Environment: CentOS 8, Kubernetes 1.18.0
https://kubernetes.io/zh/docs/setup/production-environment/tools/kubeadm/install-kubeadm/
Installing kubeadm

```shell
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
EOF

setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable --now kubelet

modprobe br_netfilter
cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system
```
Creating a single control-plane node with kubeadm

```shell
kubeadm init \
  --apiserver-advertise-address={your_host} \
  --apiserver-bind-port=6443 \
  --pod-network-cidr=10.233.0.0/16 \
  --service-cidr=10.96.0.0/12

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
```
After `kubeadm init` completes, it prints output similar to the following:
```text
Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a Pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  /docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

kubeadm join <control-plane-host>:<control-plane-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
```
Record the `kubeadm join <control-plane-host>:<control-plane-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>` line; it is needed later when joining nodes.
The token is valid for 24 hours and can be listed with `kubeadm token list`:
```text
TOKEN                     TTL   EXPIRES                     USAGES                   DESCRIPTION                                                EXTRA GROUPS
tmxcmx.1utw7s3anszbd03z   23h   2020-04-06T16:24:03+08:00   authentication,signing   The default bootstrap token generated by 'kubeadm init'.   system:bootstrappers:kubeadm:default-node-token
```
If the token has expired, generate a new one with `kubeadm token create`.
If you have lost the value of `--discovery-token-ca-cert-hash`, it can be recomputed from the cluster CA certificate with the following command:
```shell
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | \
  openssl dgst -sha256 -hex | sed 's/^.* //'
```
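As an added example, not from the original post: a stdlib-only Python rendition of what that hash covers, plus a check the operator of a joining node can run against a copy of `ca.crt` obtained out of band before trusting a `kubeadm join` line. The DER walker and the constructed sample certificate are mine; on a real `ca.crt` the result equals the openssl pipeline above, because both hash the DER-encoded SubjectPublicKeyInfo, so re-issuing the CA certificate with the same key does not change the pin.

```python
import base64
import hashlib
import hmac

def der_encode(tag: int, value: bytes) -> bytes:
    """DER-encode one TLV element (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(value: bytes):
    """Split a constructed element's contents into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, hdr = value[pos], value[pos + 1], 2
        if length & 0x80:                       # long form: low 7 bits = number of length bytes
            hdr += length & 0x7F
            length = int.from_bytes(value[pos + 2:pos + hdr], "big")
        end = pos + hdr + length
        out.append((tag, value[pos + hdr:end], value[pos:end]))
        pos = end
    return out

def ca_cert_hash(pem_or_der: bytes) -> str:
    """'sha256:<hex>' over the DER SubjectPublicKeyInfo, the value kubeadm pins on join."""
    if pem_or_der.startswith(b"-----BEGIN"):   # accept PEM, as in /etc/kubernetes/pki/ca.crt
        pem_or_der = base64.b64decode(b"".join(l for l in pem_or_der.splitlines() if b"-----" not in l))
    (_, cert, _), = der_children(pem_or_der)    # Certificate ::= SEQUENCE { tbsCertificate, ... }
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                    # skip optional [0] EXPLICIT version
        fields = fields[1:]
    spki_raw = fields[5][2]                     # serial, signature, issuer, validity, subject, SPKI
    return "sha256:" + hashlib.sha256(spki_raw).hexdigest()

def join_hash_matches(pem_or_der: bytes, claimed: str) -> bool:
    """Constant-time check of an out-of-band hash against the control plane's ca.crt."""
    claimed = claimed.strip().lower()
    claimed = claimed if claimed.startswith("sha256:") else "sha256:" + claimed
    return hmac.compare_digest(ca_cert_hash(pem_or_der), claimed)

# Constructed sample (not a real CA): an EC SubjectPublicKeyInfo and a structurally valid,
# unsigned X.509 skeleton around it; make_sample_cert leaves issuer/validity/subject empty.
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01")
                         + der_encode(0x03, b"\x00\x04" + b"\xab" * 64))

def make_sample_cert(serial: bytes, spki: bytes = SAMPLE_SPKI) -> bytes:
    empty = der_encode(0x30, b"")
    tbs = der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, serial) + empty * 4 + spki
    return der_encode(0x30, der_encode(0x30, tbs) + empty + der_encode(0x03, b"\x00"))
```

Unlike the `openssl rsa` step in the pipeline above, this does not assume the CA key is RSA.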
Other issues
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/
By default, for security reasons, pods are not scheduled onto the control-plane node. If you have only a single node for testing, you can remove the taint with the following command:
```shell
kubectl taint nodes --all node-role.kubernetes.io/master-
```
Installing the Pod network. Run on the control-plane node:
```shell
KUBECONFIG=/etc/kubernetes/admin.conf kubectl apply -f https://raw.githubusercontent.com/cloudnativelabs/kube-router/master/daemonset/kubeadm-kuberouter.yaml
```
Joining nodes. Run on each machine to be added:
```shell
kubeadm join <control-plane-host>:<control-plane-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
```
Once joined, the new node is visible from the control-plane node via `kubectl get nodes`.
Installing the Dashboard

```shell
wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-rc7/aio/deploy/recommended.yaml
```
In `recommended.yaml`, change the `kubernetes-dashboard` Service to type NodePort so it is reachable on port 30001:

```yaml
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard
```
```shell
kubectl create -f recommended.yaml
```
Fetch a token to log in with. This reads the token of the kube-system service account whose secret name matches `namespace`, so the dashboard session carries that account's permissions:

```shell
kubectl -n kube-system describe $(kubectl -n kube-system get secret -o name | grep namespace) | grep token
```
Open https://localhost:30001 in a browser and enter the token above to log in.
If Chrome refuses to open the page because of the certificate, you can type thisisunsafe to bypass the warning.
Tearing down nodes
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/#tear-down