-master01 192.168.0.31:6443 check inter 2000 fall 3 rise 5
server k8s-master02 192.168.0.32:6443 check inter 2000 fall 3 rise 5
server k8s-master03 192.168.0.33:6443 check inter 2000 fall 3 rise 5
root@k8s-ha01:~# 

  把上述配置複製給ha02

root@k8s-ha01:~# scp /etc/haproxy/haproxy.cfg ha02:/etc/haproxy/haproxy.cfg
haproxy.cfg                                                                                                                              100% 1591     1.7MB/s   00:00    
root@k8s-ha01:~# 

  在ha01上啟動haproxy,並將haproxy設定為開機啟動

root@k8s-ha01:~# systemctl start haproxy 
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xeu haproxy.service" for details.
root@k8s-ha01:~# systemctl status haproxy
× haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; disabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2023-04-22 12:13:34 UTC; 6s ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
    Process: 1281 ExecStartPre=/usr/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
    Process: 1283 ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=1/FAILURE)
   Main PID: 1283 (code=exited, status=1/FAILURE)
        CPU: 141ms

Apr 22 12:13:34 k8s-ha01.ik8s.cc systemd[1]: haproxy.service: Scheduled restart job, restart counter is at 5.
Apr 22 12:13:34 k8s-ha01.ik8s.cc systemd[1]: Stopped HAProxy Load Balancer.
Apr 22 12:13:34 k8s-ha01.ik8s.cc systemd[1]: haproxy.service: Start request repeated too quickly.
Apr 22 12:13:34 k8s-ha01.ik8s.cc systemd[1]: haproxy.service: Failed with result 'exit-code'.
Apr 22 12:13:34 k8s-ha01.ik8s.cc systemd[1]: Failed to start HAProxy Load Balancer.
root@k8s-ha01:~#

  提示:上面報錯是因為預設情況下核心不允許監聽本機不存在的socket,我們需要修改核心引數允許本機監聽不存在的socket;

  修改核心引數

root@k8s-ha01:~# sysctl -a |grep bind
net.ipv4.ip_autobind_reuse = 0
net.ipv4.ip_nonlocal_bind = 0
net.ipv6.bindv6only = 0
net.ipv6.ip_nonlocal_bind = 0
root@k8s-ha01:~# echo "net.ipv4.ip_nonlocal_bind = 1">> /etc/sysctl.conf 
root@k8s-ha01:~# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
vm.max_map_count=262144
kernel.pid_max=4194303
fs.file-max=1000000
net.ipv4.tcp_max_tw_buckets=6000
net.netfilter.nf_conntrack_max=2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness=0
net.ipv4.ip_nonlocal_bind = 1
root@k8s-ha01:~# sysctl -p
net.ipv4.ip_forward = 1
vm.max_map_count = 262144
kernel.pid_max = 4194303
fs.file-max = 1000000
net.ipv4.tcp_max_tw_buckets = 6000
net.netfilter.nf_conntrack_max = 2097152
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness = 0
net.ipv4.ip_nonlocal_bind = 1
root@k8s-ha01:~# 

  驗證:重啟haproxy 看看是能夠正常監聽6443?

root@k8s-ha01:~# systemctl restart haproxy 
root@k8s-ha01:~# systemctl status haproxy 
● haproxy.service - HAProxy Load Balancer
     Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-04-22 12:19:50 UTC; 7s ago
       Docs: man:haproxy(1)
             file:/usr/share/doc/haproxy/configuration.txt.gz
    Process: 1441 ExecStartPre=/usr/sbin/haproxy -Ws -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
   Main PID: 1443 (haproxy)
      Tasks: 5 (limit: 4571)
     Memory: 70.1M
        CPU: 309ms
     CGroup: /system.slice/haproxy.service
             ├─1443 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
             └─1445 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock

Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1443]: [WARNING]  (1443) : parsing [/etc/haproxy/haproxy.cfg:23] : 'option httplog' not usable with proxy 'k8s
_apiserver_6443' (needs 'mode http'). Falling back to 'option tcplog'.
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1443]: [NOTICE]   (1443) : New worker #1 (1445) forked
Apr 22 12:19:50 k8s-ha01.ik8s.cc systemd[1]: Started HAProxy Load Balancer.
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1445]: [WARNING]  (1445) : Server k8s_apiserver_6443/k8s-master01 is DOWN, reason: Layer4 connection problem, 
info: "Connection refused", check duration: 0ms. 2 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1445]: [NOTICE]   (1445) : haproxy version is 2.4.18-0ubuntu1.3
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1445]: [NOTICE]   (1445) : path to executable is /usr/sbin/haproxy
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1445]: [ALERT]    (1445) : sendmsg()/writev() failed in logger #1: No such file or directory (errno=2)
Apr 22 12:19:50 k8s-ha01.ik8s.cc haproxy[1445]: [WARNING]  (1445) : Server k8s_apiserver_6443/k8s-master02 is DOWN, reason: Layer4 connection problem, 
info: "Connection refused", check duration: 0ms. 1 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Apr 22 12:19:51 k8s-ha01.ik8s.cc haproxy[1445]: [WARNING]  (1445) : Server k8s_apiserver_6443/k8s-master03 is DOWN, reason: Layer4 connection problem, 
info: "Connection refused", check duration: 0ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
Apr 22 12:19:51 k8s-ha01.ik8s.cc haproxy[1445]: [ALERT]    (1445) : proxy 'k8s_apiserver_6443' has no server available!
root@k8s-ha01:~# ss -tnl
State            Recv-Q            Send-Q                       Local Address:Port                       Peer Address:Port           Process           
LISTEN           0                 4096                         192.168.0.111:6443                            0.0.0.0:*                                
LISTEN           0                 4096                         127.0.0.53%lo:53                              0.0.0.0:*                                
LISTEN           0                 128                                0.0.0.0:22                              0.0.0.0:*                                
root@k8s-ha01:~# 

  提示:可用看到修改核心引數以後,重啟haproxy對應vip的6443就在本地監聽了;對應ha02也需要修改核心引數,然後將haproxy啟動並設定為開機啟動;

  重啟ha02上面的haproxy並設定為開機啟動

root@k8s-ha02:~# systemctl restart haproxy
root@k8s-ha02:~# systemctl enable haproxy
Synchronizing state of haproxy.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable haproxy
root@k8s-ha02:~# ss -tnl
State               Recv-Q              Send-Q                           Local Address:Port                            Peer Address:Port              Process              
LISTEN              0                   4096                             127.0.0.53%lo:53                                   0.0.0.0:*                                      
LISTEN              0                   4096                             192.168.0.111:6443                                 0.0.0.0:*                                      
LISTEN              0                   128                                    0.0.0.0:22                                   0.0.0.0:*                                      
root@k8s-ha02:~# 

  提示:現在不管vip在那個節點,對應請求都會根據vip遷移而隨之遷移;至此基於keepalived及haproxy部署高可用負載均衡器就部署完成;

  2、部署https harbor服務提供映象的分發

  在harbor伺服器上配置docker-ce的源

root@harbor:~# apt-get update && apt-get -y install apt-transport-https ca-certificates curl software-properties-common && curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add - && add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable" && apt-get -y update

  在harbor伺服器上安裝docker和docker-compose

root@harbor:~# apt-cache madison docker-ce
 docker-ce | 5:23.0.3-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.2-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.1-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.0-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.24~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.23~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.22~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.21~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.20~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.19~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.18~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.17~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.16~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.15~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.14~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.13~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
root@harbor:~# apt install -y docker-ce=5:20.10.19~3-0~ubuntu-jammy 

  驗證docker版本

oot@harbor:~# docker version
Client: Docker Engine - Community
 Version:           23.0.3
 API version:       1.41 (downgraded from 1.42)
 Go version:        go1.19.7
 Git commit:        3e7cbfd
 Built:             Tue Apr  4 22:05:48 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          20.10.19
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.7
  Git commit:       c964641
  Built:            Thu Oct 13 16:44:47 2022
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
root@harbor:~# 

  下載docker-compose二進位制檔案

root@harbor:~# wget https://github.com/docker/compose/releases/download/v2.17.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose

  給docker-compose二進位制檔案加上可執行許可權,並驗證docker-compose的版本

root@harbor:~# cd /usr/local/bin/
root@harbor:/usr/local/bin# ll
total 53188
drwxr-xr-x  2 root root     4096 Apr 22 07:05 ./
drwxr-xr-x 10 root root     4096 Feb 17 17:19 ../
-rw-r--r--  1 root root 54453847 Apr 22 07:03 docker-compose
root@harbor:/usr/local/bin# chmod a+x docker-compose 
root@harbor:/usr/local/bin# cd
root@harbor:~# docker-compose -v
Docker Compose version v2.17.2
root@harbor:~# 

  下載harbor離線安裝包

root@harbor:~# wget https://github.com/goharbor/harbor/releases/download/v2.8.0/harbor-offline-installer-v2.8.0.tgz

  建立存放harbor離線安裝包目錄,並將離線安裝包解壓於對應目錄

root@harbor:~# ls
harbor-offline-installer-v2.8.0.tgz
root@harbor:~# mkdir /app
root@harbor:~# tar xf harbor-offline-installer-v2.8.0.tgz -C /app/
root@harbor:~# cd /app/
root@harbor:/app# ls
harbor
root@harbor:/app# 

  建立存放證照的目錄certs

root@harbor:/app# ls
harbor
root@harbor:/app# mkdir certs
root@harbor:/app# ls
certs  harbor
root@harbor:/app# 

  上傳證照

root@harbor:/app/certs# ls
9529909_harbor.ik8s.cc_nginx.zip
root@harbor:/app/certs# unzip 9529909_harbor.ik8s.cc_nginx.zip 
Archive:  9529909_harbor.ik8s.cc_nginx.zip
Aliyun Certificate Download
  inflating: 9529909_harbor.ik8s.cc.pem  
  inflating: 9529909_harbor.ik8s.cc.key  
root@harbor:/app/certs# ls
9529909_harbor.ik8s.cc.key  9529909_harbor.ik8s.cc.pem  9529909_harbor.ik8s.cc_nginx.zip
root@harbor:/app/certs# 

  複製harbor配置模板為harbor.yaml

root@harbor:/app/certs# cd ..
root@harbor:/app# ls
certs  harbor
root@harbor:/app# cd harbor/
root@harbor:/app/harbor# ls
LICENSE  common.sh  harbor.v2.8.0.tar.gz  harbor.yml.tmpl  install.sh  prepare
root@harbor:/app/harbor# cp harbor.yml.tmpl harbor.yml
root@harbor:/app/harbor# 

  編輯harbor.yaml檔案

root@harbor:/app/harbor# grep -v "#" harbor.yml | grep -v "^#"

hostname: harbor.ik8s.cc

http:
  port: 80

https:
  port: 443
  certificate: /app/certs/9529909_harbor.ik8s.cc.pem
  private_key: /app/certs/9529909_harbor.ik8s.cc.key



harbor_admin_password: admin123.com

database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0

data_volume: /data



trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false

jobservice:
  max_job_workers: 10

notification:
  webhook_job_max_retry: 3

log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor


_version: 2.8.0




proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy



upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false

cache:
  enabled: false
  expire_hours: 24
root@harbor:/app/harbor# 

  提示:上述配置檔案修改了hostname,這個主要用來指定證照中站點域名,這個必須和證照籤發時指定的域名一樣;其次是證照和私鑰的路徑以及harbor預設登入密碼;

  根據配置檔案中指定路徑來建立存放harbor的資料目錄

root@harbor:/app/harbor# grep "data_volume" harbor.yml
data_volume: /data
root@harbor:/app/harbor# mkdir /data
root@harbor:/app/harbor# 

  提示:為了避免資料丟失建議這個目錄是掛載網路檔案系統,如nfs;

  執行harbor部署

root@harbor:/app/harbor# ./install.sh --with-notary --with-trivy

[Step 0]: checking if docker is installed ...

Note: docker version: 23.0.3

[Step 1]: checking docker-compose is installed ...

Note: Docker Compose version v2.17.2

[Step 2]: loading Harbor images ...
17d981d1fd47: Loading layer [==================================================>]  37.78MB/37.78MB
31886c65da47: Loading layer [==================================================>]  99.07MB/99.07MB
22b8b3f55675: Loading layer [==================================================>]  3.584kB/3.584kB
e0d07daed386: Loading layer [==================================================>]  3.072kB/3.072kB
192e4941b719: Loading layer [==================================================>]   2.56kB/2.56kB
ea466c659008: Loading layer [==================================================>]  3.072kB/3.072kB
0a9da2a9c15e: Loading layer [==================================================>]  3.584kB/3.584kB
b8d43ab61309: Loading layer [==================================================>]  20.48kB/20.48kB
Loaded image: goharbor/harbor-log:v2.8.0
91ff9ec8c599: Loading layer [==================================================>]  5.762MB/5.762MB
7b3b74d0bc46: Loading layer [==================================================>]  9.137MB/9.137MB
415c34d8de89: Loading layer [==================================================>]  14.47MB/14.47MB
d5f96f4cee68: Loading layer [==================================================>]  29.29MB/29.29MB
2e13bf4c5a45: Loading layer [==================================================>]  22.02kB/22.02kB
3065ef318899: Loading layer [==================================================>]  14.47MB/14.47MB
Loaded image: goharbor/notary-signer-photon:v2.8.0
10b1cdff4db0: Loading layer [==================================================>]  5.767MB/5.767MB
8ca511ff01d7: Loading layer [==================================================>]  4.096kB/4.096kB
c561ee469bc5: Loading layer [==================================================>]  17.57MB/17.57MB
88b0cf5853d2: Loading layer [==================================================>]  3.072kB/3.072kB
f68cc37aeda4: Loading layer [==================================================>]  31.01MB/31.01MB
f96735fc99d1: Loading layer [==================================================>]  49.37MB/49.37MB
Loaded image: goharbor/harbor-registryctl:v2.8.0
117dfa0ad222: Loading layer [==================================================>]   8.91MB/8.91MB
fad9e0a04e3e: Loading layer [==================================================>]  25.92MB/25.92MB
b5e945e047c5: Loading layer [==================================================>]  4.608kB/4.608kB
5b87a66594e3: Loading layer [==================================================>]  26.71MB/26.71MB
Loaded image: goharbor/harbor-exporter:v2.8.0
844a11bc472a: Loading layer [==================================================>]  91.99MB/91.99MB
329ec42b7278: Loading layer [==================================================>]  3.072kB/3.072kB
479889c4a17d: Loading layer [==================================================>]   59.9kB/59.9kB
9d7cf0ba93a4: Loading layer [==================================================>]  61.95kB/61.95kB
Loaded image: goharbor/redis-photon:v2.8.0
d78edf9b37a0: Loading layer [==================================================>]  5.762MB/5.762MB
6b1886c87164: Loading layer [==================================================>]  9.137MB/9.137MB
8e04b3ba3694: Loading layer [==================================================>]  15.88MB/15.88MB
1859c0f529e2: Loading layer [==================================================>]  29.29MB/29.29MB
5a4832cc0365: Loading layer [==================================================>]  22.02kB/22.02kB
32e5f34311d8: Loading layer [==================================================>]  15.88MB/15.88MB
Loaded image: goharbor/notary-server-photon:v2.8.0
157c80352244: Loading layer [==================================================>]  44.11MB/44.11MB
ae9e333084d9: Loading layer [==================================================>]  65.86MB/65.86MB
9172f69ba869: Loading layer [==================================================>]  24.09MB/24.09MB
78d4f0b7a9dd: Loading layer [==================================================>]  65.54kB/65.54kB
66e1120f8426: Loading layer [==================================================>]   2.56kB/2.56kB
d2e29dcfd3b2: Loading layer [==================================================>]  1.536kB/1.536kB
e2862979f5b1: Loading layer [==================================================>]  12.29kB/12.29kB
f060948ced19: Loading layer [==================================================>]  2.621MB/2.621MB
4f1f83dea031: Loading layer [==================================================>]  416.8kB/416.8kB
Loaded image: goharbor/prepare:v2.8.0
b757f0470527: Loading layer [==================================================>]  8.909MB/8.909MB
45f3777da07b: Loading layer [==================================================>]  3.584kB/3.584kB
1ec69429b88c: Loading layer [==================================================>]   2.56kB/2.56kB
54ae653f9340: Loading layer [==================================================>]   47.5MB/47.5MB
2b5374d50351: Loading layer [==================================================>]  48.29MB/48.29MB
Loaded image: goharbor/harbor-jobservice:v2.8.0
138a75d30165: Loading layer [==================================================>]  6.295MB/6.295MB
37678a05d20c: Loading layer [==================================================>]  4.096kB/4.096kB
62ab39a1f583: Loading layer [==================================================>]  3.072kB/3.072kB
dc2c8ea056cc: Loading layer [==================================================>]  191.2MB/191.2MB
eef0034d3cf6: Loading layer [==================================================>]  14.03MB/14.03MB
8ef49e77e2da: Loading layer [==================================================>]    206MB/206MB
Loaded image: goharbor/trivy-adapter-photon:v2.8.0
7b11ded34da7: Loading layer [==================================================>]  5.767MB/5.767MB
db79ebbe62ed: Loading layer [==================================================>]  4.096kB/4.096kB
7008de4e1efa: Loading layer [==================================================>]  3.072kB/3.072kB
78e690f643e2: Loading layer [==================================================>]  17.57MB/17.57MB
c59eb6af140b: Loading layer [==================================================>]  18.36MB/18.36MB
Loaded image: goharbor/registry-photon:v2.8.0
697d673e9002: Loading layer [==================================================>]  91.15MB/91.15MB
73dc6648b3fc: Loading layer [==================================================>]  6.097MB/6.097MB
7c040ff2580b: Loading layer [==================================================>]  1.233MB/1.233MB
Loaded image: goharbor/harbor-portal:v2.8.0
ed7088f4a42d: Loading layer [==================================================>]   8.91MB/8.91MB
5fb2a39a2645: Loading layer [==================================================>]  3.584kB/3.584kB
eed4c9aebbc2: Loading layer [==================================================>]   2.56kB/2.56kB
5a03baf4cc2c: Loading layer [==================================================>]  59.24MB/59.24MB
23c80bc54f04: Loading layer [==================================================>]  5.632kB/5.632kB
f7e397f31506: Loading layer [==================================================>]  115.7kB/115.7kB
78504c142fac: Loading layer [==================================================>]  44.03kB/44.03kB
ec904722ce15: Loading layer [==================================================>]  60.19MB/60.19MB
4746711ff0cc: Loading layer [==================================================>]   2.56kB/2.56kB
Loaded image: goharbor/harbor-core:v2.8.0
6460b77e3fdb: Loading layer [==================================================>]  123.4MB/123.4MB
19620cea1000: Loading layer [==================================================>]  22.57MB/22.57MB
d9674d59d34c: Loading layer [==================================================>]   5.12kB/5.12kB
f3b8b5f2a0b2: Loading layer [==================================================>]  6.144kB/6.144kB
948463f03a69: Loading layer [==================================================>]  3.072kB/3.072kB
674b9b213d01: Loading layer [==================================================>]  2.048kB/2.048kB
77dff9e1e728: Loading layer [==================================================>]   2.56kB/2.56kB
7c74827c6695: Loading layer [==================================================>]   2.56kB/2.56kB
254ef4a11cdc: Loading layer [==================================================>]   2.56kB/2.56kB
23cb6acbaaad: Loading layer [==================================================>]  9.728kB/9.728kB
Loaded image: goharbor/harbor-db:v2.8.0
6ca8f9c9b7ce: Loading layer [==================================================>]  91.15MB/91.15MB
Loaded image: goharbor/nginx-photon:v2.8.0


[Step 3]: preparing environment ...

