CentOS7 k3s安装与配置

0 官方文档

https://docs.k3s.io/zh/quick-start

1 安装

curl -sfL https://get.k3s.io | sh -
# 或
curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -
1
2
3

INSTALL_K3S_VERSION：安装指定版本

curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_VERSION=v1.26.9+k3s1 sh -
1

2 命令行支持tab自动补全

echo 'source <(kubectl completion bash)' >> ~/.bashrc
1

断开连接，再次连接，即可生效

如果报错：-bash: _get_comp_words_by_ref: command not found

安装bash-completion：

yum -y install bash-completion

source /usr/share/bash-completion/bash_completion
1
2
3

3 验证

部署一个 nginx 进行测试

#部署nginx
kubectl create deployment nginx --image=nginx:1.18-alpine

#暴露端口
kubectl expose deployment nginx --port=80 --type=NodePort

kubectl get pod,svc
1
2
3
4
5
6
7

防火墙放行对应端口即可

systemctl status firewalld

firewall-cmd --list-ports

firewall-cmd --zone=public --add-port={NodePort}/tcp --permanent

firewall-cmd --reload
1
2
3
4
5
6
7

4 获取真实IP

参考：https://blog.csdn.net/easylife206/article/details/111243763

4.1 NortPort 方式

service发布为NortPort，同时修改externalTrafficPolicy为Local

kubectl patch svc myservice  -p '{"spec":{"externalTrafficPolicy":"Local"}}'
1

4.2 Ingress 方式

在k3s中，设置traefik的externalTrafficPolicy为Local，此时service就可以不做处理了，也可以不用发布为NortPort（域名访问时）

kubectl -n kube-system patch svc traefik  -p '{"spec":{"externalTrafficPolicy":"Local"}}'
1

5 cert-manager 颁发ssl证书

参考：https://blog.csdn.net/j610152753/article/details/127581375

5.1 准备

• k8s（k3s）集群环境
• 有效的域名(如果是国内云服务器还需要备案)
• 一个可登录的邮箱

5.2 部署cert-manager

直接使用kubectl安装

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml
1

运行如下命令可看到创建了3个pod，并STATUS为：Running

kubectl get pods --namespace cert-manager
1

5.3 配置ClusterIssuer

创建clusterIssuer.yml并部署

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: 【此处修改为邮箱】
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
      - http01:
          ingress:
            class: traefik
1
2
3
4
5
6
7
8
9
10
11
12
13
14

kubectl apply -f clusterIssuer.yml
1

5.4 测试

Deployment、Service正常创建即可，Ingress新增两处配置：metadata.annotations、spec.tls，例如：

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
  labels:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: hexo-blog
  name: hexo-blog
  namespace: default
  resourceVersion: '232211'
spec:
  ingressClassName: traefik
  rules:
    - host: blog.extra.kangaroohy.com
      http:
        paths:
          - backend:
              service:
                name: hexo-blog
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - blog.extra.kangaroohy.com
      secretName: hexo-blog-tls
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

6 自动跳转 https

6.1 创建Middleware

中间件的介绍和使用：https://blog.csdn.net/j610152753/article/details/127251204

vi redirect-https.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
1
2
3
4
5
6
7
8

6.2 配置Ingress

添加注解traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd

default是Middleware所在的命名空间

redirect-https为Middleware的name