Learn-at-a-Glance Series: k8s-dashboard 1.10.1 Installation Guide

Source: original article on this site. Category: Docker

http://www.525.life/article?id=1510739742331

Video version: https://ke.qq.com/course/266656

yum install -y epel-release lrzsz wget net-tools ntp

Synchronize the time:

ntpdate cn.pool.ntp.org

Disable the firewall:

systemctl stop firewalld

systemctl disable firewalld

Disable SELinux:

sed -i 's/enforcing/disabled/' /etc/selinux/config

setenforce 0

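Disable swap:

swapoff -a    # temporary, until the next reboot

vim /etc/fstab    # permanent (comment out the swap line)

Add hostname-to-IP mappings (remember to set each machine's hostname): cat /etc/hosts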

192.168.0.11 k8s-master

192.168.0.12 k8s-node1

192.168.0.13 k8s-node2

Pass bridged IPv4 traffic to the iptables chains:

cat > /etc/sysctl.d/k8s.conf << EOF

net.bridge.bridge-nf-call-ip6tables = 1

net.bridge.bridge-nf-call-iptables = 1

EOF

sysctl --system

[root@localhost ~]# sudo sysctl -p /etc/sysctl.d/k8s.conf

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-ip6tables: No such file or directory

sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

[root@localhost ~]#

[root@localhost ~]# modprobe br_netfilter

[root@localhost ~]# sudo sysctl -p /etc/sysctl.d/k8s.conf

net.bridge.bridge-nf-call-ip6tables = 1

net.bridge.bridge-nf-call-iptables = 1

[root@localhost ~]#

Kubernetes' default CRI (container runtime) is Docker, so install Docker first.

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo

yum -y install docker-ce-18.06.1.ce-3.el7

systemctl enable docker && systemctl start docker

docker --version

Docker version 18.06.1-ce, build e68fc7a

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

4. Install Docker/kubeadm/kubelet on all nodes

Update /etc/hosts before installing:

[root@k8s-master ~]# cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.10.68 k8s-master

192.168.10.69 k8s-node1

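Because new versions are released frequently, pin the version number when deploying:

yum install -y kubelet-1.13.3 kubeadm-1.13.3 kubectl-1.13.3

Worker nodes:

yum install -y kubelet-1.13.3 kubeadm-1.13.3

systemctl enable kubelet

Switch to a registry mirror inside China; every server must use the same setting: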

vi /etc/docker/daemon.json

{

"registry-mirrors": [ "https://registry.docker-cn.com"]

}

Alibaba Cloud's mirror can also be used, but you need to register for your own address:

{

"registry-mirrors": ["https://9syoriwt.mirror.aliyuncs.com"]

}

free -h

swapoff -a

vim /etc/fstab

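kubeadm init \
  --apiserver-advertise-address=192.168.10.68 \
  --image-repository registry.aliyuncs.com/google_containers \
  --kubernetes-version v1.13.3 \
  --service-cidr=10.100.0.0/16 \
  --pod-network-cidr=10.244.0.0/16

If initialization fails, reset and then initialize again:

kubeadm reset   # Note: after a reset and reinstall, kubectl may report an authentication failure and refuse to work; run the admin.conf setup commands printed on screen by kubeadm init once more and it works again.

A token is generated.

7. Join Kubernetes nodes

To add a new node to the cluster, run the kubeadm join command printed by kubeadm init.

Record the output; a node only needs to run this to join the cluster: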

You can now join any number of machines by running the following on each node

as root:

kubeadm join 192.168.10.68:6443 --token 95fvbt.xf7ycgtxfbzc2tyr --discovery-token-ca-cert-hash sha256:cc48567c61690242b3123e0f4f68cda9ff431562735a655a5ee7b544b8364d1c

Tokens expire (after 24 hours by default), so create a new one when needed:

1. kubeadm token create

kubeadm token list

2. Get the SHA-256 hash of the CA certificate's public key:

openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

3. Run the complete command on the node that is being added:

kubeadm join 192.168.10.68:6443 --token lh4nta.nmd0mzksdi3n0luo --discovery-token-ca-cert-hash sha256:cc48567c61690242b3123e0f4f68cda9ff431562735a655a5ee7b544b8364d1c

Format:

kubeadm join masterIP:6443 --token <newly generated token> --discovery-token-ca-cert-hash sha256:<newly generated hash>

[root@k8s-master ~]# kubeadm token list # list tokens

TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS

95fvbt.xf7ycgtxfbzc2tyr <invalid> 2019-03-03T12:55:43-05:00 authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token

lh4nta.nmd0mzksdi3n0luo 23h 2019-03-04T22:38:25-05:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token

The result:

[root@k8s-node2 ~]# kubeadm join 192.168.10.68:6443 --token lh4nta.nmd0mzksdi3n0luo --discovery-token-ca-cert-hash sha256:cc48567c61690242b3123e0f4f68cda9ff431562735a655a5ee7b544b8364d1c

This node has joined the cluster:

* Certificate signing request was sent to apiserver and a response was received.

* The Kubelet was informed of the new secure connection details.

Run 'kubectl get nodes' on the master to see this node join the cluster.

[root@k8s-master ~]# kubectl get node

NAME STATUS ROLES AGE VERSION

k8s-master Ready master 34h v1.13.3

k8s-node1 Ready <none> 32h v1.13.3

k8s-node2 Ready <none> 4m25s v1.13.3
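The value passed to --discovery-token-ca-cert-hash is the SHA-256 of the CA certificate's DER-encoded subjectPublicKeyInfo, which is what the openssl pipeline in step 2 prints. The following is an added example, not part of the original article: it computes and checks that pin with the Python standard library only, and unlike the `openssl rsa` step it also works for non-RSA CA keys. The function names are hypothetical and the sample certificate is a constructed, certificate-shaped structure rather than a real CA.

```python
import hashlib
import hmac
import ssl

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, end)."""
    tag, first = buf[pos], buf[pos + 1]
    body = pos + 2
    if first & 0x80:                       # long-form length: next n bytes hold it
        n = first & 0x7F
        length = int.from_bytes(buf[body:body + n], "big")
        body += n
    else:
        length = first
    if body + length > len(buf):
        raise ValueError("truncated DER")
    return tag, body, body + length

def spki_from_cert(der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    # Fields before SPKI: [0] version (optional), serial, sigAlg, issuer, validity, subject
    skip = 6 if der[pos] == 0xA0 else 5
    for _ in range(skip):
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)
    return der[pos:end]

def ca_cert_hash(pem):
    """Value for --discovery-token-ca-cert-hash, including the sha256: prefix."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return "sha256:" + hashlib.sha256(spki_from_cert(der)).hexdigest()

def pin_matches(pem, pinned):
    """True only if pinned is 'sha256:<hex>' and equals this certificate's hash."""
    return pinned.startswith("sha256:") and hmac.compare_digest(ca_cert_hash(pem), pinned.lower())

# --- constructed sample input: minimal certificate-shaped DER, not a real CA ---
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a")) + tlv(0x03, b"\x00" + bytes(range(140))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00")))
```

On a node, `pin_matches(open("ca.crt").read(), pinned)` compares a CA certificate obtained out of band against the hash in the join command before the join is run.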

Test the Kubernetes cluster

Create a pod in the Kubernetes cluster and verify that it runs correctly:

kubectl create deployment nginx --image=nginx

kubectl expose deployment nginx --port=80 --type=NodePort

kubectl get pod,svc

[root@k8s-master ~]# kubectl get pod,svc

NAME READY STATUS RESTARTS AGE

pod/nginx-5c7588df-dwbqx 1/1 Running 0 29s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

service/kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 74m

service/nginx NodePort 10.100.74.188 <none> 80:32020/TCP 12s

[root@k8s-master ~]#

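The kubeadm init output contains the following key items:

Record the generated token; it is needed later when adding nodes to the cluster with kubeadm join.

The commands below configure how a regular user accesses the cluster with kubectl (the client). The master node also needs kubectl to access the cluster, so run them there as well:

mkdir -p $HOME/.kube

sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubectl get nodes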

[root@localhost ~]# mkdir -p $HOME/.kube

[root@localhost ~]# sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

[root@localhost ~]# sudo chown $(id -u):$(id -g) $HOME/.kube/config

[root@k8s-master ~]# kubectl get nodes

NAME STATUS ROLES AGE VERSION

k8s-master NotReady master 4m23s v1.13.3

k8s-node1 Ready <none> 111s v1.13.3

[root@k8s-master ~]#

6. Install the Pod network add-on (CNI)

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml

[root@k8s-master ~]# kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/a70459be0084506e4ec919aa1c114638878db11b/Documentation/kube-flannel.yml

clusterrole.rbac.authorization.k8s.io/flannel created

clusterrolebinding.rbac.authorization.k8s.io/flannel created

serviceaccount/flannel created

configmap/kube-flannel-cfg created

daemonset.extensions/kube-flannel-ds-amd64 created

daemonset.extensions/kube-flannel-ds-arm64 created

daemonset.extensions/kube-flannel-ds-arm created

daemonset.extensions/kube-flannel-ds-ppc64le created

daemonset.extensions/kube-flannel-ds-s390x created

[root@k8s-master ~]#

[root@k8s-master ~]# kubectl get cs

NAME STATUS MESSAGE ERROR

controller-manager Healthy ok

scheduler Healthy ok

etcd-0 Healthy {"health": "true"}

[root@k8s-master ~]#

Create a test application:

kubectl create deployment nginx --image=nginx

kubectl expose deployment nginx --port=80 --type=NodePort

kubectl get pod,svc

[root@k8s-master ~]# kubectl create deployment nginx --image=nginx

deployment.apps/nginx created

[root@k8s-master ~]# kubectl expose deployment nginx --port=80 --type=NodePort

service/nginx exposed

[root@k8s-master ~]# kubectl get pod,svc # list pods and services

NAME READY STATUS RESTARTS AGE

pod/nginx-5c7588df-tmff9 1/1 Running 0 35s

NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

service/kubernetes ClusterIP 10.100.0.1 <none> 443/TCP 9m27s

service/nginx NodePort 10.100.34.146 <none> 80:32016/TCP 18s

[root@k8s-master ~]#

[root@k8s-master ~]# kubectl get pod -o wide # see which node the pod runs on

NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

nginx-5c7588df-dwbqx 1/1 Running 1 32h 10.244.1.82 k8s-node1 <none> <none>

[root@k8s-master ~]#

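Verify:

Access between containers (inside the cluster): http://10.100.34.146:80

External access: http://nodeip:32016

9. Deploy the Dashboard

Switch to the Alibaba Cloud mirror; you need to register to obtain an address: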

[root@k8s-master ~]# cat /etc/docker/daemon.json

{

"registry-mirrors": ["https://9syoriwt.mirror.aliyuncs.com"]

}

[root@k8s-master ~]# systemctl daemon-reload

[root@k8s-master ~]# systemctl restart docker

wget https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

docker search kubernetes-dashboard-amd64:v1.10.1

[root@k8s-master ~]# docker search kubernetes-dashboard-amd64:v1.10.1

NAME DESCRIPTION STARS OFFICIAL AUTOMATED

mirrorgooglecontainers/kubernetes-dashboard-amd64 14

[root@k8s-master ~]# docker pull mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

v1.10.1: Pulling from mirrorgooglecontainers/kubernetes-dashboard-amd64

63926ce158a6: Pull complete

Digest: sha256:d6b4e5d77c1cdcb54cd5697a9fe164bc08581a7020d6463986fe1366d36060e8

Status: Downloaded newer image for mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

[root@k8s-master ~]#

The default image cannot be reached from inside China; change the image address to: mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1

By default the Dashboard is reachable only from inside the cluster; change the Service to type NodePort to expose it externally:

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30001
  selector:
    k8s-app: kubernetes-dashboard

kubectl apply -f kubernetes-dashboard.yaml

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml

docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.0 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1

Delete a node:

kubectl delete node swarm1

[root@k8s-master ~]# kubectl get pod --namespace=kube-system

NAME READY STATUS RESTARTS AGE

kubernetes-dashboard-57df4db6b-25ng8 0/1 ContainerCreating 0 9s

[root@k8s-master ~]#

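# These two problems are almost always caused by the image failing to download or by a node problem; the image must be present on the node where Docker creates the container.

[root@k8s-master ~]# kubectl get pod --namespace=kube-system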

NAME READY STATUS RESTARTS AGE

kubernetes-dashboard-57df4db6b-25ng8 0/1 ImagePullBackOff 0 134m

kubernetes-dashboard-847f8cb7b8-zp89j 0/1 CrashLoopBackOff 1 12s

[root@k8s-master ~]#

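Solution:

# By default the image is pulled from the image address in the configuration file; if the policy is set to IfNotPresent or Never, the local image is used.

IfNotPresent: if the image exists locally, the local image is used first.

Never: the image is never pulled and the local one is used; if it does not exist locally, an error is raised.

Where the parameter applies:

spec:
  containers:
    - name: nginx
      image: reg.docker.lc/share/nginx:latest
      imagePullPolicy: IfNotPresent   # or Never

The node turned out to have a problem; after shutting that node down the pod started successfully, but the Dashboard was still unreachable until https was used.

[root@k8s-master ~]# kubectl get pod --namespace=kube-system |grep dash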

kubernetes-dashboard-76479d66bb-smj7l 1/1 Running 0 5m45s

[root@k8s-master ~]#

Note that access must use https:

https://192.168.10.68:30001/#!/login

Create a service account and bind it to the default cluster-admin cluster role:

Commands:

kubectl create serviceaccount dashboard-admin -n kube-system

kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

Session:

[root@k8s-master ~]# kubectl create serviceaccount dashboard-admin -n kube-system

serviceaccount/dashboard-admin created

[root@k8s-master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin

clusterrolebinding.rbac.authorization.k8s.io/dashboard-admin created

[root@k8s-master ~]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')

Name: dashboard-admin-token-tcw9s

Namespace: kube-system

Labels: <none>

Annotations: kubernetes.io/service-account.name: dashboard-admin

kubernetes.io/service-account.uid: 27149d2e-3d1a-11e9-8c59-005056963bc8

Type: kubernetes.io/service-account-token

Data

====

ca.crt: 1025 bytes

namespace: 11 bytes

token: <service account token (JWT) omitted>

[root@k8s-master ~]#
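The token printed above belongs to a service account bound to cluster-admin, and the Dashboard that accepts it is exposed on a NodePort. The following review check is an added example, not part of the original article: it lists service accounts that hold cluster-admin and Services published as NodePort, reading the JSON printed by `kubectl get clusterrolebindings -o json` and `kubectl get svc --all-namespaces -o json`. The function names are hypothetical and the sample data is constructed to mirror the objects created in this guide.

```python
import json

def admin_service_accounts(crb_list, role="cluster-admin"):
    """Return (binding name, 'namespace:account') for ServiceAccounts bound to role."""
    findings = []
    for item in crb_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in item.get("subjects") or []:      # subjects may be absent or null
            if subj.get("kind") == "ServiceAccount":
                account = f'{subj.get("namespace", "")}:{subj["name"]}'
                findings.append((item["metadata"]["name"], account))
    return sorted(findings)

def nodeport_services(svc_list):
    """Return ('namespace/name', [nodePorts]) for every Service of type NodePort."""
    out = []
    for svc in svc_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") == "NodePort":
            ports = [p["nodePort"] for p in spec.get("ports", []) if "nodePort" in p]
            meta = svc["metadata"]
            out.append((f'{meta["namespace"]}/{meta["name"]}', ports))
    return sorted(out)

# --- constructed sample input, shaped like kubectl's -o json output ---
SAMPLE_BINDINGS = json.loads("""{"items": [
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "dashboard-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "dashboard-admin",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "flannel"},
  "roleRef": {"kind": "ClusterRole", "name": "flannel"},
  "subjects": [{"kind": "ServiceAccount", "name": "flannel",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": null}
]}""")
SAMPLE_SERVICES = json.loads("""{"items": [
 {"metadata": {"name": "kubernetes-dashboard", "namespace": "kube-system"},
  "spec": {"type": "NodePort",
           "ports": [{"port": 443, "targetPort": 8443, "nodePort": 30001}]}},
 {"metadata": {"name": "kubernetes", "namespace": "default"},
  "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}}
]}""")
```

A service account that appears in the first list together with a login surface that appears in the second means the token alone gives full control of the cluster from any host that can reach the node port.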

If you forget the token, retrieve it as follows:

[root@k8s-master ~]# kubectl -n kube-system get secret | grep dashboard-admin

dashboard-admin-token-tcw9s kubernetes.io/service-account-token 3 33h

[root@k8s-master ~]#

[root@k8s-master ~]# kubectl describe -n kube-system secret/dashboard-admin-token-tcw9s

Data

====

ca.crt: 1025 bytes

namespace: 11 bytes

token: # the token value appears here (omitted)

[root@k8s-master ~]#

---- Inspection commands

kubectl get all

kubectl get svc # services

kubectl get ns # namespaces

kubectl get pod -o wide # see which node each pod runs on

-------- Inspection and troubleshooting

Adding a node to the cluster after the token generated by kubeadm has expired

Solution:

Generate a new token:

[root@walker-1 kubernetes]# kubeadm token create

[kubeadm] WARNING: starting in 1.8, tokens expire after 24 hours by default (if you require a non-expiring token use --ttl 0)

aa78f6.8b4cafc8ed26c34f

[root@walker-1 kubernetes]# kubeadm token list

TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS

aa78f6.8b4cafc8ed26c34f 23h 2017-12-26T16:36:29+08:00 authentication,signing <none> system:bootstrappers:kubeadm:default-node-token

Get the SHA-256 hash of the CA certificate's public key:

[root@walker-1 kubernetes]# openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'

0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538

Join the node to the cluster:

[root@walker-4 kubernetes]# kubeadm join --token aa78f6.8b4cafc8ed26c34f --discovery-token-ca-cert-hash sha256:0fd95a9bc67a7bf0ef42da968a0d55d92e52898ec37c971bd77ee501d845b538 172.16.6.79:6443 --skip-preflight-checks

Inspect a pod in a namespace:

[root@k8s-master ~]# kubectl describe pod --namespace=kube-system kubernetes-dashboard-76479d66bb-pxgtf

Events:

Type Reason Age From Message

---- ------ ---- ---- -------

Normal Scheduled 31s default-scheduler Successfully assigned kube-system/kubernetes-dashboard-76479d66bb-gbsn9 to k8s-node1

Normal Pulled 6s (x3 over 30s) kubelet, k8s-node1 Container image "mirrorgooglecontainers/kubernetes-dashboard-amd64:v1.10.1" already present on machine

Normal Created 6s (x3 over 30s) kubelet, k8s-node1 Created container

Normal Started 6s (x3 over 30s) kubelet, k8s-node1 Started container

Warning BackOff 0s (x5 over 26s) kubelet, k8s-node1 Back-off restarting failed container

kubernetes: detailed installation steps for dashboard v1.8.3

http://www.525.life/article?id=1510739742372

kubernetes: complete illustrated guide to installing kubernetes 1.11.2 on CentOS 7

http://www.525.life/article?id=1510739742331

http://dockone.io/article/2247

----------- Pulling blocked Docker images

Replace k8s.gcr.io with registry.cn-hangzhou.aliyuncs.com/google_containers/

[root@k8s-master heapster]# grep gcr.io *

grafana.yaml: image: k8s.gcr.io/heapster-grafana-amd64:v5.0.4

heapster.yaml: image: k8s.gcr.io/heapster-amd64:v1.5.4

influxdb.yaml: image: k8s.gcr.io/heapster-influxdb-amd64:v1.5.2

[root@k8s-master heapster]# docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/heapster-grafana-amd64:v5.0.4

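Article source: CCIE那点事 http://www.jdccie.com/ All rights reserved. Unless a source is noted, articles on this site are the author's original work and may be quoted freely with attribution. Reposting the full text is prohibited.
Permalink: http://www.jdccie.com/?p=4067 (when reposting, credit CCIE那点事)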