[Step 4]: preparing harbor configs ...
prepare base dir is set to /app/harbor
Generated configuration file: /config/portal/nginx.conf
Generated configuration file: /config/log/logrotate.conf
Generated configuration file: /config/log/rsyslog_docker.conf
Generated configuration file: /config/nginx/nginx.conf
Generated configuration file: /config/core/env
Generated configuration file: /config/core/app.conf
Generated configuration file: /config/registry/config.yml
Generated configuration file: /config/registryctl/env
Generated configuration file: /config/registryctl/config.yml
Generated configuration file: /config/db/env
Generated configuration file: /config/jobservice/env
Generated configuration file: /config/jobservice/config.yml
Generated and saved secret to file: /data/secret/keys/secretkey
Successfully called func: create_root_cert
Successfully called func: create_root_cert
Successfully called func: create_cert
Copying certs for notary signer
Copying nginx configuration file for notary
Generated configuration file: /config/nginx/conf.d/notary.upstream.conf
Generated configuration file: /config/nginx/conf.d/notary.server.conf
Generated configuration file: /config/notary/server-config.postgres.json
Generated configuration file: /config/notary/server_env
Generated and saved secret to file: /data/secret/keys/defaultalias
Generated configuration file: /config/notary/signer_env
Generated configuration file: /config/notary/signer-config.postgres.json
Generated configuration file: /config/trivy-adapter/env
Generated configuration file: /compose_location/docker-compose.yml
Clean up the input dir


Note: stopping existing Harbor instance ...


[Step 5]: starting Harbor ...
➜ 
    Notary will be deprecated as of Harbor v2.6.0 and start to be removed in v2.8.0 or later.
    You can use cosign for signature instead since Harbor v2.5.0.
    Please see discussion here for more details. https://github.com/goharbor/harbor/discussions/16612
[+] Running 15/15
 ✔ Network harbor_harbor         Created                                                                                                                              0.2s 
 ✔ Network harbor_notary-sig     Created                                                                                                                              0.2s 
 ✔ Network harbor_harbor-notary  Created                                                                                                                              0.1s 
 ✔ Container harbor-log          Started                                                                                                                              5.3s 
 ✔ Container harbor-db           Started                                                                                                                              7.2s 
 ✔ Container redis               Started                                                                                                                              6.4s 
 ✔ Container registry            Started                                                                                                                              6.3s 
 ✔ Container harbor-portal       Started                                                                                                                              6.9s 
 ✔ Container registryctl         Started                                                                                                                              6.4s 
 ✔ Container trivy-adapter       Started                                                                                                                              6.0s 
 ✔ Container harbor-core         Started                                                                                                                              7.4s 
 ✔ Container notary-signer       Started                                                                                                                              7.1s 
 ✔ Container nginx               Started                                                                                                                              8.9s 
 ✔ Container harbor-jobservice   Started                                                                                                                              8.8s 
 ✔ Container notary-server       Started                                                                                                                              7.2s 
✔ ----Harbor has been installed and started successfully.----
root@harbor:/app/harbor# 

  域名解析,將證照籤發時的域名指向harbor伺服器

  驗證:透過windows的瀏覽器訪問harbor.ik8s.cc,看看對應harbor是否能夠正常訪問到?

  使用我配置的密碼登入harbor,看看是否可用正常登入?

  建立專案是否可用正常建立?

  提示:可用看到我們在web網頁上能夠成功建立專案;

  擴充套件:給harbor提供service檔案,實現開機自動啟動

root@harbor:/app/harbor# cat /usr/lib/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-networkd.service systemd-resolved.service
Requires=docker.service
Documentation=http://github.com/vmware/harbor
 
[Service]
Type=simple
Restart=on-failure
RestartSec=5
ExecStart=/usr/local/bin/docker-compose -f  /app/harbor/docker-compose.yml up 
ExecStop=/usr/local/bin/docker-compose -f /app/harbor/docker-compose.yml down
 
[Install]
WantedBy=multi-user.target
root@harbor:/app/harbor# 

  載入harbor.service重啟harbor並設定harbor開機自啟動

root@harbor:/app/harbor# systemctl 
root@harbor:/app/harbor# systemctl daemon-reload
root@harbor:/app/harbor# systemctl restart harbor
root@harbor:/app/harbor# systemctl enable harbor
Created symlink /etc/systemd/system/multi-user.target.wants/harbor.service → /lib/systemd/system/harbor.service.
root@harbor:/app/harbor# 

  3、測試基於nerdctl可以登入https harbor並能實現進行分發

  nerdctl登入harbor

root@k8s-node02:~# nerdctl login harbor.ik8s.cc
Enter Username: admin
Enter Password: 
WARN[0005] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-node02:~# 

  提示:這裡也需要做域名解析;

  測試從node02本地向harbor上傳映象

root@k8s-node02:~# nerdctl pull nginx
WARN[0000] skipping verifying HTTPS certs for "docker.io" 
docker.io/library/nginx:latest:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:63b44e8ddb83d5dd8020327c1f40436e37a6fffd3ef2498a6204df23be6e7e94:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:f2fee5c7194cbbfb9d2711fa5de094c797a42a51aa42b0c8ee8ca31547c872b1: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:6efc10a0510f143a90b69dc564a914574973223e88418d65c1f8809e08dc0a1f:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:75576236abf5959ff23b741ed8c4786e244155b9265db5e6ecda9d8261de529f:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:26c5c85e47da3022f1bdb9a112103646c5c29517d757e95426f16e4bd9533405:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:8c767bdbc9aedd4bbf276c6f28aad18251cceacb768967c5702974ae1eac23cd:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:78e14bb05fd35b58587cd0c5ca2c2eb12b15031633ec30daa21c0ea3d2bb2a15:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:4f3256bdf66bf00bcec08043e67a80981428f0e0de12f963eac3c753b14d101d:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:2019c71d56550b97ce01e0b6ef8e971fec705186f2927d2cb109ac3e18edb0ac:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 41.1s                                                                    total:  54.4 M (1.3 MiB/s)                                       
root@k8s-node02:~# nerdctl images
REPOSITORY    TAG       IMAGE ID        CREATED           PLATFORM       SIZE         BLOB SIZE
nginx         latest    63b44e8ddb83    10 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
<none>        <none>    63b44e8ddb83    10 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
root@k8s-node02:~# nerdctl tag nginx harbor.ik8s.cc/baseimages/nginx:v1
root@k8s-node02:~# nerdctl images
REPOSITORY                         TAG       IMAGE ID        CREATED           PLATFORM       SIZE         BLOB SIZE
nginx                              latest    63b44e8ddb83    51 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
harbor.ik8s.cc/baseimages/nginx    v1        63b44e8ddb83    5 seconds ago     linux/amd64    149.8 MiB    54.4 MiB
<none>                             <none>    63b44e8ddb83    51 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
root@k8s-node02:~# nerdctl push harbor.ik8s.cc/baseimages/nginx:v1
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.list.v2+json, sha256:c45a31532f8fcd4db2302631bc1644322aa43c396fabbf3f9e9038ff09688c26) 
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
index-sha256:c45a31532f8fcd4db2302631bc1644322aa43c396fabbf3f9e9038ff09688c26:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:f2fee5c7194cbbfb9d2711fa5de094c797a42a51aa42b0c8ee8ca31547c872b1: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:6efc10a0510f143a90b69dc564a914574973223e88418d65c1f8809e08dc0a1f:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 4.2 s                                                                    total:  9.6 Ki (2.3 KiB/s)                                       
root@k8s-node02:~# 

  驗證:在web網頁上看我們上傳的nginx:v1映象是否在倉庫裡?

  測試從harbor倉庫下載映象到本地

root@k8s-node03:~# nerdctl images
REPOSITORY    TAG    IMAGE ID    CREATED    PLATFORM    SIZE    BLOB SIZE
root@k8s-node03:~# nerdctl login harbor.ik8s.cc
Enter Username: admin
Enter Password: 
WARN[0004] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-node03:~# nerdctl pull harbor.ik8s.cc/baseimages/nginx:v1
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
harbor.ik8s.cc/baseimages/nginx:v1:                                               resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:c45a31532f8fcd4db2302631bc1644322aa43c396fabbf3f9e9038ff09688c26:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:f2fee5c7194cbbfb9d2711fa5de094c797a42a51aa42b0c8ee8ca31547c872b1: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:6efc10a0510f143a90b69dc564a914574973223e88418d65c1f8809e08dc0a1f:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:75576236abf5959ff23b741ed8c4786e244155b9265db5e6ecda9d8261de529f:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:2019c71d56550b97ce01e0b6ef8e971fec705186f2927d2cb109ac3e18edb0ac:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:26c5c85e47da3022f1bdb9a112103646c5c29517d757e95426f16e4bd9533405:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:8c767bdbc9aedd4bbf276c6f28aad18251cceacb768967c5702974ae1eac23cd:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:4f3256bdf66bf00bcec08043e67a80981428f0e0de12f963eac3c753b14d101d:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:78e14bb05fd35b58587cd0c5ca2c2eb12b15031633ec30daa21c0ea3d2bb2a15:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 7.3 s                                                                    total:  54.4 M (7.4 MiB/s)                                       
root@k8s-node03:~# nerdctl images
REPOSITORY                         TAG       IMAGE ID        CREATED          PLATFORM       SIZE         BLOB SIZE
harbor.ik8s.cc/baseimages/nginx    v1        c45a31532f8f    5 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
<none>                             <none>    c45a31532f8f    5 seconds ago    linux/amd64    149.8 MiB    54.4 MiB
root@k8s-node03:~# 

  透過上述測試,可以看到我們部署的harbor倉庫能夠實現上傳和下載images;至此基於商用公司的免費證照搭建https harbor倉庫就完成了;

  4、基於kubeasz部署高可用kubernetes叢集

  部署節點部署環境初始化

  本次我們使用kubeasz專案來部署二進位制高可用k8s叢集;專案地址:https://github.com/easzlab/kubeasz;該專案使用ansible-playbook實現自動化,提供一件安裝指令碼,也可以分步驟執行安裝各元件;所以部署節點首先要安裝好ansible,其次該專案使用docker下載部署k8s過程中的各種映象以及二進位制,所以部署節點docker也需要安裝好,當然如果你的部署節點沒有安裝docker,它也會自動幫你安裝;

  部署節點配置docker源

root@deploy:~# apt-get update && apt-get -y install apt-transport-https ca-certificates curl software-properties-common && curl -fsSL https://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add - && add-apt-repository "deb [arch=amd64] https://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable" && apt-get -y update

  部署節點安裝ansible、docker

root@deploy:~# apt-cache madison ansible docker-ce
   ansible | 2.10.7+merged+base+2.10.8+dfsg-1 | http://mirrors.aliyun.com/ubuntu jammy/universe amd64 Packages
   ansible | 2.10.7+merged+base+2.10.8+dfsg-1 | http://mirrors.aliyun.com/ubuntu jammy/universe Sources
 docker-ce | 5:23.0.4-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.3-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.2-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.1-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:23.0.0-1~ubuntu.22.04~jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.24~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.23~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.22~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.21~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.20~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.19~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.18~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.17~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.16~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.15~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.14~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
 docker-ce | 5:20.10.13~3-0~ubuntu-jammy | https://mirrors.aliyun.com/docker-ce/linux/ubuntu jammy/stable amd64 Packages
root@deploy:~# apt install ansible docker-ce -y

  部署節點安裝sshpass命令⽤於同步公鑰到各k8s伺服器

root@deploy:~# apt install sshpass -y

  部署節點生成金鑰對

root@deploy:~# ssh-keygen -t rsa-sha2-512 -b 4096
Generating public/private rsa-sha2-512 key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:uZ7jOnS/r0FNsPRpvvachoFwrUo2X0wbJ2Ve/wm596I root@deploy.ik8s.cc
The key's randomart image is:
+---[RSA 4096]----+
|          o      |
|         . + .o .|
|          ..=+...|
|        ...==oo .|
|        So.=o=o o|
|      . =oo =o o.|
|     . +.=..oo. .|
|      ..o.oo.oo..|
|      .++.o+Eo+. |
+----[SHA256]-----+
root@deploy:~# 

  編寫分發公鑰指令碼

root@k8s-deploy:~# cat pub-key-scp.sh 
#!/bin/bash
#⽬標主機列表
HOSTS="
192.168.0.31
192.168.0.32
192.168.0.33
192.168.0.34
192.168.0.35
192.168.0.36
192.168.0.37
192.168.0.38
192.168.0.39
"
REMOTE_PORT="22"
REMOTE_USER="root"
REMOTE_PASS="admin"
 
for REMOTE_HOST in ${HOSTS};do
        REMOTE_CMD="echo ${REMOTE_HOST} is successfully!"
        #新增目標遠端主機的公鑰
        ssh-keyscan -p "${REMOTE_PORT}" "${REMOTE_HOST}" >> ~/.ssh/known_hosts
        #透過sshpass配置免秘鑰登入、並建立python3軟連線
        sshpass -p "${REMOTE_PASS}" ssh-copy-id "${REMOTE_USER}@${REMOTE_HOST}"
        ssh ${REMOTE_HOST} ln -sv /usr/bin/python3 /usr/bin/python
        echo ${REMOTE_HOST} 免秘鑰配置完成!
done
root@k8s-deploy:~# 

  執行指令碼分發ssh公鑰至master、node、etcd節點實現免金鑰登入

root@deploy:~# sh pub-key-scp.sh

  驗證:在deploy節點,ssh連線k8s叢集任意主機,看看是否能夠正常免密登入?

root@k8s-deploy:~# ssh 192.168.0.33
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-70-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Sat Apr 22 11:45:25 2023 from 192.168.0.232
root@k8s-master03:~# exit
logout
Connection to 192.168.0.33 closed.
root@k8s-deploy:~# 

  提示:能夠正常免密登入對應主機,表示上述指令碼實現免密登入沒有問題;

  下載kubeasz專案安裝指令碼

root@deploy:~# apt install git -y
root@deploy:~# export release=3.5.2
root@deploy:~# wget https://github.com/easzlab/kubeasz/releases/download/${release}/ezdown

  編輯ezdown

  提示:編輯ezdown指令碼主要是定義安裝下載元件的版本,根據自己環境來定製對應版本就好;

  給指令碼新增執行許可權

root@k8s-deploy:~# chmod a+x ezdown 
root@k8s-deploy:~# ll ezdown
-rwxr-xr-x 1 root root 25433 Feb  9 15:11 ezdown*
root@k8s-deploy:~# 

  執行指令碼,下載kubeasz專案及元件

root@deploy:~# ./ezdown -D

  提示:執行ezdown指令碼它會下載一些映象和二進位制工具等,並將下載的二進位制工具和kubeasz專案存放在/etc/kubeasz/目錄中;

root@k8s-deploy:~# ll /etc/kubeasz/
total 140
drwxrwxr-x 13 root root  4096 Apr 22 07:59 ./
drwxr-xr-x 83 root root  4096 Apr 22 11:53 ../
drwxrwxr-x  3 root root  4096 Feb  9 15:14 .github/
-rw-rw-r--  1 root root   301 Feb  9 14:50 .gitignore
-rw-rw-r--  1 root root  5556 Feb  9 14:50 README.md
-rw-rw-r--  1 root root 20304 Feb  9 14:50 ansible.cfg
drwxr-xr-x  3 root root  4096 Apr 22 07:50 bin/
drwxr-xr-x  3 root root  4096 Apr 22 07:59 clusters/
drwxrwxr-x  8 root root  4096 Feb  9 15:14 docs/
drwxr-xr-x  2 root root  4096 Apr 22 07:59 down/
drwxrwxr-x  2 root root  4096 Feb  9 15:14 example/
-rwxrwxr-x  1 root root 26174 Feb  9 14:50 ezctl*
-rwxrwxr-x  1 root root 25433 Feb  9 14:50 ezdown*
drwxrwxr-x 10 root root  4096 Feb  9 15:14 manifests/
drwxrwxr-x  2 root root  4096 Feb  9 15:14 pics/
drwxrwxr-x  2 root root  4096 Apr 22 08:07 playbooks/
drwxrwxr-x 22 root root  4096 Feb  9 15:14 roles/
drwxrwxr-x  2 root root  4096 Feb  9 15:14 tools/
root@k8s-deploy:~# 

  檢視ezctl工具的使用幫助

root@deploy:~# cd /etc/kubeasz/
root@deploy:/etc/kubeasz# ./ezctl --help
Usage: ezctl COMMAND [args]
-------------------------------------------------------------------------------------
Cluster setups:
    list                             to list all of the managed clusters
    checkout    <cluster>            to switch default kubeconfig of the cluster
    new         <cluster>            to start a new k8s deploy with name 'cluster'
    setup       <cluster>  <step>    to setup a cluster, also supporting a step-by-step way
    start       <cluster>            to start all of the k8s services stopped by 'ezctl stop'
    stop        <cluster>            to stop all of the k8s services temporarily
    upgrade     <cluster>            to upgrade the k8s cluster
    destroy     <cluster>            to destroy the k8s cluster
    backup      <cluster>            to backup the cluster state (etcd snapshot)
    restore     <cluster>            to restore the cluster state from backups
    start-aio                        to quickly setup an all-in-one cluster with default settings

Cluster ops:
    add-etcd    <cluster>  <ip>      to add a etcd-node to the etcd cluster
    add-master  <cluster>  <ip>      to add a master node to the k8s cluster
    add-node    <cluster>  <ip>      to add a work node to the k8s cluster
    del-etcd    <cluster>  <ip>      to delete a etcd-node from the etcd cluster
    del-master  <cluster>  <ip>      to delete a master node from the k8s cluster
    del-node    <cluster>  <ip>      to delete a work node from the k8s cluster

Extra operation:
    kca-renew   <cluster>            to force renew CA certs and all the other certs (with caution)
    kcfg-adm    <cluster>  <args>    to manage client kubeconfig of the k8s cluster

Use "ezctl help <command>" for more information about a given command.
root@deploy:/etc/kubeasz# 

  使用ezctl工具生成配置檔案和hosts檔案

root@k8s-deploy:~# cd /etc/kubeasz/
root@k8s-deploy:/etc/kubeasz# ./ezctl new k8s-cluster01
2023-04-22 13:27:51 DEBUG generate custom cluster files in /etc/kubeasz/clusters/k8s-cluster01
2023-04-22 13:27:51 DEBUG set versions
2023-04-22 13:27:51 DEBUG disable registry mirrors
2023-04-22 13:27:51 DEBUG cluster k8s-cluster01: files successfully created.
2023-04-22 13:27:51 INFO next steps 1: to config '/etc/kubeasz/clusters/k8s-cluster01/hosts'
2023-04-22 13:27:51 INFO next steps 2: to config '/etc/kubeasz/clusters/k8s-cluster01/config.yml'
root@k8s-deploy:/etc/kubeasz# 

  編輯ansible hosts配置檔案

root@k8s-deploy:/etc/kubeasz# cat /etc/kubeasz/clusters/k8s-cluster01/hosts
# 'etcd' cluster should have odd member(s) (1,3,5,...)
[etcd]
192.168.0.37
192.168.0.38
192.168.0.39

# master node(s), set unique 'k8s_nodename' for each node
# CAUTION: 'k8s_nodename' must consist of lower case alphanumeric characters, '-' or '.',
# and must start and end with an alphanumeric character
[kube_master]
192.168.0.31 k8s_nodename='192.168.0.31'
192.168.0.32 k8s_nodename='192.168.0.32'
#192.168.0.33 k8s_nodename='192.168.0.33'

# work node(s), set unique 'k8s_nodename' for each node
# CAUTION: 'k8s_nodename' must consist of lower case alphanumeric characters, '-' or '.',
# and must start and end with an alphanumeric character
[kube_node]
192.168.0.34 k8s_nodename='192.168.0.34'
192.168.0.35 k8s_nodename='192.168.0.35'

# [optional] harbor server, a private docker registry
# 'NEW_INSTALL': 'true' to install a harbor server; 'false' to integrate with existed one
[harbor]
#192.168.1.8 NEW_INSTALL=false

# [optional] loadbalance for accessing k8s from outside
[ex_lb]
#192.168.1.6 LB_ROLE=backup EX_APISERVER_VIP=192.168.1.250 EX_APISERVER_PORT=8443
#192.168.1.7 LB_ROLE=master EX_APISERVER_VIP=192.168.1.250 EX_APISERVER_PORT=8443

# [optional] ntp server for the cluster
[chrony]
#192.168.1.1

[all:vars]
# --------- Main Variables ---------------
# Secure port for apiservers
SECURE_PORT="6443"

# Cluster container-runtime supported: docker, containerd
# if k8s version >= 1.24, docker is not supported
CONTAINER_RUNTIME="containerd"

# Network plugins supported: calico, flannel, kube-router, cilium, kube-ovn
CLUSTER_NETWORK="calico"

# Service proxy mode of kube-proxy: 'iptables' or 'ipvs'
PROXY_MODE="ipvs"

# K8S Service CIDR, not overlap with node(host) networking
SERVICE_CIDR="10.100.0.0/16"

# Cluster CIDR (Pod CIDR), not overlap with node(host) networking
CLUSTER_CIDR="10.200.0.0/16"

# NodePort Range
NODE_PORT_RANGE="30000-32767"

# Cluster DNS Domain
CLUSTER_DNS_DOMAIN="cluster.local"

# -------- Additional Variables (don't change the default value right now) ---
# Binaries Directory
bin_dir="/usr/local/bin"

# Deploy Directory (kubeasz workspace)
base_dir="/etc/kubeasz"

# Directory for a specific cluster
cluster_dir="{{ base_dir }}/clusters/k8s-cluster01"

# CA and other components cert/key Directory
ca_dir="/etc/kubernetes/ssl"

# Default 'k8s_nodename' is empty
k8s_nodename=''
root@k8s-deploy:/etc/kubeasz# 

  提示:上述hosts配置檔案主要用來指定etcd節點、master節點、node節點、vip、執行時、網路元件型別、service IP與pod IP範圍等配置資訊。

  編輯cluster config.yml檔案

root@k8s-deploy:/etc/kubeasz# cat /etc/kubeasz/clusters/k8s-cluster01/config.yml 
############################
# prepare
############################
# 可選離線安裝系統軟體包 (offline|online)
INSTALL_SOURCE: "online"

# 可選進行系統安全加固 github.com/dev-sec/ansible-collection-hardening
OS_HARDEN: false


############################
# role:deploy
############################
# default: ca will expire in 100 years
# default: certs issued by the ca will expire in 50 years
CA_EXPIRY: "876000h"
CERT_EXPIRY: "438000h"

# force to recreate CA and other certs, not suggested to set 'true'
CHANGE_CA: false

# kubeconfig 配置引數
CLUSTER_NAME: "cluster1"
CONTEXT_NAME: "context-{{ CLUSTER_NAME }}"

# k8s version
K8S_VER: "1.26.1"

# set unique 'k8s_nodename' for each node, if not set(default:'') ip add will be used
# CAUTION: 'k8s_nodename' must consist of lower case alphanumeric characters, '-' or '.',
# and must start and end with an alphanumeric character (e.g. 'example.com'),
# regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'
K8S_NODENAME: "{%- if k8s_nodename != '' -%} \
                    {{ k8s_nodename|replace('_', '-')|lower }} \
               {%- else -%} \
                    {{ inventory_hostname }} \
               {%- endif -%}"

############################
# role:etcd
############################
# 設定不同的wal目錄,可以避免磁碟io競爭,提高效能
ETCD_DATA_DIR: "/var/lib/etcd"
ETCD_WAL_DIR: ""


############################
# role:runtime [containerd,docker]
############################
# ------------------------------------------- containerd
# [.]啟用容器倉庫映象
ENABLE_MIRROR_REGISTRY: true

# [containerd]基礎容器映象
SANDBOX_IMAGE: "harbor.ik8s.cc/baseimages/pause:3.9"

# [containerd]容器持久化儲存目錄
CONTAINERD_STORAGE_DIR: "/var/lib/containerd"

# ------------------------------------------- docker
# [docker]容器儲存目錄
DOCKER_STORAGE_DIR: "/var/lib/docker"

# [docker]開啟Restful API
ENABLE_REMOTE_API: false

# [docker]信任的HTTP倉庫
INSECURE_REG: '["http://easzlab.io.local:5000"]'


############################
# role:kube-master
############################
# k8s 叢集 master 節點證照配置,可以新增多個ip和域名(比如增加公網ip和域名)
MASTER_CERT_HOSTS:
  - "192.168.0.111"
  - "kubeapi.ik8s.cc"
  #- "www.test.com"

# node 節點上 pod 網段掩碼長度(決定每個節點最多能分配的pod ip地址)
# 如果flannel 使用 --kube-subnet-mgr 引數,那麼它將讀取該設定為每個節點分配pod網段
# https://github.com/coreos/flannel/issues/847
NODE_CIDR_LEN: 24


############################
# role:kube-node
############################
# Kubelet 根目錄
KUBELET_ROOT_DIR: "/var/lib/kubelet"

# node節點最大pod 數
MAX_PODS: 200

# 配置為kube元件(kubelet,kube-proxy,dockerd等)預留的資源量
# 數值設定詳見templates/kubelet-config.yaml.j2
KUBE_RESERVED_ENABLED: "no"

# k8s 官方不建議草率開啟 system-reserved, 除非你基於長期監控,瞭解系統的資源佔用狀況;
# 並且隨著系統執行時間,需要適當增加資源預留,數值設定詳見templates/kubelet-config.yaml.j2
# 系統預留設定基於 4c/8g 虛機,最小化安裝系統服務,如果使用高效能物理機可以適當增加預留
# 另外,叢集安裝時候apiserver等資源佔用會短時較大,建議至少預留1g記憶體
SYS_RESERVED_ENABLED: "no"


############################
# role:network [flannel,calico,cilium,kube-ovn,kube-router]
############################
# ------------------------------------------- flannel
# [flannel]設定flannel 後端"host-gw","vxlan"等
FLANNEL_BACKEND: "vxlan"
DIRECT_ROUTING: false

# [flannel] 
flannel_ver: "v0.19.2"

# ------------------------------------------- calico
# [calico] IPIP隧道模式可選項有: [Always, CrossSubnet, Never],跨子網可以配置為Always與CrossSubnet(公有云建議使用always比較省事,其他的話需要修改各自公有云的網路配置,具體可以參考各個公有云說明)
# 其次CrossSubnet為隧道+BGP路由混合模式可以提升網路效能,同子網配置為Never即可.
CALICO_IPV4POOL_IPIP: "Always"

# [calico]設定 calico-node使用的host IP,bgp鄰居透過該地址建立,可手工指定也可以自動發現
IP_AUTODETECTION_METHOD: "can-reach={{ groups['kube_master'][0] }}"

# [calico]設定calico 網路 backend: brid, vxlan, none
CALICO_NETWORKING_BACKEND: "brid"

# [calico]設定calico 是否使用route reflectors
# 如果叢集規模超過50個節點,建議啟用該特性
CALICO_RR_ENABLED: false

# CALICO_RR_NODES 配置route reflectors的節點,如果未設定預設使用叢集master節點 
# CALICO_RR_NODES: ["192.168.1.1", "192.168.1.2"]
CALICO_RR_NODES: []

# [calico]更新支援calico 版本: ["3.19", "3.23"]
calico_ver: "v3.24.5"

# [calico]calico 主版本
calico_ver_main: "{{ calico_ver.split('.')[0] }}.{{ calico_ver.split('.')[1] }}"

# ------------------------------------------- cilium
# [cilium]映象版本
cilium_ver: "1.12.4"
cilium_connectivity_check: true
cilium_hubble_enabled: false
cilium_hubble_ui_enabled: false

# ------------------------------------------- kube-ovn
# [kube-ovn]選擇 OVN DB and OVN Control Plane 節點,預設為第一個master節點
OVN_DB_NODE: "{{ groups['kube_master'][0] }}"

# [kube-ovn]離線映象tar包
kube_ovn_ver: "v1.5.3"

# ------------------------------------------- kube-router
# [kube-router]公有云上存在限制,一般需要始終開啟 ipinip;自有環境可以設定為 "subnet"
OVERLAY_TYPE: "full"

# [kube-router]NetworkPolicy 支援開關
FIREWALL_ENABLE: true

# [kube-router]kube-router 映象版本
kube_router_ver: "v0.3.1"
busybox_ver: "1.28.4"


############################
# role:cluster-addon
############################
# coredns 自動安裝
dns_install: "no"
corednsVer: "1.9.3"
ENABLE_LOCAL_DNS_CACHE: false
dnsNodeCacheVer: "1.22.13"
# 設定 local dns cache 地址
LOCAL_DNS_CACHE: "169.254.20.10"

# metric server 自動安裝
metricsserver_install: "no"
metricsVer: "v0.5.2"

# dashboard 自動安裝
dashboard_install: "no"
dashboardVer: "v2.7.0"
dashboardMetricsScraperVer: "v1.0.8"

# prometheus 自動安裝
prom_install: "no"
prom_namespace: "monitor"
prom_chart_ver: "39.11.0"

# nfs-provisioner 自動安裝
nfs_provisioner_install: "no"
nfs_provisioner_namespace: "kube-system"
nfs_provisioner_ver: "v4.0.2"
nfs_storage_class: "managed-nfs-storage"
nfs_server: "192.168.1.10"
nfs_path: "/data/nfs"

# network-check 自動安裝
network_check_enabled: false 
network_check_schedule: "*/5 * * * *"

############################
# role:harbor
############################
# harbor version,完整版本號
HARBOR_VER: "v2.6.3"
HARBOR_DOMAIN: "harbor.easzlab.io.local"
HARBOR_PATH: /var/data
HARBOR_TLS_PORT: 8443
HARBOR_REGISTRY: "{{ HARBOR_DOMAIN }}:{{ HARBOR_TLS_PORT }}"

# if set 'false', you need to put certs named harbor.pem and harbor-key.pem in directory 'down'
HARBOR_SELF_SIGNED_CERT: true

# install extra component
HARBOR_WITH_NOTARY: false
HARBOR_WITH_TRIVY: false
HARBOR_WITH_CHARTMUSEUM: true
root@k8s-deploy:/etc/kubeasz# 

  提示:上述配置檔案主要定義了CA和證照的過期時長、kubeconfig配置引數、k8s叢集版本、etcd資料存放目錄、執行時引數、masster證照名稱、node節點pod網段子網掩碼長度、kubelet根目錄、node節點最大pod數量、網路外掛相關引數配置以及叢集外掛安裝相關配置;

  提示:這裡需要注意一點,雖然我們沒有自動安裝coredns,但是這兩個變數需要設定下,如果ENABLE_LOCAL_DNS_CACHE的值是true,下面的LOCAL_DNS_CACHE就寫成對應coredns服務的IP地址;如果ENABLE_LOCAL_DNS_CACHE的值是false,後面的LOCAL_DNS_CACHE是誰的IP地址就無所謂了;

  編輯系統基礎初始化主機配置

  提示:註釋掉上述ex_lb和chrony表示這兩個主機我們主機定義,不需要透過kubeasz來幫我們初始化;即系統初始化,只針對master、node、etcd這三類節點來做;

  準備CA和基礎環境初始化

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 01

  提示:執行上述命令,反饋failed都是0,表示指定節點的初始化環境準備就緒,接下來我們就可以進行第二步部署etcd節點;

  部署etcd叢集

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 02

  提示:這裡報錯說不能/usr/bin/python沒有找到,導致不能獲取到/etc/kubeasz/clusters/k8s-cluster01/ssl/etcd-csr.json資訊;

  解決辦法,在部署節點上將/usr/bin/python3軟連線至/usr/bin/python;

root@deploy:/etc/kubeasz# ln -sv /usr/bin/python3 /usr/bin/python
'/usr/bin/python' -> '/usr/bin/python3'
root@deploy:/etc/kubeasz# 

  再次執行上述部署步驟

  驗證etcd叢集是否正常?

root@k8s-etcd01:~# export NODE_IPS="192.168.0.37 192.168.0.38 192.168.0.39"   
root@k8s-etcd01:~# for ip in ${NODE_IPS}; do ETCDCTL_API=3 /usr/local/bin/etcdctl --endpoints=https://${ip}:2379 --cacert=/etc/kubernetes/ssl/ca.pem --cert=/etc/kubernetes/ssl/etcd.pem --key=/etc/kubernetes/ssl/etcd-key.pem endpoint health; done
https://192.168.0.37:2379 is healthy: successfully committed proposal: took = 32.64189ms
https://192.168.0.38:2379 is healthy: successfully committed proposal: took = 30.249623ms
https://192.168.0.39:2379 is healthy: successfully committed proposal: took = 32.747586ms
root@k8s-etcd01:~# 

  提示:能夠看到上面的健康狀態成功,表示etcd叢集服務正常;

  部署容器執行時containerd

  驗證基礎容器映象

root@deploy:/etc/kubeasz# grep SANDBOX_IMAGE ./clusters/* -R
./clusters/k8s-cluster01/config.yml:SANDBOX_IMAGE: "harbor.ik8s.cc/baseimages/pause:3.9"
root@deploy:/etc/kubeasz# 

  下載基礎映象到本地,然後更換標籤,上傳至harbor之上

root@deploy:/etc/kubeasz# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
3.9: Pulling from google_containers/pause
61fec91190a0: Already exists 
Digest: sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097
Status: Downloaded newer image for registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9
root@deploy:/etc/kubeasz# docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.9 harbor.ik8s.cc/baseimages/pause:3.9
root@deploy:/etc/kubeasz# docker login harbor.ik8s.cc
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@deploy:/etc/kubeasz# docker push harbor.ik8s.cc/baseimages/pause:3.9
The push refers to repository [harbor.ik8s.cc/baseimages/pause]
e3e5579ddd43: Pushed 
3.9: digest: sha256:0fc1f3b764be56f7c881a69cbd553ae25a2b5523c6901fbacb8270307c29d0c4 size: 526
root@deploy:/etc/kubeasz# 

  配置harbor映象倉庫域名解析-公司有DNS伺服器進⾏域名解析

  提示:編輯/etc/kubeasz/roles/containerd/tasks/main.yml檔案在block配置段裡面任意找個地方將其上述任務加上即可;

  編輯/etc/kubeasz/roles/containerd/templates/config.toml.j2⾃定義containerd配置⽂件模板;

  提示:這個引數在ubuntu2204上一定要改成true;否者會出現k8spod不斷重啟的現象;一般和kubelet保持一致;

  提示:這裡可以根據自己的環境來配置相應的映象加速地址;

  私有https/http映象倉庫配置下載認證

  提示:如果你的映象倉庫是一個私有(不是公開的倉庫,即下載映象需要使用者名稱和密碼的倉庫)https/http倉庫,新增上述配置containerd在下載對應倉庫中的映象,會拿這裡配置的使用者名稱密碼去下載映象;

  配置nerdctl客戶端

   提示:編輯/etc/kubeasz/roles/containerd/tasks/main.yml檔案加上nerdctl配置相關任務;

  在部署節點準備nerdctl工具二進位制檔案和依賴檔案、配置檔案

root@k8s-deploy:/etc/kubeasz/bin/containerd-bin# ll
total 184572
drwxr-xr-x 2 root root     4096 Jan 26 01:51 ./
drwxr-xr-x 3 root root     4096 Apr 22 13:17 ../
-rwxr-xr-x 1 root root 51529720 Dec 19 16:53 containerd*
-rwxr-xr-x 1 root root  7254016 Dec 19 16:53 containerd-shim*
-rwxr-xr-x 1 root root  9359360 Dec 19 16:53 containerd-shim-runc-v1*
-rwxr-xr-x 1 root root  9375744 Dec 19 16:53 containerd-shim-runc-v2*
-rwxr-xr-x 1 root root 22735256 Dec 19 16:53 containerd-stress*
-rwxr-xr-x 1 root root 52586151 Dec 14 07:20 crictl*
-rwxr-xr-x 1 root root 26712216 Dec 19 16:53 ctr*
-rwxr-xr-x 1 root root  9431456 Aug 25  2022 runc*
root@k8s-deploy:/etc/kubeasz/bin/containerd-bin# tar xf /root/nerdctl-1.3.0-linux-amd64.tar.gz -C .
root@k8s-deploy:/etc/kubeasz/bin/containerd-bin# ll
total 208940
drwxr-xr-x 2 root root     4096 Apr 22 14:00 ./
drwxr-xr-x 3 root root     4096 Apr 22 13:17 ../
-rwxr-xr-x 1 root root 51529720 Dec 19 16:53 containerd*
-rwxr-xr-x 1 root root    21622 Apr  5 12:21 containerd-rootless-setuptool.sh*
-rwxr-xr-x 1 root root     7032 Apr  5 12:21 containerd-rootless.sh*
-rwxr-xr-x 1 root root  7254016 Dec 19 16:53 containerd-shim*
-rwxr-xr-x 1 root root  9359360 Dec 19 16:53 containerd-shim-runc-v1*
-rwxr-xr-x 1 root root  9375744 Dec 19 16:53 containerd-shim-runc-v2*
-rwxr-xr-x 1 root root 22735256 Dec 19 16:53 containerd-stress*
-rwxr-xr-x 1 root root 52586151 Dec 14 07:20 crictl*
-rwxr-xr-x 1 root root 26712216 Dec 19 16:53 ctr*
-rwxr-xr-x 1 root root 24920064 Apr  5 12:22 nerdctl*
-rwxr-xr-x 1 root root  9431456 Aug 25  2022 runc*
root@k8s-deploy:/etc/kubeasz/bin/containerd-bin# cat /etc/kubeasz/roles/containerd/templates/nerdctl.toml.j2 
namespace = "k8s.io"
debug = false
debug_full = false
insecure_registry = true
root@k8s-deploy:/etc/kubeasz/bin/containerd-bin# 

  提示:準備好nerdctl相關檔案以後,對應就可以執行部署容器執行時containerd的任務;

  執⾏部署容器執行時containerd

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 03

  驗證:在node節點或master節點驗證containerd的版本資訊,以及nerdctl的版本資訊

  提示:在master節點或node節點能夠檢視到containerd和nerdctl的版本資訊,說明容器執行時containerd部署完成;

  測試:在master節點使用nerdctl 下載映象,看看是否可以正常下載?

root@k8s-master01:~# nerdctl pull ubuntu:22.04
WARN[0000] skipping verifying HTTPS certs for "docker.io" 
docker.io/library/ubuntu:22.04:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:7a57c69fe1e9d5b97c5fe649849e79f2cfc3bf11d10bbd5218b4eb61716aebe6: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:08d22c0ceb150ddeb2237c5fa3129c0183f3cc6f5eeb2e7aa4016da3ad02140a:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:2ab09b027e7f3a0c2e8bb1944ac46de38cebab7145f0bd6effebfe5492c818b6:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 28.4s                                                                    total:  28.2 M (1015.6 KiB/s)                                    
root@k8s-master01:~# nerdctl images
REPOSITORY    TAG       IMAGE ID        CREATED          PLATFORM       SIZE        BLOB SIZE
ubuntu        22.04     67211c14fa74    6 seconds ago    linux/amd64    83.4 MiB    28.2 MiB
<none>        <none>    67211c14fa74    6 seconds ago    linux/amd64    83.4 MiB    28.2 MiB
root@k8s-master01:~# 

  測試:在master節點登入harbor倉庫

root@k8s-master01:~# nerdctl login harbor.ik8s.cc
Enter Username: admin
Enter Password: 
WARN[0005] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-master01:~# 

  測試:在master節點上向harbor上傳映象是否正常呢?

root@k8s-master01:~# nerdctl pull ubuntu:22.04
WARN[0000] skipping verifying HTTPS certs for "docker.io" 
docker.io/library/ubuntu:22.04:                                                   resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:7a57c69fe1e9d5b97c5fe649849e79f2cfc3bf11d10bbd5218b4eb61716aebe6: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:08d22c0ceb150ddeb2237c5fa3129c0183f3cc6f5eeb2e7aa4016da3ad02140a:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:2ab09b027e7f3a0c2e8bb1944ac46de38cebab7145f0bd6effebfe5492c818b6:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 22.3s                                                                    total:  28.2 M (1.3 MiB/s)                                       
root@k8s-master01:~# nerdctl login harbor.ik8s.cc
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-master01:~# nerdctl tag ubuntu:22.04 harbor.ik8s.cc/baseimages/ubuntu:22.04
root@k8s-master01:~# nerdctl push harbor.ik8s.cc/baseimages/ubuntu:22.04
INFO[0000] pushing as a reduced-platform image (application/vnd.oci.image.index.v1+json, sha256:730821bd93846fe61e18dd16cb476ef8d11489bab10a894e8acc7eb0405cc68e) 
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
index-sha256:730821bd93846fe61e18dd16cb476ef8d11489bab10a894e8acc7eb0405cc68e:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:7a57c69fe1e9d5b97c5fe649849e79f2cfc3bf11d10bbd5218b4eb61716aebe6: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:08d22c0ceb150ddeb2237c5fa3129c0183f3cc6f5eeb2e7aa4016da3ad02140a:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 0.5 s                                                                    total:  2.9 Ki (5.9 KiB/s)                                       
root@k8s-master01:~# 

  測試:在node節點上登入harbor,下載剛才上傳的ubuntu:22.04映象,看看是否可以正常下載?

root@k8s-node01:~# nerdctl images
REPOSITORY    TAG    IMAGE ID    CREATED    PLATFORM    SIZE    BLOB SIZE
root@k8s-node01:~# nerdctl login harbor.ik8s.cc
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
WARNING: Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
root@k8s-node01:~# nerdctl pull harbor.ik8s.cc/baseimages/ubuntu:22.04
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
harbor.ik8s.cc/baseimages/ubuntu:22.04:                                           resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:730821bd93846fe61e18dd16cb476ef8d11489bab10a894e8acc7eb0405cc68e:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:7a57c69fe1e9d5b97c5fe649849e79f2cfc3bf11d10bbd5218b4eb61716aebe6: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:08d22c0ceb150ddeb2237c5fa3129c0183f3cc6f5eeb2e7aa4016da3ad02140a:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:2ab09b027e7f3a0c2e8bb1944ac46de38cebab7145f0bd6effebfe5492c818b6:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 4.7 s                                                                    total:  28.2 M (6.0 MiB/s)                                       
root@k8s-node01:~# nerdctl images
REPOSITORY                          TAG       IMAGE ID        CREATED          PLATFORM       SIZE        BLOB SIZE
harbor.ik8s.cc/baseimages/ubuntu    22.04     730821bd9384    5 seconds ago    linux/amd64    83.4 MiB    28.2 MiB
<none>                              <none>    730821bd9384    5 seconds ago    linux/amd64    83.4 MiB    28.2 MiB
root@k8s-node01:~#

  提示:能夠在master或node節點上正常使用nerdctl上傳映象到harbor,從harbor下載映象到本地,說明我們部署的容器執行時containerd就沒有問題了;接下就可以部署k8s master節點;

  部署k8s master節點

root@deploy:/etc/kubeasz# cat roles/kube-master/tasks/main.yml
- name: 下載 kube_master 二進位制
  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
  with_items:
  - kube-apiserver
  - kube-controller-manager
  - kube-scheduler
  - kubectl
  tags: upgrade_k8s

- name: 分發controller/scheduler kubeconfig配置檔案
  copy: src={{ cluster_dir }}/{{ item }} dest=/etc/kubernetes/{{ item }}
  with_items:
  - kube-controller-manager.kubeconfig
  - kube-scheduler.kubeconfig
  tags: force_change_certs 

- name: 建立 kubernetes 證照籤名請求
  template: src=kubernetes-csr.json.j2 dest={{ cluster_dir }}/ssl/kubernetes-csr.json
  tags: change_cert, force_change_certs
  connection: local

- name: 建立 kubernetes 證照和私鑰
  shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
        -ca=ca.pem \
        -ca-key=ca-key.pem \
        -config=ca-config.json \
        -profile=kubernetes kubernetes-csr.json | {{ base_dir }}/bin/cfssljson -bare kubernetes"
  tags: change_cert, force_change_certs
  connection: local

# 建立aggregator proxy相關證照
- name: 建立 aggregator proxy證照籤名請求
  template: src=aggregator-proxy-csr.json.j2 dest={{ cluster_dir }}/ssl/aggregator-proxy-csr.json
  connection: local
  tags: force_change_certs 

- name: 建立 aggregator-proxy證照和私鑰
  shell: "cd {{ cluster_dir }}/ssl && {{ base_dir }}/bin/cfssl gencert \
        -ca=ca.pem \
        -ca-key=ca-key.pem \
        -config=ca-config.json \
        -profile=kubernetes aggregator-proxy-csr.json | {{ base_dir }}/bin/cfssljson -bare aggregator-proxy"
  connection: local
  tags: force_change_certs 

- name: 分發 kubernetes證照
  copy: src={{ cluster_dir }}/ssl/{{ item }} dest={{ ca_dir }}/{{ item }}
  with_items:
  - ca.pem
  - ca-key.pem
  - kubernetes.pem
  - kubernetes-key.pem
  - aggregator-proxy.pem
  - aggregator-proxy-key.pem
  tags: change_cert, force_change_certs

- name: 替換 kubeconfig 的 apiserver 地址
  lineinfile:
    dest: "{{ item }}"
    regexp: "^    server"
    line: "    server: https://127.0.0.1:{{ SECURE_PORT }}"
  with_items:
  - "/etc/kubernetes/kube-controller-manager.kubeconfig"
  - "/etc/kubernetes/kube-scheduler.kubeconfig"
  tags: force_change_certs 

- name: 建立 master 服務的 systemd unit 檔案
  template: src={{ item }}.j2 dest=/etc/systemd/system/{{ item }}
  with_items:
  - kube-apiserver.service
  - kube-controller-manager.service
  - kube-scheduler.service
  tags: restart_master, upgrade_k8s

- name: enable master 服務
  shell: systemctl enable kube-apiserver kube-controller-manager kube-scheduler
  ignore_errors: true

- name: 啟動 master 服務
  shell: "systemctl daemon-reload && systemctl restart kube-apiserver && \
        systemctl restart kube-controller-manager && systemctl restart kube-scheduler"
  tags: upgrade_k8s, restart_master, force_change_certs

# 輪詢等待kube-apiserver啟動完成
- name: 輪詢等待kube-apiserver啟動
  shell: "systemctl is-active kube-apiserver.service"
  register: api_status
  until: '"active" in api_status.stdout'
  retries: 10
  delay: 3
  tags: upgrade_k8s, restart_master, force_change_certs

# 輪詢等待kube-controller-manager啟動完成
- name: 輪詢等待kube-controller-manager啟動
  shell: "systemctl is-active kube-controller-manager.service"
  register: cm_status
  until: '"active" in cm_status.stdout'
  retries: 8
  delay: 3
  tags: upgrade_k8s, restart_master, force_change_certs

# 輪詢等待kube-scheduler啟動完成
- name: 輪詢等待kube-scheduler啟動
  shell: "systemctl is-active kube-scheduler.service"
  register: sch_status
  until: '"active" in sch_status.stdout'
  retries: 8
  delay: 3
  tags: upgrade_k8s, restart_master, force_change_certs

- block:
    - name: 複製kubectl.kubeconfig
      shell: 'cd {{ cluster_dir }} && cp -f kubectl.kubeconfig {{ K8S_NODENAME }}-kubectl.kubeconfig'
      tags: upgrade_k8s, restart_master, force_change_certs

    - name: 替換 kubeconfig 的 apiserver 地址
      lineinfile:
        dest: "{{ cluster_dir }}/{{ K8S_NODENAME }}-kubectl.kubeconfig"
        regexp: "^    server"
        line: "    server: https://{{ inventory_hostname }}:{{ SECURE_PORT }}"
      tags: upgrade_k8s, restart_master, force_change_certs

    - name: 輪詢等待master服務啟動完成
      command: "{{ base_dir }}/bin/kubectl --kubeconfig={{ cluster_dir }}/{{ K8S_NODENAME }}-kubectl.kubeconfig get node"
      register: result
      until:    result.rc == 0
      retries:  5
      delay: 6
      tags: upgrade_k8s, restart_master, force_change_certs

    - name: 獲取user:kubernetes是否已經繫結對應角色
      shell: "{{ base_dir }}/bin/kubectl get clusterrolebindings|grep kubernetes-crb || echo 'notfound'"
      register: crb_info
      run_once: true

    - name: 建立user:kubernetes角色繫結
      command: "{{ base_dir }}/bin/kubectl create clusterrolebinding kubernetes-crb --clusterrole=system:kubelet-api-admin --user=kubernetes"
      run_once: true
      when: "'notfound' in crb_info.stdout"
  connection: local
root@deploy:/etc/kubeasz# 

  提示:上述kubeasz專案,部署master節點的任務,主要做了下載master節點所需的二進位制元件,分發配置檔案,證照金鑰等檔案、service檔案,最後啟動服務;如果我們需要自定義任務,可以修改上述檔案來實現;

  執行部署master節點

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 04

  在部署節點驗證master節點是否可用獲取到node資訊?

root@k8s-deploy:/etc/kubeasz# kubectl get nodes 
NAME           STATUS                     ROLES    AGE    VERSION
192.168.0.31   Ready,SchedulingDisabled   master   2m6s   v1.26.1
192.168.0.32   Ready,SchedulingDisabled   master   2m6s   v1.26.1
root@k8s-deploy:/etc/kubeasz# 

  提示:能夠使用kubectl命令獲取到節點資訊,表示master部署成功;

  部署k8s node節點

root@deploy:/etc/kubeasz# cat roles/kube-node/tasks/main.yml
- name: 建立kube_node 相關目錄
  file: name={{ item }} state=directory
  with_items:
  - /var/lib/kubelet
  - /var/lib/kube-proxy

- name: 下載 kubelet,kube-proxy 二進位制和基礎 cni plugins
  copy: src={{ base_dir }}/bin/{{ item }} dest={{ bin_dir }}/{{ item }} mode=0755
  with_items:
  - kubectl
  - kubelet
  - kube-proxy
  - bridge
  - host-local
  - loopback
  tags: upgrade_k8s

- name: 新增 kubectl 自動補全
  lineinfile:
    dest: ~/.bashrc
    state: present
    regexp: 'kubectl completion'
    line: 'source <(kubectl completion bash) # generated by kubeasz'

##----------kubelet 配置部分--------------
# 建立 kubelet 相關證照及 kubelet.kubeconfig
- import_tasks: create-kubelet-kubeconfig.yml
  tags: force_change_certs

- name: 準備 cni配置檔案
  template: src=cni-default.conf.j2 dest=/etc/cni/net.d/10-default.conf

- name: 建立kubelet的配置檔案
  template: src=kubelet-config.yaml.j2 dest=/var/lib/kubelet/config.yaml
  tags: upgrade_k8s, restart_node

- name: 建立kubelet的systemd unit檔案
  template: src=kubelet.service.j2 dest=/etc/systemd/system/kubelet.service
  tags: upgrade_k8s, restart_node

- name: 開機啟用kubelet 服務
  shell: systemctl enable kubelet
  ignore_errors: true

- name: 開啟kubelet 服務
  shell: systemctl daemon-reload && systemctl restart kubelet
  tags: upgrade_k8s, restart_node, force_change_certs

##-------kube-proxy部分----------------
- name: 分發 kube-proxy.kubeconfig配置檔案
  copy: src={{ cluster_dir }}/kube-proxy.kubeconfig dest=/etc/kubernetes/kube-proxy.kubeconfig
  tags: force_change_certs

- name: 替換 kube-proxy.kubeconfig 的 apiserver 地址
  lineinfile:
    dest: /etc/kubernetes/kube-proxy.kubeconfig
    regexp: "^    server"
    line: "    server: {{ KUBE_APISERVER }}"
  tags: force_change_certs

- name: 建立kube-proxy 配置
  template: src=kube-proxy-config.yaml.j2 dest=/var/lib/kube-proxy/kube-proxy-config.yaml
  tags: reload-kube-proxy, restart_node, upgrade_k8s

- name: 建立kube-proxy 服務檔案
  template: src=kube-proxy.service.j2 dest=/etc/systemd/system/kube-proxy.service
  tags: reload-kube-proxy, restart_node, upgrade_k8s

- name: 開機啟用kube-proxy 服務
  shell: systemctl enable kube-proxy
  ignore_errors: true

- name: 開啟kube-proxy 服務
  shell: systemctl daemon-reload && systemctl restart kube-proxy
  tags: reload-kube-proxy, upgrade_k8s, restart_node, force_change_certs

# 設定k8s_nodename 在/etc/hosts 地址解析
- name: 設定k8s_nodename 在/etc/hosts 地址解析
  lineinfile:
    dest: /etc/hosts
    state: present
    regexp: "{{ K8S_NODENAME }}"
    line: "{{ inventory_hostname }}    {{ K8S_NODENAME }}"
  delegate_to: "{{ item }}"
  with_items: "{{ groups.kube_master }}"
  when: "inventory_hostname != K8S_NODENAME"


# 輪詢等待kube-proxy啟動完成
- name: 輪詢等待kube-proxy啟動
  shell: "systemctl is-active kube-proxy.service"
  register: kubeproxy_status
  until: '"active" in kubeproxy_status.stdout'
  retries: 4
  delay: 2
  tags: reload-kube-proxy, upgrade_k8s, restart_node, force_change_certs

# 輪詢等待kubelet啟動完成
- name: 輪詢等待kubelet啟動
  shell: "systemctl is-active kubelet.service"
  register: kubelet_status
  until: '"active" in kubelet_status.stdout'
  retries: 4
  delay: 2
  tags: reload-kube-proxy, upgrade_k8s, restart_node, force_change_certs

- name: 輪詢等待node達到Ready狀態
  shell: "{{ base_dir }}/bin/kubectl get node {{ K8S_NODENAME }}|awk 'NR>1{print $2}'"
  register: node_status
  until: node_status.stdout == "Ready" or node_status.stdout == "Ready,SchedulingDisabled"
  retries: 8 
  delay: 8
  tags: upgrade_k8s, restart_node, force_change_certs
  connection: local

- block:
  - name: Setting worker role name
    shell: "{{ base_dir }}/bin/kubectl label node {{ K8S_NODENAME }} kubernetes.io/role=node --overwrite"

  - name: Setting master role name
    shell: "{{ base_dir }}/bin/kubectl label node {{ K8S_NODENAME }} kubernetes.io/role=master --overwrite"
    when: "inventory_hostname in groups['kube_master']"

  - name: Making master nodes SchedulingDisabled
    shell: "{{ base_dir }}/bin/kubectl cordon {{ K8S_NODENAME }} "
    when: "inventory_hostname not in groups['kube_node']"
  ignore_errors: true
  connection: local
root@deploy:/etc/kubeasz# 

  提示:上述是部署node節點任務,主要做了分發二進位制檔案,配置檔案,配置kubelet、kubeproxy,啟動服務;

root@deploy:/etc/kubeasz# cat roles/kube-lb/tasks/main.yml 
- name: prepare some dirs
  file: name={{ item }} state=directory
  with_items:
  - "/etc/kube-lb/sbin"
  - "/etc/kube-lb/logs"
  - "/etc/kube-lb/conf"

- name: 下載二進位制檔案kube-lb(nginx)
  copy: src={{ base_dir }}/bin/nginx dest=/etc/kube-lb/sbin/kube-lb mode=0755

- name: 建立kube-lb的配置檔案
  template: src=kube-lb.conf.j2 dest=/etc/kube-lb/conf/kube-lb.conf
  tags: restart_kube-lb

- name: 建立kube-lb的systemd unit檔案
  template: src=kube-lb.service.j2 dest=/etc/systemd/system/kube-lb.service
  tags: restart_kube-lb

- name: 開機啟用kube-lb服務
  shell: systemctl enable kube-lb
  ignore_errors: true

- name: 開啟kube-lb服務
  shell: systemctl daemon-reload && systemctl restart kube-lb
  ignore_errors: true
  tags: restart_kube-lb

- name: 以輪詢的方式等待kube-lb服務啟動
  shell: "systemctl is-active kube-lb.service"
  register: svc_status
  until: '"active" in svc_status.stdout'
  retries: 3
  delay: 3
  tags: restart_kube-lb
root@deploy:/etc/kubeasz# 

  提示:這裡說一下kubeasz部署master和node節點時,都會執行kube-lb這個role;這個role就是一個nginx,主要作用是反向代理master apiserver,即訪問本地127.0.0.1:6443,對應訪問會被反向代理至後端多個master apiserver,即便是在master本地也會代理;這樣做的主要原因是分擔外部負載均衡器的壓力同時實現多master高可用;

  如master上的kube-lb的配置檔案

  執行部署node節點

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 05

  驗證:在部署節點獲取node資訊,看看是否能夠正常獲取到?

root@k8s-deploy:/etc/kubeasz# kubectl get nodes
NAME           STATUS                     ROLES    AGE     VERSION
192.168.0.31   Ready,SchedulingDisabled   master   5m34s   v1.26.1
192.168.0.32   Ready,SchedulingDisabled   master   5m34s   v1.26.1
192.168.0.34   Ready                      node     49s     v1.26.1
192.168.0.35   Ready                      node     49s     v1.26.1
root@k8s-deploy:/etc/kubeasz# 

  提示:能夠透過kubectl獲取到node資訊,就表示對應master和node部署完成,至少master節點和node節點該有的元件都正常工作;至此k8s叢集master節點和node節點的部署就完成了,接下部署calico網路外掛;

  部署網路元件calico

  部署calico元件配置

  提示:我們可以根據自己的環境修改calico部署配置;

  檢視calico所需映象

  驗證部署節點本地映象

root@deploy:/etc/kubeasz# docker images |grep calico
easzlab.io.local:5000/calico/kube-controllers               v3.24.5   38b76de417d5   5 months ago    71.4MB
calico/kube-controllers                                     v3.24.5   38b76de417d5   5 months ago    71.4MB
calico/cni                                                  v3.24.5   628dd7088041   5 months ago    198MB
easzlab.io.local:5000/calico/cni                            v3.24.5   628dd7088041   5 months ago    198MB
calico/node                                                 v3.24.5   54637cb36d4a   5 months ago    226MB
easzlab.io.local:5000/calico/node                           v3.24.5   54637cb36d4a   5 months ago    226MB
root@deploy:/etc/kubeasz# 

  修改calico映象標籤為本地harbor地址

root@deploy:/etc/kubeasz# docker tag calico/kube-controllers:v3.24.5 harbor.ik8s.cc/baseimages/calico-kube-controllers:v3.24.5
root@deploy:/etc/kubeasz# docker tag calico/cni:v3.24.5 harbor.ik8s.cc/baseimages/calico-cni:v3.24.5
root@deploy:/etc/kubeasz# docker tag calico/node:v3.24.5 harbor.ik8s.cc/baseimages/calico-node:v3.24.5
root@deploy:/etc/kubeasz# docker images |grep harbor.ik8s.cc
harbor.ik8s.cc/baseimages/calico-kube-controllers           v3.24.5   38b76de417d5   5 months ago    71.4MB
harbor.ik8s.cc/baseimages/calico-cni                        v3.24.5   628dd7088041   5 months ago    198MB
harbor.ik8s.cc/baseimages/calico-node                       v3.24.5   54637cb36d4a   5 months ago    226MB
harbor.ik8s.cc/baseimages/puase                             3.9       e6f181688397   6 months ago    744kB
root@deploy:/etc/kubeasz# 

  上傳calico所需映象至本地harbor倉庫

root@deploy:/etc/kubeasz# docker images |grep harbor.ik8s.cc                                          
harbor.ik8s.cc/baseimages/calico-kube-controllers           v3.24.5   38b76de417d5   5 months ago    71.4MB
harbor.ik8s.cc/baseimages/calico-cni                        v3.24.5   628dd7088041   5 months ago    198MB
harbor.ik8s.cc/baseimages/calico-node                       v3.24.5   54637cb36d4a   5 months ago    226MB
harbor.ik8s.cc/baseimages/puase                             3.9       e6f181688397   6 months ago    744kB
root@deploy:/etc/kubeasz# docker push harbor.ik8s.cc/baseimages/calico-kube-controllers:v3.24.5
The push refers to repository [harbor.ik8s.cc/baseimages/calico-kube-controllers]
94bdfb9b7124: Pushed 
24a4eecd61fd: Pushed 
09319038a809: Pushed 
f7e577921f19: Pushed 
9cab0912bb98: Pushed 
a52e3f04dc8c: Pushed 
b8bf2f4e1d07: Pushed 
ef82d1e1aaa1: Pushed 
e8c4822d8639: Pushed 
ed550b71315d: Pushed 
3264ea6a9ecb: Pushed 
v3.24.5: digest: sha256:b28b1820f9bce61688482d812be9bbd1a4b44aafcfa8150d0844a756767b0be1 size: 2613
root@deploy:/etc/kubeasz# docker push harbor.ik8s.cc/baseimages/calico-cni:v3.24.5                       
The push refers to repository [harbor.ik8s.cc/baseimages/calico-cni]
5f70bf18a086: Pushed 
b3a0b0d29ccf: Pushed 
a6b1c279d580: Pushed 
67f6c44f5f9e: Pushed 
af18e28a0eb7: Pushed 
aa6df39249bf: Pushed 
f8bda2d7bb4b: Pushed 
7b09b9696e30: Pushed 
deda2ebd5e37: Pushed 
v3.24.5: digest: sha256:6d29e8402585431e5044ebddc70f19fe9c8a12d1f3651b12b7cd55407cbdebca size: 2196
root@deploy:/etc/kubeasz# docker push harbor.ik8s.cc/baseimages/calico-node:v3.24.5
The push refers to repository [harbor.ik8s.cc/baseimages/calico-node]
6ab78488a973: Pushed 
928dad078487: Pushed 
v3.24.5: digest: sha256:5c614b62b13d6a45826ea3ff72022be6aef7637198f8c1c83c2d2d547206a4a0 size: 737
root@deploy:/etc/kubeasz# 

  提示:這樣做的目的可以有效提高去外網下載calico映象的時間;

  驗證:在harborweb頁面檢視對應映象是否上傳至harbor倉庫?

  修改配置yaml檔案中的映象地址為本地harbor倉庫地址

root@deploy:/etc/kubeasz# grep "image:" roles/calico/templates/calico-v3.24.yaml.j2
          image: harbor.ik8s.cc/baseimages/calico-cni:v3.24.5
          image: harbor.ik8s.cc/baseimages/calico-node:v3.24.5
          image: harbor.ik8s.cc/baseimages/calico-node:v3.24.5
          image: harbor.ik8s.cc/baseimages/calico-kube-controllers:v3.24.5
root@deploy:/etc/kubeasz# 

  執行部署calico網路外掛

root@deploy:/etc/kubeasz# ./ezctl setup k8s-cluster01 06

  驗證:calico pod是否正常執行?

root@k8s-deploy:/etc/kubeasz# kubectl get pods -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS   AGE
kube-system   calico-kube-controllers-5456dd947c-pwl2n   1/1     Running   0          80s
kube-system   calico-node-79gvr                          1/1     Running   0          80s
kube-system   calico-node-rvbj5                          1/1     Running   0          80s
kube-system   calico-node-x2dvv                          1/1     Running   0          80s
kube-system   calico-node-xc9sg                          1/1     Running   0          80s
root@k8s-deploy:/etc/kubeasz# 

  master上驗證calico

root@k8s-master01:~# calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+--------------+-------------------+-------+----------+-------------+
| 192.168.0.32 | node-to-node mesh | up    | 14:25:35 | Established |
| 192.168.0.34 | node-to-node mesh | up    | 14:25:35 | Established |
| 192.168.0.35 | node-to-node mesh | up    | 14:25:34 | Established |
+--------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

root@k8s-master01:~# 

  node節點上驗證calico

root@k8s-node02:~# calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+--------------+-------------------+-------+----------+-------------+
| 192.168.0.31 | node-to-node mesh | up    | 14:25:33 | Established |
| 192.168.0.32 | node-to-node mesh | up    | 14:25:33 | Established |
| 192.168.0.34 | node-to-node mesh | up    | 14:25:33 | Established |
+--------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

root@k8s-node02:~# 

  提示:能夠在master節點和node節點透過calicoctl 命令查詢到其他節點資訊,說明calico外掛就部署好了;

  驗證pod通訊

  複製部署節點上/root/.kube/config檔案至master節點

root@k8s-deploy:/etc/kubeasz# scp /root/.kube/config 192.168.0.31:/root/.kube/
config                                                                                                               100% 6196     3.8MB/s   00:00    
root@k8s-deploy:/etc/kubeasz# 

  提示:這一步不是必須的,如果你要在master節點使用kubectl命令來管理叢集,就把配置檔案複製過去;

  修改/root/.kube/config檔案中apiserver地址為外部負載均衡地址

  測試kubectl命令是否正常可用?

  提示:如果能夠正常執行kubectl命令,說明外部負載均衡器沒有問題;

  建立測試pod

root@k8s-master01:~# kubectl run test --image=alpine sleep 36000
pod/test created
root@k8s-master01:~# kubectl run test1 --image=alpine sleep 36000 
pod/test1 created
root@k8s-master01:~# kubectl run test2 --image=alpine sleep 36000 
pod/test2 created
root@k8s-master01:~#

  檢視pod IP網路地址

root@k8s-master01:~# kubectl  get pods -o wide
NAME    READY   STATUS    RESTARTS   AGE   IP               NODE           NOMINATED NODE   READINESS GATES
test    1/1     Running   0          63s   10.200.209.1     192.168.0.35   <none>           <none>
test1   1/1     Running   0          58s   10.200.209.2     192.168.0.35   <none>           <none>
test2   1/1     Running   0          47s   10.200.211.129   192.168.0.34   <none>           <none>
root@k8s-master01:~# 

  進入任意測試pod,ping其他兩個pod,看看是否能夠正常ping通?是否可以正常訪問網際網路?

  提示:可以看到pod和pod之間可以正常跨主機通訊,也可以正常訪問到外網,這裡需要注意,現在叢集還沒有部署coredns,所以這裡直接ping www.baidu.com是無法正常解析的;

  叢集節點伸縮管理

  新增node節點

root@k8s-deploy:/etc/kubeasz# ./ezctl add-node k8s-cluster01 192.168.0.36

  提示:刪除node節點使用 ezctl del-node k8s-cluster01 <ip>;

  驗證節點資訊

root@k8s-deploy:/etc/kubeasz# kubectl get node
NAME           STATUS                     ROLES    AGE   VERSION
192.168.0.31   Ready,SchedulingDisabled   master   26m   v1.26.1
192.168.0.32   Ready,SchedulingDisabled   master   26m   v1.26.1
192.168.0.34   Ready                      node     21m   v1.26.1
192.168.0.35   Ready                      node     21m   v1.26.1
192.168.0.36   Ready                      node     63s   v1.26.1
root@k8s-deploy:/etc/kubeasz# 

  新增master節點

root@deploy:/etc/kubeasz# ./ezctl add-master k8s-cluster01 192.168.0.33

  提示:刪除master節點使用 ezctl del-master k8s-cluster01 <ip>;

  驗證節點資訊

root@k8s-deploy:/etc/kubeasz# kubectl get node
NAME           STATUS                     ROLES    AGE     VERSION
192.168.0.31   Ready,SchedulingDisabled   master   31m     v1.26.1
192.168.0.32   Ready,SchedulingDisabled   master   31m     v1.26.1
192.168.0.33   Ready,SchedulingDisabled   master   107s    v1.26.1
192.168.0.34   Ready                      node     26m     v1.26.1
192.168.0.35   Ready                      node     26m     v1.26.1
192.168.0.36   Ready                      node     6m25s   v1.26.1
root@k8s-deploy:/etc/kubeasz# 

  驗證calico狀態

root@k8s-master03:~# calicoctl node status
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+--------------+-------------------+-------+----------+-------------+
| 192.168.0.31 | node-to-node mesh | up    | 14:42:50 | Established |
| 192.168.0.32 | node-to-node mesh | up    | 14:42:02 | Established |
| 192.168.0.34 | node-to-node mesh | up    | 14:43:01 | Established |
| 192.168.0.35 | node-to-node mesh | up    | 14:42:19 | Established |
| 192.168.0.36 | node-to-node mesh | up    | 14:42:30 | Established |
+--------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

root@k8s-master03:~# 

  驗證node節點路由

root@k8s-master03:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 ens160
10.200.62.128   192.168.0.32    255.255.255.192 UG    0      0        0 tunl0
10.200.98.192   0.0.0.0         255.255.255.192 U     0      0        0 *
10.200.124.128  192.168.0.31    255.255.255.192 UG    0      0        0 tunl0
10.200.155.128  192.168.0.36    255.255.255.192 UG    0      0        0 tunl0
10.200.209.0    192.168.0.35    255.255.255.192 UG    0      0        0 tunl0
10.200.211.128  192.168.0.34    255.255.255.192 UG    0      0        0 tunl0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ens160
root@k8s-master03:~# 

  升級叢集(建議跨小本號升級,如果跨大版本號升級請充分測試沒有問題再升級)

  升級前需提前下載好用於更新的master 元件二進位制、node節點元件二進位制以及客戶端二進位制

  複製二進位制檔案至/etc/kubeasz/bin/

root@deploy:/usr/local/src# ls kubernetes/server/bin/
apiextensions-apiserver    kube-controller-manager             kube-proxy.docker_tag      kubeadm
kube-aggregator            kube-controller-manager.docker_tag  kube-proxy.tar             kubectl
kube-apiserver             kube-controller-manager.tar         kube-scheduler             kubectl-convert
kube-apiserver.docker_tag  kube-log-runner                     kube-scheduler.docker_tag  kubelet
kube-apiserver.tar         kube-proxy                          kube-scheduler.tar         mounter
root@deploy:/usr/local/src# cd kubernetes/server/bin/
root@deploy:/usr/local/src/kubernetes/server/bin# \cp kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy kubectl /etc/kubeasz/bin/
root@deploy:/usr/local/src/kubernetes/server/bin# ls /etc/kubeasz/bin/
bridge          chronyd                  ctr             dockerd     hubble                   kube-scheduler  portmap
calicoctl       cilium                   docker          etcd        keepalived               kubectl         runc
cfssl           containerd               docker-compose  etcdctl     kube-apiserver           kubelet         tuning
cfssl-certinfo  containerd-bin           docker-init     helm        kube-controller-manager  loopback
cfssljson       containerd-shim-runc-v2  docker-proxy    host-local  kube-proxy               nginx
root@deploy:/usr/local/src/kubernetes/server/bin# 

  驗證/etc/kubeasz/bin/各元件是否是我們想要升級版本

root@deploy:/usr/local/src/kubernetes/server/bin# cd /etc/kubeasz/bin/
root@deploy:/etc/kubeasz/bin# ls
bridge          chronyd                  ctr             dockerd     hubble                   kube-scheduler  portmap
calicoctl       cilium                   docker          etcd        keepalived               kubectl         runc
cfssl           containerd               docker-compose  etcdctl     kube-apiserver           kubelet         tuning
cfssl-certinfo  containerd-bin           docker-init     helm        kube-controller-manager  loopback
cfssljson       containerd-shim-runc-v2  docker-proxy    host-local  kube-proxy               nginx
root@deploy:/etc/kubeasz/bin# ./kube-apiserver --version
Kubernetes v1.26.4
root@deploy:/etc/kubeasz/bin# ./kube-controller-manager --version
Kubernetes v1.26.4
root@deploy:/etc/kubeasz/bin# ./kube-scheduler --version         
Kubernetes v1.26.4
root@deploy:/etc/kubeasz/bin# 

  執行升級叢集操作

root@deploy:/etc/kubeasz# ./ezctl upgrade k8s-cluster01

  驗證節點版本資訊

root@k8s-deploy:/etc/kubeasz# kubectl get nodes
NAME           STATUS                     ROLES    AGE   VERSION
192.168.0.31   Ready,SchedulingDisabled   master   46m   v1.26.4
192.168.0.32   Ready,SchedulingDisabled   master   46m   v1.26.4
192.168.0.33   Ready,SchedulingDisabled   master   16m   v1.26.4
192.168.0.34   Ready                      node     41m   v1.26.4
192.168.0.35   Ready                      node     41m   v1.26.4
192.168.0.36   Ready                      node     21m   v1.26.4
root@k8s-deploy:/etc/kubeasz# 

  提示:上面我們使用的是kubeasz來更行k8s叢集master和node;我們也可以手動更新;

  手動更新

  方法1:將⼆進位制⽂件同步到其它路徑,修改service⽂件載入新版本⼆進位制,即⽤新版本替換舊版本;

  方法2:關閉源服務、替換⼆進位制⽂件然後啟動服務,即直接替換舊版本;

  將coredns及dashboard部署至kubernetes叢集

  部署k8s內部域名解析服務coredns

root@deploy:~# cat coredns-v1.9.4.yaml 
# __MACHINE_GENERATED_WARNING__

apiVersion: v1
kind: ServiceAccount
metadata:
  name: coredns
  namespace: kube-system
  labels:
      kubernetes.io/cluster-service: "true"
      addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: Reconcile
  name: system:coredns
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  - services
  - pods
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    addonmanager.kubernetes.io/mode: EnsureExists
  name: system:coredns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:coredns
subjects:
- kind: ServiceAccount
  name: coredns
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
  labels:
      addonmanager.kubernetes.io/mode: EnsureExists
data:
  Corefile: |
    .:53 {
        errors
        health {
            lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
            pods insecure
            fallthrough in-addr.arpa ip6.arpa
            ttl 30
        }
        prometheus :9153
        #forward . /etc/resolv.conf {
        forward . 223.6.6.6 {
            max_concurrent 1000
        }
        cache 600
        loop
        reload
        loadbalance
    }
        myserver.online {
          forward . 172.16.16.16:53
        }

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coredns
  namespace: kube-system
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "CoreDNS"
spec:
  # replicas: not specified here:
  # 1. In order to make Addon Manager do not reconcile this replicas parameter.
  # 2. Default is 1.
  # 3. Will be tuned in real time if DNS horizontal auto-scaling is turned on.
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  selector:
    matchLabels:
      k8s-app: kube-dns
  template:
    metadata:
      labels:
        k8s-app: kube-dns
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      priorityClassName: system-cluster-critical
      serviceAccountName: coredns
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                  - key: k8s-app
                    operator: In
                    values: ["kube-dns"]
              topologyKey: kubernetes.io/hostname
      tolerations:
        - key: "CriticalAddonsOnly"
          operator: "Exists"
      nodeSelector:
        kubernetes.io/os: linux
      containers:
      - name: coredns
        image: coredns/coredns:1.9.4 
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            memory: 256Mi 
            cpu: 200m
          requests:
            cpu: 100m
            memory: 70Mi
        args: [ "-conf", "/etc/coredns/Corefile" ]
        volumeMounts:
        - name: config-volume
          mountPath: /etc/coredns
          readOnly: true
        ports:
        - containerPort: 53
          name: dns
          protocol: UDP
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 9153
          name: metrics
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 60
          timeoutSeconds: 5
          successThreshold: 1
          failureThreshold: 5
        readinessProbe:
          httpGet:
            path: /ready
            port: 8181
            scheme: HTTP
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - all
          readOnlyRootFilesystem: true
      dnsPolicy: Default
      volumes:
        - name: config-volume
          configMap:
            name: coredns
            items:
            - key: Corefile
              path: Corefile
---
apiVersion: v1
kind: Service
metadata:
  name: kube-dns
  namespace: kube-system
  annotations:
    prometheus.io/port: "9153"
    prometheus.io/scrape: "true"
  labels:
    k8s-app: kube-dns
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "CoreDNS"
spec:
  selector:
    k8s-app: kube-dns
  clusterIP: 10.100.0.2
  ports:
  - name: dns
    port: 53
    protocol: UDP
  - name: dns-tcp
    port: 53
    protocol: TCP
  - name: metrics
    port: 9153
    protocol: TCP
root@deploy:~# 

  檢視coredns 所需映象

root@deploy:~# cat coredns-v1.9.4.yaml|grep image:
        image: coredns/coredns:1.9.4 
root@deploy:~# 

  部署節點下載映象,修改標籤,上傳至harbor倉庫

root@deploy:~# docker pull coredns/coredns:1.9.4 
1.9.4: Pulling from coredns/coredns
c6824c7a0594: Pull complete 
8f16f0bc6a9b: Pull complete 
Digest: sha256:b82e294de6be763f73ae71266c8f5466e7e03c69f3a1de96efd570284d35bb18
Status: Downloaded newer image for coredns/coredns:1.9.4
docker.io/coredns/coredns:1.9.4
root@deploy:~# docker tag coredns/coredns:1.9.4 harbor.ik8s.cc/baseimages/coredns:1.9.4
root@deploy:~# docker push harbor.ik8s.cc/baseimages/coredns:1.9.4
The push refers to repository [harbor.ik8s.cc/baseimages/coredns]
4669672e3ff4: Pushed 
b928104c6a1d: Pushed 
1.9.4: digest: sha256:490711c06f083f563700f181b52529dab526ef36fdac7401f11c04eb1adfe4fd size: 739
root@deploy:~# 

  修改部署清單映象地址為harbor倉庫地址

root@deploy:~# cat coredns-v1.9.4.yaml|grep image:                                     
        image: harbor.ik8s.cc/baseimages/coredns:1.9.4
root@deploy:~# 

  應用coredns部署清單

root@deploy:~# kubectl apply -f coredns-v1.9.4.yaml 
serviceaccount/coredns created
clusterrole.rbac.authorization.k8s.io/system:coredns created
clusterrolebinding.rbac.authorization.k8s.io/system:coredns created
configmap/coredns created
deployment.apps/coredns created
service/kube-dns created
root@deploy:~#

  驗證coredns pods是否正常執行?

root@k8s-deploy:~# kubectl get pods  -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS        AGE
default       test                                       1/1     Running   0               31m
default       test1                                      1/1     Running   0               31m
default       test2                                      1/1     Running   0               31m
kube-system   calico-kube-controllers-5456dd947c-pwl2n   1/1     Running   1 (6m14s ago)   36m
kube-system   calico-node-4zmb4                          1/1     Running   0               20m
kube-system   calico-node-7lc66                          1/1     Running   0               19m
kube-system   calico-node-bkhkd                          1/1     Running   0               19m
kube-system   calico-node-mw49k                          1/1     Running   0               18m
kube-system   calico-node-v726r                          1/1     Running   0               20m
kube-system   calico-node-x9r7h                          1/1     Running   0               19m
kube-system   coredns-77879dc67d-cfzfj                   1/1     Running   0               13s
kube-system   coredns-77879dc67d-d7hgw                   1/1     Running   0               13s
root@k8s-deploy:~# 

  驗證:建立測試pod,看看對應pod是否可用正常解析域名?

root@k8s-deploy:~# kubectl get pods  -A
NAMESPACE     NAME                                       READY   STATUS    RESTARTS        AGE
default       test                                       1/1     Running   0               31m
default       test1                                      1/1     Running   0               31m
default       test2                                      1/1     Running   0               31m
kube-system   calico-kube-controllers-5456dd947c-pwl2n   1/1     Running   1 (6m49s ago)   37m
kube-system   calico-node-4zmb4                          1/1     Running   0               20m
kube-system   calico-node-7lc66                          1/1     Running   0               19m
kube-system   calico-node-bkhkd                          1/1     Running   0               20m
kube-system   calico-node-mw49k                          1/1     Running   0               19m
kube-system   calico-node-v726r                          1/1     Running   0               20m
kube-system   calico-node-x9r7h                          1/1     Running   0               20m
kube-system   coredns-77879dc67d-cfzfj                   1/1     Running   0               48s
kube-system   coredns-77879dc67d-d7hgw                   1/1     Running   0               48s
root@k8s-deploy:~# kubectl exec -it test -- sh
/ # cat /etc/resolv.conf 
search default.svc.cluster.local svc.cluster.local cluster.local
nameserver 10.100.0.2
options ndots:5
/ # ping www.baidu.com
PING www.baidu.com (14.119.104.254): 56 data bytes
64 bytes from 14.119.104.254: seq=0 ttl=53 time=45.400 ms
^C
--- www.baidu.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 45.400/45.400/45.400 ms
/ # exit
root@k8s-deploy:~# kubectl get svc -A
NAMESPACE     NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE
default       kubernetes   ClusterIP   10.100.0.1   <none>        443/TCP                  52m
kube-system   kube-dns     ClusterIP   10.100.0.2   <none>        53/UDP,53/TCP,9153/TCP   81s
root@k8s-deploy:~# 

  提示:可用看到部署coredns以後,現在容器裡就可以正常解析域名;

  部署官方dashboard

  下載官方dashboard部署清單

root@k8s-master01:~# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.7.0/aio/deploy/recommended.yaml

  檢視清單所需映象

root@k8s-master01:~# mv recommended.yaml dashboard-v2.7.0.yaml
root@k8s-master01:~# cat dashboard-v2.7.0.yaml|grep image:
          image: kubernetesui/dashboard:v2.7.0
          image: kubernetesui/metrics-scraper:v1.0.8
root@k8s-master01:~#

  下載所需映象,重新打上本地harbor倉庫地址的標籤並上傳至本地harbor倉庫

root@k8s-master01:~# nerdctl pull kubernetesui/dashboard:v2.7.0
WARN[0000] skipping verifying HTTPS certs for "docker.io" 
docker.io/kubernetesui/dashboard:v2.7.0:                                          resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:2e500d29e9d5f4a086b908eb8dfe7ecac57d2ab09d65b24f588b1d449841ef93:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:ca93706ef4e400542202d620b8094a7e4e568ca9b1869c71b053cdf8b5dc3029: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:07655ddf2eebe5d250f7a72c25f638b27126805d61779741b4e62e69ba080558:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:8e052fd7e2d0aec4ef51e4505d006158414775ad5f0ea3e479ac0ba92f90dfff:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:ee3247c7e545df975ba3826979c7a8d73f1373cbb3ac47def3b734631cef2965:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 41.6s                                                                    total:  72.3 M (1.7 MiB/s)                                       
root@k8s-master01:~# nerdctl pull kubernetesui/metrics-scraper:v1.0.8
WARN[0000] skipping verifying HTTPS certs for "docker.io" 
docker.io/kubernetesui/metrics-scraper:v1.0.8:                                    resolved       |++++++++++++++++++++++++++++++++++++++| 
index-sha256:76049887f07a0476dc93efc2d3569b9529bf982b22d29f356092ce206e98765c:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:43227e8286fd379ee0415a5e2156a9439c4056807e3caa38e1dd413b0644807a: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:115053965e86b2df4d78af78d7951b8644839d20a03820c6df59a261103315f7:   done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:5866d2c04d960790300cbd8b18d67be6b930870d044dd75849c8c96191fe7580:    done           |++++++++++++++++++++++++++++++++++++++| 
layer-sha256:978be80e3ee3098e11be2b18322822513d692988440ec1e74620e8539b07704d:    done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 21.3s                                                                    total:  18.8 M (905.2 KiB/s)                                     
root@k8s-master01:~# nerdctl images 
REPOSITORY                               TAG        IMAGE ID        CREATED              PLATFORM       SIZE         BLOB SIZE
kubernetesui/dashboard                   v2.7.0     2e500d29e9d5    44 seconds ago       linux/amd64    245.8 MiB    72.3 MiB
kubernetesui/metrics-scraper             v1.0.8     76049887f07a    8 seconds ago        linux/amd64    41.8 MiB     18.8 MiB
ubuntu                                   22.04      67211c14fa74    2 hours ago          linux/amd64    83.4 MiB     28.2 MiB
harbor.ik8s.cc/baseimages/calico-cni     v3.24.5    6d29e8402585    About an hour ago    linux/amd64    188.5 MiB    83.4 MiB
harbor.ik8s.cc/baseimages/calico-cni     <none>     6d29e8402585    About an hour ago    linux/amd64    188.5 MiB    83.4 MiB
harbor.ik8s.cc/baseimages/calico-node    v3.24.5    5c614b62b13d    About an hour ago    linux/amd64    224.4 MiB    77.8 MiB
harbor.ik8s.cc/baseimages/calico-node    <none>     5c614b62b13d    About an hour ago    linux/amd64    224.4 MiB    77.8 MiB
harbor.ik8s.cc/baseimages/pause          3.9        0fc1f3b764be    About an hour ago    linux/amd64    732.0 KiB    311.6 KiB
harbor.ik8s.cc/baseimages/pause          <none>     0fc1f3b764be    About an hour ago    linux/amd64    732.0 KiB    311.6 KiB
harbor.ik8s.cc/baseimages/ubuntu         22.04      67211c14fa74    2 hours ago          linux/amd64    83.4 MiB     28.2 MiB
<none>                                   <none>     2e500d29e9d5    45 seconds ago       linux/amd64    245.8 MiB    72.3 MiB
<none>                                   <none>     67211c14fa74    2 hours ago          linux/amd64    83.4 MiB     28.2 MiB
<none>                                   <none>     76049887f07a    9 seconds ago        linux/amd64    41.8 MiB     18.8 MiB
<none>                                   <none>     5c614b62b13d    About an hour ago    linux/amd64    224.4 MiB    77.8 MiB
<none>                                   <none>     6d29e8402585    About an hour ago    linux/amd64    188.5 MiB    83.4 MiB
<none>                                   <none>     0fc1f3b764be    About an hour ago    linux/amd64    732.0 KiB    311.6 KiB
root@k8s-master01:~# nerdctl tag kubernetesui/dashboard:v2.7.0 harbor.ik8s.cc/baseimages/dashboard:v2.7.0
root@k8s-master01:~# nerdctl tag kubernetesui/metrics-scraper:v1.0.8 harbor.ik8s.cc/baseimages/metrics-scraper:v1.0.8
root@k8s-master01:~# nerdctl push harbor.ik8s.cc/baseimages/dashboard:v2.7.0
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.list.v2+json, sha256:e7b964bcdfcc9dee6b286e58a5ad2d599e837996e8975f7deb96f3707f06ede1) 
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
index-sha256:e7b964bcdfcc9dee6b286e58a5ad2d599e837996e8975f7deb96f3707f06ede1:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:ca93706ef4e400542202d620b8094a7e4e568ca9b1869c71b053cdf8b5dc3029: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:07655ddf2eebe5d250f7a72c25f638b27126805d61779741b4e62e69ba080558:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.8 s                                                                    total:  2.5 Ki (1.4 KiB/s)                                       
root@k8s-master01:~# nerdctl push harbor.ik8s.cc/baseimages/metrics-scraper:v1.0.8
INFO[0000] pushing as a reduced-platform image (application/vnd.docker.distribution.manifest.list.v2+json, sha256:9fdef455b4f9a8ee315a0aa3bd71787cfd929e759da3b4d7e65aaa56510d747b) 
WARN[0000] skipping verifying HTTPS certs for "harbor.ik8s.cc" 
index-sha256:9fdef455b4f9a8ee315a0aa3bd71787cfd929e759da3b4d7e65aaa56510d747b:    done           |++++++++++++++++++++++++++++++++++++++| 
manifest-sha256:43227e8286fd379ee0415a5e2156a9439c4056807e3caa38e1dd413b0644807a: done           |++++++++++++++++++++++++++++++++++++++| 
config-sha256:115053965e86b2df4d78af78d7951b8644839d20a03820c6df59a261103315f7:   done           |++++++++++++++++++++++++++++++++++++++| 
elapsed: 1.2 s                                                                    total:  2.2 Ki (1.8 KiB/s)                                       
root@k8s-master01:~# 

  修改部署檔案中映象地址為harbor倉庫對應映象地址

root@k8s-master01:~# grep  "image:" dashboard-v2.7.0.yaml 
          image: harbor.ik8s.cc/baseimages/dashboard:v2.7.0
          image: harbor.ik8s.cc/baseimages/metrics-scraper:v1.0.8
root@k8s-master01:~# 

  應用dashboard部署清單

root@k8s-master01:~# kubectl apply -f dashboard-v2.7.0.yaml
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrole.rbac.authorization.k8s.io/kubernetes-dashboard created
rolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
clusterrolebinding.rbac.authorization.k8s.io/kubernetes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
root@k8s-master01:~# 

  驗證:檢視pods是否正常執行?

  檢視dashboard 服務地址

  建立admin使用者和secret金鑰

root@k8s-master01:~# cat admin-user.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
root@k8s-master01:~# cat admin-secret.yaml 
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: dashboard-admin-user
  namespace: kubernetes-dashboard 
  annotations:
    kubernetes.io/service-account.name: "admin-user"
root@k8s-master01:~# kubectl apply -f admin-user.yaml -f admin-secret.yaml
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin-user created
secret/dashboard-admin-user created
root@k8s-master01:~# 

  獲取token

root@k8s-master01:~# kubectl get secret -A | grep admin
kubernetes-dashboard   dashboard-admin-user              kubernetes.io/service-account-token   3      40s
root@k8s-master01:~# kubectl describe secret -n kubernetes-dashboard   dashboard-admin-user
Name:         dashboard-admin-user
Namespace:    kubernetes-dashboard
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: admin-user
              kubernetes.io/service-account.uid: a82489da-be4e-4b7e-a027-4df357a266a7

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1310 bytes
namespace:  20 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6InZEWHEzTmlLLXQ1bmxkTzloVEtUSWFhWkxMUUFsQ1RGWWVmRktPS1BnbncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTgyNDg5ZGEtYmU0ZS00YjdlLWEwMjctNGRmMzU3YTI2NmE3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmFkbWluLXVzZXIifQ.c67v-mp1UGxI4Uw05xB0do2rh6gTZ7SFcyUHlzjABB4POr1FIKIp_KQd4ejIq4N1mDSke2TpF8FlmKbOZESZICghVtPcn3ajbZMPAJ9zjscM31W6xazLfc5jgg224kHAziRVOyZdWThC2VPK12-36p1RpCaLi3Mk_gs96U9xsZXYQ6BbfOLP6uTE98oi4ghQW02TqU9qGUEdrTqJJKqpxZJk2Rq_5anxidcq6omXYIsgOOwNMboVembo4CPlRocj1YIyPPEaANBdAsg5Xv99Vv1QaaRmDOeMst_aX-csiULyZUK4FIjSZB_TLRQyii_ZFnnVLmVQ5TCeRGTWSxDi8w
root@k8s-master01:~# 

  登入dashboard

  設定token登入保持時間

  再次應用部署清單

root@k8s-master01:~# kubectl apply -f dashboard-v2.7.0.yaml

  基於Kubeconfig⽂件登入

  製作Kubeconfig⽂件

root@k8s-master01:~# cp /root/.kube/config /opt/kubeconfig
root@k8s-master01:~# vim /opt/kubeconfig

  提示:在kubeconfig檔案中加上token資訊即可;如下

root@k8s-master01:~# cat /opt/kubeconfig
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURtakNDQW9LZ0F3SUJBZ0lVTW01blNKSUtCdGNmeXY3MVlZZy91QlBsT3JZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pERUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0VoaGJtZGFhRzkxTVFzd0NRWURWUVFIRXdKWQpVekVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEZqQVVCZ05WQkFNVERXdDFZbVZ5CmJtVjBaWE10WTJFd0lCY05Nak13TkRJeU1UTXpNekF3V2hnUE1qRXlNekF6TWpreE16TXpNREJhTUdReEN6QUoKQmdOVkJBWVRBa05PTVJFd0R3WURWUVFJRXdoSVlXNW5XbWh2ZFRFTE1Ba0dBMVVFQnhNQ1dGTXhEREFLQmdOVgpCQW9UQTJzNGN6RVBNQTBHQTFVRUN4TUdVM2x6ZEdWdE1SWXdGQVlEVlFRREV3MXJkV0psY201bGRHVnpMV05oCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBcTRmdWtncjl2ditQWVVtQmZnWjUKTVJIOTZRekErMVgvZG5hUlpzN1lPZjZMaEZ5ZWJxUTFlM3k2bmN3Tk90WUkyemJ3SVJKL0c3YTNsTSt0Qk5sTQpwdE5Db1lxalF4WVY2YkpOcGNIRFJldTY0Z1BYcHhHY1FNZGE2Q1VhVTBrNENMZ0I2ZGx1OE8rUTdaL1dNeWhTClZQMWp5dEpnK1I4UGZRUWVzdnlTanBzaUM4cmdUQjc2VWU0ZXJqaEFwb2JSbzRILzN2cGhVUXRLNTBQSWVVNlgKTnpuTVNONmdLMXRqSjZPSStlVkE1dWdTTnFOc3FVSXFHWmhmZXZSeFBhNzVBbDhrbmRxc3cyTm5WSFFOZmpGUApZR3lNOFlncllUWm9sa2RGYk9Wb2g0U3pncTFnclc0dzBpMnpySVlJTzAzNTBEODh4RFRGRTBka3FPSlRVb0JyCmtRSURBUUFCbzBJd1FEQU9CZ05WSFE4QkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlYKSFE0RUZnUVU5SjZoekJaOTNZMklac1ZYYUYwZk1uZ0crS1V3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUZLNwpjZ3l3UnI4aWt4NmpWMUYwVUNJRGxEN0FPQ3dTcE1Odithd1Zyd2k4Mk5xL3hpL2RjaGU1TjhJUkFEUkRQTHJUClRRS2M4M2FURXM1dnpKczd5Nnl6WHhEbUZocGxrY3NoenVhQkdFSkhpbGpuSHJ0Z09tL1ZQck5QK3hhWXdUNHYKZFNOdEIrczgxNGh6OWhaSitmTHRMb1RBS2tMUjVMRjkyQjF2c0JsVnlkaUhLSnF6MCtORkdJMzdiY1pvc0cxdwpwbVpROHgyWUFxWHE2VFlUQnoxLzR6UGlSM3FMQmxtRkNMZVJCa1RJb2VhUkFxU2ZkeDRiVlhGeTlpQ1lnTHU4CjVrcmQzMEdmZU5pRUpZVWJtZzNxcHNVSUlQTmUvUDdHNU0raS9GSlpDcFBOQ3Y4aS9MQ0Z2cVhPbThvYmdYYm8KeDNsZWpWVlZ6eG9yNEtOd3pUZz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://192.168.0.111:6443
  name: cluster1
contexts:
- context:
    cluster: cluster1
    user: admin
  name: context-cluster1
current-context: context-cluster1
kind: Config
preferences: {}
users:
- name: admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQyakNDQXNLZ0F3SUJBZ0lVZitYb1hxbjBXV2xndlZiY2xwZEp5M0tGUlRVd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1pERUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0VoaGJtZGFhRzkxTVFzd0NRWURWUVFIRXdKWQpVekVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEZqQVVCZ05WQkFNVERXdDFZbVZ5CmJtVjBaWE10WTJFd0lCY05Nak13TkRJeU1UTXpNekF3V2hnUE1qQTNNekEwTURreE16TXpNREJhTUdjeEN6QUoKQmdOVkJBWVRBa05PTVJFd0R3WURWUVFJRXdoSVlXNW5XbWh2ZFRFTE1Ba0dBMVVFQnhNQ1dGTXhGekFWQmdOVgpCQW9URG5ONWMzUmxiVHB0WVhOMFpYSnpNUTh3RFFZRFZRUUxFd1pUZVhOMFpXMHhEakFNQmdOVkJBTVRCV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXBZcGJLVGNQSHlMK241bFoKb1lqSlZhNlIvd0laOXR0N0xLdTMwN0k0TmlkUThlenhhbXN5bG5hTzRJc0NHNmJMb05LWEFZRVVSWHhGT0V2VgpYbkYwUHMzL1J2ckROS05QY0FEUTJaUkRvdlRhMWlON2hyeEkwNUc4L3Q0TWNST0NEdGFPaEd5dGowWEFnV2NuCnVGaEVCVnp4RWFFbytvWGdFR29ZRjZ3Zzh0ZUE4V3FmOUsza0dVbnFEZkRzTHpWeHc2UUZxWkw1d1FVc1JCd1AKYmovZUdSZFNBbTFDOFRZRGwyUXBHVVpSYUR0WjI3MHNET0pmcEFKRk5XOXFyUlJEVmtQOXZ3WDY5MjAzUitjRwphMmN5ZW1uNThaNk1iV0lkK3dVWVgreW5ybWNYcURaWThaM3YxdnVnNThYUTBBcUhkMzRkemNRUWVaczNOdmQyClpSeExwUUlEQVFBQm8zOHdmVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdIUVlEVlIwbEJCWXdGQVlJS3dZQkJRVUgKQXdFR0NDc0dBUVVGQndNQ01Bd0dBMVVkRXdFQi93UUNNQUF3SFFZRFZSME9CQllFRlBPeHFwZHdzUWFwbHpxdQo4b2lWUmF2YndjOC9NQjhHQTFVZEl3UVlNQmFBRlBTZW9jd1dmZDJOaUdiRlYyaGRIeko0QnZpbE1BMEdDU3FHClNJYjNEUUVCQ3dVQUE0SUJBUUFwU0U1ZUdUakFGMWtueEhITzNGL0xaNWpvNUJhZ1I5Vjd6a2JOd0xwcHdPUXcKQW0wRUs2WGpKR29YeURkRyt1UUUvRHo4dEcxNy9YYW5MZkF2S3JGc3A5L1lyc0R0YklCVWNRcXcveTVoeHVXYQpSY3NPdFFVMEpoOWlYemYwSmZKR3VxM1k2dTROUEIvdTJ0K250OHN5dGZUVDlKYWFsb1c2ZUV5UWNUNzBTcUNPCjJaL3VaU2UxTVNHZmJ3VC92QmVjaWZ3WVErMTdHc1hseWZwdDA5cWJ1Zlljb3ZLUE01N1JIVnVCTzBVeTNHTy8KMnVHOUhCMWFhazRFQ25sNVpER1huMDVYUVk4dXFlU3lTeVNOaFRsQ0RXRm83a1BFNmhyczFoVTNBWmVoMUtpcApoOHV4SlZzWGdkR01hYWtnTmJCeTZOampNSFFtOXNadTl4cFRMVWxHCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcFlwYktUY1BIeUwrbjVsWm9ZakpWYTZSL3dJWjl0dDdMS3UzMDdJNE5pZFE4ZXp4CmFtc3lsbmFPNElzQ0c2YkxvTktYQVlFVVJYeEZPRXZWWG5GMFBzMy9SdnJETktOUGNBRFEyWlJEb3ZUYTFpTjcKaHJ4STA1RzgvdDRNY1JPQ0R0YU9oR3l0ajBYQWdXY251RmhFQlZ6eEVhRW8rb1hnRUdvWUY2d2c4dGVBOFdxZgo5SzNrR1VucURmRHNMelZ4dzZRRnFaTDV3UVVzUkJ3UGJqL2VHUmRTQW0xQzhUWURsMlFwR1VaUmFEdFoyNzBzCkRPSmZwQUpGTlc5cXJSUkRWa1A5dndYNjkyMDNSK2NHYTJjeWVtbjU4WjZNYldJZCt3VVlYK3lucm1jWHFEWlkKOFozdjF2dWc1OFhRMEFxSGQzNGR6Y1FRZVpzM052ZDJaUnhMcFFJREFRQUJBb0lCQUNlSnZTNUI1VTIxaVFWTApsam5idHVMTkdEZkZJN2h2UWFNd3ZHNUdvZUJsVVpNRzJiNW1MaVg3MlRKT1lVbURkQjFNVHg3ZjJweWlDdEpnClltejFRaU9DQmhmSTZ2aldqTEdlc0VOWGd6UVhzWEQxOXBuK3ZKSXp1K1ZQMmI3a1B1c1dXZUhOSjBNU0VPR1gKWnNoRDVMTTNPS2pTU2p4VDMybHNQYWJoeU5qWE42NTNCbTljdmhvSEJFR2hIWjVYWkZRZm9VdnkyeTZ4L0V0RwpHOWlhek5sbTEwVVdWZUxiU012ZE9lMlJQdjNlNmw4OGxWUzMrSVhlTm9SUU0zZk84NjJqRXZ2M2NNSVcyWWZoCkJBQnJ4QTk3UmUzcWk1STdrc3ViaW9FYnVMaVdmNzJzbG5oSlpSZmJybFZET1VXc0g4d1dBcU4rd3FsOFhsUzEKdEtTM1RBRUNnWUVBMFJhWUVxZ2JBYkZjZStIVVZFbG5RejdIOUpnWXZLTTRvSEp0TmthZm5pVjF2K0lEanFWeApkRElzcFlzUnNrc3g2SmV4YVVQWSs3SGlQb043RWR1Qkh2b0taUUFudVU0NXJvTklVbHcybHI0TmN6RjNlTjlYCjlGVkY1OXBrNnFNRUdNMzRXTFB5dEVGbFRZYVJoeVpTRDhmbTN6V3FkRmp0U1A1UTJSNnY4S1VDZ1lFQXlxNkIKakgzTWFhRmMreWZTRi9yclRHZ3NseDVEcldZUlVWejRKZVZNRUpYUE1IMkNvUmVvc29vSDZLV3dJNjdDT3VxcgpGRG9LN0g1blU0bUh3Vi9CYnlnd08wdFF1anhFNUk0Vm5zcUZOQXNCZE91L0dnVEJqQ0huK2U5MHRGS0dxT093Cm1JM2YzMDZZWGUzdFlhUUJuVWdxdUNKS2FPSm1kcXJPVllsWS93RUNnWUVBbS9JdUdqd25hR3ZRZnRWQWVGMEgKRjdDTGtuS2VnSk44ZUs3ZnBjdW00VjB2Slo1ODZMZWNsdjJWTHlNNlg3Q1YyTlRMRGFmOC9qeitjWUcvR09LTwp1M3ZpcE5Jb3pwejVpSitDSVd1Rmk0alVuMFlWeGFGUENIMVJWa3dkV0tPZE9xTGt4OFB2RVdKMUhBMXlIVXNICmlaMmZKSHZ5VmpTOVJlUG9pUWZLVWNFQ2dZQVcxNWZ1RjNka0tEVnNjTTV5dVdxdlQ4Wkd1Ymh5NEYvdlJZVUoKOEUra1J0MzAzeEJMeTNqTnRsU3gyWXFDV3YyMDJpR3h3K0RiU2x1bXhJY3lPZko0N3BTUStpbjg4ekhvZUVMagpoSHVDcEFMa0JIV2pId29aR3ZFajcrSzlOOWZKVE8vb0lZVXJpNVlNYi9ZaTNQTDVvTnAvcWcyc3lHYzMxSVF3Cmk2d21BUUtCZ0EyQ0NHcEVIUnpEUGUyYUpLTWgzUFdGc0FPQ0NoZ0pLWkprVEZwTnZNNmZSOGMzRXBrMitWTjMKaDhEYTJhK0pNTkZITmhNNTNCRFptU0hFTjNqRVBHSzNHZURlMUNHRHFVaXNsNW1hQWptcVpuV2pnOWlCTmFhRwpzVElERkVmNVNGbVRsT0xrUFA1Y092RHNBQWl1TzZMUHRvTmlQTTB0eUU3cFMrNUhsNUpaCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6InZEWHEzTmlLLXQ1bmxkTzloVEtUSWFhWkxMUUFsQ1RGWWVmRktPS1BnbncifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdXNlciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTgyNDg5ZGEtYmU0ZS00YjdlLWEwMjctNGRmMzU3YTI2NmE3Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmVybmV0ZXMtZGFzaGJvYXJkOmFkbWluLXVzZXIifQ.c67v-mp1UGxI4Uw05xB0do2rh6gTZ7SFcyUHlzjABB4POr1FIKIp_KQd4ejIq4N1mDSke2TpF8FlmKbOZESZICghVtPcn3ajbZMPAJ9zjscM31W6xazLfc5jgg224kHAziRVOyZdWThC2VPK12-36p1RpCaLi3Mk_gs96U9xsZXYQ6BbfOLP6uTE98oi4ghQW02TqU9qGUEdrTqJJKqpxZJk2Rq_5anxidcq6omXYIsgOOwNMboVembo4CPlRocj1YIyPPEaANBdAsg5Xv99Vv1QaaRmDOeMst_aX-csiULyZUK4FIjSZB_TLRQyii_ZFnnVLmVQ5TCeRGTWSxDi8w
root@k8s-master01:~# 

  提示:將上述檔案匯出即可使用kubeconfig檔案來登入dashboard;

  驗證使用kubeconfig檔案登入dashboard

  部署第三方dashboard kuboard

  為kuboard準備存放資料的目錄,安裝nfs-server

root@harbor:~# apt install nfs-server -y
root@harbor:~# mkdir -p /data/k8sdata/kuboard
root@harbor:~# cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/data/k8sdata/kuboard *(rw,no_root_squash)
root@harbor:~# systemctl restart nfs-server
root@harbor:~# systemctl enable nfs-server
root@harbor:~# 

  部署kuboard

root@k8s-master01:~/kuboard# cat kuboard-all-in-one.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: kuboard

---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations: {}
  labels:
    k8s.kuboard.cn/name: kuboard-v3
  name: kuboard-v3
  namespace: kuboard
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s.kuboard.cn/name: kuboard-v3
  template:
    metadata:
      labels:
        k8s.kuboard.cn/name: kuboard-v3
    spec:
      #affinity:
      #  nodeAffinity:
      #    preferredDuringSchedulingIgnoredDuringExecution:
      #      - preference:
      #          matchExpressions:
      #            - key: node-role.kubernetes.io/master
      #              operator: Exists
      #        weight: 100
      #      - preference:
      #          matchExpressions:
      #            - key: node-role.kubernetes.io/control-plane
      #              operator: Exists
      #        weight: 100
      volumes:
      - name: kuboard-data
        nfs:
          server: 192.168.0.42
          path: /data/k8sdata/kuboard 
      containers:
        - env:
            - name: "KUBOARD_ENDPOINT"
              value: "http://kuboard-v3:80"
            - name: "KUBOARD_AGENT_SERVER_TCP_PORT"
              value: "10081"
          image: swr.cn-east-2.myhuaweicloud.com/kuboard/kuboard:v3 
          volumeMounts:
          - name: kuboard-data 
            mountPath: /data 
            readOnly: false
          imagePullPolicy: Always
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 80
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          name: kuboard
          ports:
            - containerPort: 80
              name: web
              protocol: TCP
            - containerPort: 443
              name: https
              protocol: TCP
            - containerPort: 10081
              name: peer
              protocol: TCP
            - containerPort: 10081
              name: peer-u
              protocol: UDP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /
              port: 80
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          resources: {}
      #dnsPolicy: ClusterFirst
      #restartPolicy: Always
      #serviceAccount: kuboard-boostrap
      #serviceAccountName: kuboard-boostrap
      #tolerations:
      #  - key: node-role.kubernetes.io/master
      #    operator: Exists

---
apiVersion: v1
kind: Service
metadata:
  annotations: {}
  labels:
    k8s.kuboard.cn/name: kuboard-v3
  name: kuboard-v3
  namespace: kuboard
spec:
  ports:
    - name: web
      nodePort: 30080
      port: 80
      protocol: TCP
      targetPort: 80
    - name: tcp
      nodePort: 30081
      port: 10081
      protocol: TCP
      targetPort: 10081
    - name: udp
      nodePort: 30081
      port: 10081
      protocol: UDP
      targetPort: 10081
  selector:
    k8s.kuboard.cn/name: kuboard-v3
  sessionAffinity: None
  type: NodePort
root@k8s-master01:~/kuboard#

  應用部署清單

root@k8s-master01:~/kuboard# kubectl apply -f kuboard-all-in-one.yaml 
namespace/kuboard created
deployment.apps/kuboard-v3 created
service/kuboard-v3 created
root@k8s-master01:~/kuboard# kubectl get pods -A
NAMESPACE              NAME                                         READY   STATUS    RESTARTS       AGE
default                test                                         1/1     Running   0              143m
default                test1                                        1/1     Running   0              143m
default                test2                                        1/1     Running   0              143m
kube-system            calico-kube-controllers-5456dd947c-pwl2n     1/1     Running   1 (118m ago)   149m
kube-system            calico-node-4zmb4                            1/1     Running   0              132m
kube-system            calico-node-7lc66                            1/1     Running   0              131m
kube-system            calico-node-bkhkd                            1/1     Running   0              131m
kube-system            calico-node-mw49k                            1/1     Running   0              131m
kube-system            calico-node-v726r                            1/1     Running   0              132m
kube-system            calico-node-x9r7h                            1/1     Running   0              131m
kube-system            coredns-77879dc67d-cfzfj                     1/1     Running   0              112m
kube-system            coredns-77879dc67d-d7hgw                     1/1     Running   0              112m
kubernetes-dashboard   dashboard-metrics-scraper-7f4bd79f5b-f9z74   1/1     Running   0              67m
kubernetes-dashboard   kubernetes-dashboard-6cd4d9dfb4-2kjbx        1/1     Running   0              51m
kuboard                kuboard-v3-689f5c8d6-fxxhx                   1/1     Running   0              2m52s
root@k8s-master01:~/kuboard# kubectl get svc -A 
NAMESPACE              NAME                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                        AGE
default                kubernetes                  ClusterIP   10.100.0.1       <none>        443/TCP                                        163m
kube-system            kube-dns                    ClusterIP   10.100.0.2       <none>        53/UDP,53/TCP,9153/TCP                         112m
kubernetes-dashboard   dashboard-metrics-scraper   ClusterIP   10.100.143.187   <none>        8000/TCP                                       68m
kubernetes-dashboard   kubernetes-dashboard        NodePort    10.100.90.240    <none>        443:30000/TCP                                  68m
kuboard                kuboard-v3                  NodePort    10.100.224.132   <none>        80:30080/TCP,10081:30081/TCP,10081:30081/UDP   7m5s
root@k8s-master01:~/kuboard# 

  訪問kuboard

  提示:預設使用者名稱和密碼是admin/Kuboard123

  匯入叢集

  新增叢集的方式有兩種,一種是agent,一種是kubeconfig;agent這種方式需要在k8s上額外執行一個pod來作為agent;

  agent方式匯入叢集

  提示:把上述命令在k8s叢集上執行下就好;

  kubeconfig方式匯入叢集

  提示:需要將製作好的kubeconfig檔案內容直接貼上進來即可;

  返回首頁檢視叢集列表

  提示:kuboard它可用管理多個叢集;

  選擇使用叢集的身份

  檢視叢集概要資訊

  好了,第三方dashboard kuboard就部署好了,後面我們管理k8s叢集就可用在kuboard上面點點;如果需要解除安裝kuboard ,只需要在k8s上將部署清單delete一下即可;kubectl delete -f kuboard-all-in-one.yaml;

  部署第三方dashboard kubesphere

  提前準備儲存類相關部署清單

  授權清單

root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# cat 1-rbac.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: nfs
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nfs-client-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: run-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: nfs
roleRef:
  kind: ClusterRole
  name: nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: leader-locking-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: nfs
roleRef:
  kind: Role
  name: leader-locking-nfs-client-provisioner
  apiGroup: rbac.authorization.k8s.io
root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# 

  儲存類清單

root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# cat 2-storageclass.yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  #name: managed-nfs-storage
  name: nfs-csi
  annotations:
    storageclass.kubernetes.io/is-default-class: "true" 
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner # or choose another name, must match deployment's env PROVISIONER_NAME'
reclaimPolicy: Retain #PV的刪除策略,預設為delete,刪除PV後立即刪除NFS server的資料
mountOptions:
  #- vers=4.1 #containerd有部分引數異常
  #- noresvport #告知NFS客戶端在重新建立網路連線時,使用新的傳輸控制協議源埠
  - noatime #訪問檔案時不更新檔案inode中的時間戳,高併發環境可提高效能
parameters:
  #mountOptions: "vers=4.1,noresvport,noatime"
  archiveOnDelete: "true"  #刪除pod時保留pod資料,預設為false時為不保留資料 
root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# 

  NFS提供者清單

root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# cat 3-nfs-provisioner.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-client-provisioner
  labels:
    app: nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: nfs
spec:
  replicas: 1
  strategy: #部署策略
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-provisioner
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          #image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 
          image: registry.cn-qingdao.aliyuncs.com/zhangshijie/nfs-subdir-external-provisioner:v4.0.2 
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: k8s-sigs.io/nfs-subdir-external-provisioner
            - name: NFS_SERVER
              value: 192.168.0.42
            - name: NFS_PATH
              value: /data/volumes
      volumes:
        - name: nfs-client-root
          nfs:
            server: 192.168.0.42
            path: /data/volumes
root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# 

  在NFS上準備資料目錄

root@harbor:~# mkdir -p /data/volumes
root@harbor:~# cat /etc/exports 
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/data/k8sdata/kuboard *(rw,no_root_squash)
/data/volumes *(rw,no_root_squash)
root@harbor:~# exportfs -av
exportfs: /etc/exports [1]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/data/k8sdata/kuboard".
  Assuming default behaviour ('no_subtree_check').
  NOTE: this default has changed since nfs-utils version 1.0.x

exportfs: /etc/exports [2]: Neither 'subtree_check' or 'no_subtree_check' specified for export "*:/data/volumes".
  Assuming default behaviour ('no_subtree_check').
  NOTE: this default has changed since nfs-utils version 1.0.x

exporting *:/data/volumes
exporting *:/data/k8sdata/kuboard
root@harbor:~# 

  應用上述授權、儲存類、NFS提供者清單

root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# kubectl apply -f .
namespace/nfs created
serviceaccount/nfs-client-provisioner created
clusterrole.rbac.authorization.k8s.io/nfs-client-provisioner-runner created
clusterrolebinding.rbac.authorization.k8s.io/run-nfs-client-provisioner created
role.rbac.authorization.k8s.io/leader-locking-nfs-client-provisioner created
rolebinding.rbac.authorization.k8s.io/leader-locking-nfs-client-provisioner created
storageclass.storage.k8s.io/nfs-csi created
deployment.apps/nfs-client-provisioner created
root@k8s-master01:~/KubeSphere/1.nfs-stroageclass-cases# 

  驗證:檢視對應pod是否正常執行?

  驗證儲存類是否正常建立

  編輯cluster-configuration.yaml,啟用外掛

  啟用logging

  提示:除了在部署前修改cluster-configuration.yaml檔案來啟用各種外掛,也可以在部署後使用admin使用者登入控制檯,在平臺管理,選集權管理,定製資源定義,在搜尋欄裡輸入clusterconfiguration,點選搜尋結果檢視詳細頁面;在自定義資源中,點選kk-installer右側編輯YAML;

  應用kubesphere-installer.yaml安裝清單

root@k8s-master01:~/KubeSphere# kubectl apply -f kubesphere-installer.yaml 
customresourcedefinition.apiextensions.k8s.io/clusterconfigurations.installer.kubesphere.io created
namespace/kubesphere-system created
serviceaccount/ks-installer created
clusterrole.rbac.authorization.k8s.io/ks-installer created
clusterrolebinding.rbac.authorization.k8s.io/ks-installer created
deployment.apps/ks-installer created
root@k8s-master01:~/KubeSphere#

  應用cluster-configuration.yaml叢集配置清單

root@k8s-master01:~/KubeSphere# kubectl apply -f cluster-configuration.yaml 
clusterconfiguration.installer.kubesphere.io/ks-installer created
root@k8s-master01:~/KubeSphere# 

  檢視安裝過程⽇志資訊

root@k8s-master01:~/KubeSphere# kubectl logs -n kubesphere-system $(kubectl get pod -n kubesphere-system -l 'app in (ks-install, ks-installer)' -o jsonpath='{.items[0].metadata.name}') -f

  驗證:檢視pods是否正常執行

root@k8s-deploy:~# kubectl get pods -A
NAMESPACE                      NAME                                          READY   STATUS    RESTARTS      AGE
default                        test                                          1/1     Running   1 (20m ago)   3h55m
default                        test1                                         1/1     Running   1 (20m ago)   3h55m
default                        test2                                         1/1     Running   1 (21m ago)   3h55m
kube-system                    calico-kube-controllers-5456dd947c-pwl2n      1/1     Running   2 (21m ago)   4h
kube-system                    calico-node-4zmb4                             1/1     Running   0             3h44m
kube-system                    calico-node-7lc66                             1/1     Running   0             3h43m
kube-system                    calico-node-bkhkd                             1/1     Running   1 (20m ago)   3h43m
kube-system                    calico-node-mw49k                             1/1     Running   1 (21m ago)   3h43m
kube-system                    calico-node-v726r                             1/1     Running   0             3h44m
kube-system                    calico-node-x9r7h                             1/1     Running   1 (20m ago)   3h43m
kube-system                    coredns-77879dc67d-cfzfj                      1/1     Running   1 (20m ago)   3h24m
kube-system                    coredns-77879dc67d-d7hgw                      1/1     Running   1 (20m ago)   3h24m
kube-system                    snapshot-controller-0                         1/1     Running   1 (20m ago)   30m
kubernetes-dashboard           dashboard-metrics-scraper-7f4bd79f5b-f9z74    1/1     Running   1 (20m ago)   159m
kubernetes-dashboard           kubernetes-dashboard-6cd4d9dfb4-2kjbx         1/1     Running   1 (20m ago)   143m
kubesphere-controls-system     default-http-backend-864f4f5c6b-7tsv6         1/1     Running   0             15m
kubesphere-controls-system     kubectl-admin-c6988866d-zz566                 1/1     Running   0             3m11s
kubesphere-logging-system      elasticsearch-logging-data-0                  1/1     Running   0             29m
kubesphere-logging-system      elasticsearch-logging-data-1                  1/1     Running   0             18m
kubesphere-logging-system      elasticsearch-logging-data-2                  1/1     Running   0             18m
kubesphere-logging-system      elasticsearch-logging-discovery-0             1/1     Running   0             29m
kubesphere-logging-system      elasticsearch-logging-discovery-1             1/1     Running   0             20m
kubesphere-logging-system      elasticsearch-logging-discovery-2             1/1     Running   0             18m
kubesphere-logging-system      fluent-bit-2dbgl                              1/1     Running   0             17m
kubesphere-logging-system      fluent-bit-86m78                              1/1     Running   0             17m
kubesphere-logging-system      fluent-bit-98v2p                              1/1     Running   0             17m
kubesphere-logging-system      fluent-bit-jrdqm                              1/1     Running   0             17m
kubesphere-logging-system      fluent-bit-l68dm                              1/1     Running   0             17m
kubesphere-logging-system      fluent-bit-mn68v                              1/1     Running   0             17m
kubesphere-logging-system      fluentbit-operator-5548b5b599-hmbc4           1/1     Running   0             18m
kubesphere-logging-system      logsidecar-injector-deploy-7894888d74-crmx7   2/2     Running   0             11m
kubesphere-logging-system      logsidecar-injector-deploy-7894888d74-nd4tm   2/2     Running   0             11m
kubesphere-monitoring-system   kube-state-metrics-8c877c9db-z9x4j            3/3     Running   0             6m41s
kubesphere-monitoring-system   node-exporter-5tjml                           2/2     Running   0             6m45s
kubesphere-monitoring-system   node-exporter-dj5th                           2/2     Running   0             6m44s
kubesphere-monitoring-system   node-exporter-nxl4k                           2/2     Running   0             6m44s
kubesphere-monitoring-system   node-exporter-phxxn                           2/2     Running   0             6m44s
kubesphere-monitoring-system   node-exporter-qb6c8                           2/2     Running   0             6m44s
kubesphere-monitoring-system   node-exporter-t8h9j                           2/2     Running   0             6m44s
kubesphere-monitoring-system   prometheus-k8s-0                              2/2     Running   0             6m28s
kubesphere-monitoring-system   prometheus-k8s-1                              2/2     Running   0             6m28s
kubesphere-monitoring-system   prometheus-operator-845b8fb9df-tkhgn          2/2     Running   0             6m47s
kubesphere-system              ks-apiserver-5cd88dfbc5-5k85m                 1/1     Running   0             15m
kubesphere-system              ks-apiserver-5cd88dfbc5-5mdnb                 1/1     Running   0             15m
kubesphere-system              ks-apiserver-5cd88dfbc5-ckp76                 1/1     Running   0             15m
kubesphere-system              ks-console-68769fccc6-2m978                   1/1     Running   0             15m
kubesphere-system              ks-console-68769fccc6-2vlrx                   1/1     Running   0             15m
kubesphere-system              ks-console-68769fccc6-9xc5s                   1/1     Running   0             15m
kubesphere-system              ks-controller-manager-55fdd48f88-drrqf        1/1     Running   0             15m
kubesphere-system              ks-controller-manager-55fdd48f88-dzv59        1/1     Running   0             15m
kubesphere-system              ks-controller-manager-55fdd48f88-jnxff        1/1     Running   0             15m
kubesphere-system              ks-installer-fcf648dcb-mswk4                  1/1     Running   1 (20m ago)   32m
kubesphere-system              redis-64bf76657c-5gkw8                        1/1     Running   1 (21m ago)   29m
kuboard                        kuboard-v3-689f5c8d6-fxxhx                    1/1     Running   1 (20m ago)   94m
nfs                            nfs-client-provisioner-7d84488bd5-d6988       1/1     Running   1 (21m ago)   47m
root@k8s-deploy:~#

  檢視kubesphere 控制檯服務埠

  訪問kubesphere 控制檯

  修改密碼

  ok,基於第三方dashboard kubesphere部署完畢;

相關文章