- 初步搭建一个一个主节点和两个从节点Kubernetes 1.28.2 集群。先准备好机器
| host | hostname | os | role | hardware |
|---|---|---|---|---|
| 192.168.31.200 | master01 | centos7.9 | control-plane | cpu:2c 内存: 3G 硬盘1:50G |
| 192.168.31.201 | node01 | centos7.9 | worker | cpu:2c 内存: 3G 硬盘1:50G 硬盘2:50G |
| 192.168.31.202 | node02 | centos7.9 | worker | cpu:2c 内存: 3G 硬盘1:50G 硬盘2:50G |
- 预留了201、103节点,后续扩容集群做control-plane节点高可用。
- 所有work节点各分配一块50硬盘,后续做ceph存储用。
1. 基础环境准备
- 所有节点全部执行环境初始化,(后面如果要给集群新增节点也要做这个操作)
- 所有节点按照表格修改主机名
1、所有节点全部关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
systemctl is-enabled firewalld
2、配置ntp server同步时间
ntpdate ntp1.aliyun.com
vi /etc/crontab
1 * * * * root /usr/sbin/ntpdate ntp1.aliyun.com && /sbin/hwclock -w
3、永久关闭selinux
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
setenforce 0
4、关闭swap分区
sed -i '/swap/s/^/#/g' /etc/fstab
swapoff -a
5、配置hosts
[root@master01 ~]# cat >>/etc/hosts <
192.168.31.200 master01
192.168.31.201 node01
192.168.31.202 node02
EOF
6、内核升级
简介: centos7 yum工具在线升级内核
1、查看当前内核版本
[root@master01 ~]# uname -a
Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
2、导入ELPepo仓库公共密钥
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
3、安装ELPepo的仓库yum源
rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
4、选择lt版本安装
- lt长期维护版
- ml最新稳定版
yum -y --enablerepo=elrepo-kernel install kernel-lt
5、设置内核默认启动
sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
grub2-set-default 0
6、重启
reboot
7、查看内核版本
[root@master01 ~]# uname -a
Linux localhost.localdomain 4.4.244-1.el7.elrepo.x86_64 #1 SMP Tue Nov 17 18:57:10 EST 2020 x86_64 x86_64 x86_64 GNU/Linux
2. 配置Kubernetes运行环境
- 下面的操作所有节点全部执行,后面如果要给集群新增节点也要做这个操作
1、配置内核参数
cat > /etc/sysctl.d/Kubernetes.conf <<EOF
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
EOF
# 使配置生效
sysctl --system
这些配置参数的含义是:
net.bridge.bridge-nf-call-ip6tables = 1:当通过桥接网络接收到IPv6数据包时,将调用ip6tables的规则进行处理。net.bridge.bridge-nf-call-iptables = 1:当通过桥接网络接收到IPv4数据包时,将调用iptables的规则进行处理。net.ipv4.ip_forward = 1:允许IPv4的数据包转发,即使数据包的目标不是本机。vm.swappiness = 0: vm.swappiness是操作系统控制物理内存交换出去的策略。它允许的值是一个百分比的值,最小为0,最大运行100,该值默认为60。vm.swappiness设置为0表示尽量少swap,100表示尽量将inactive的内存页交换出去。
Kubernetes通过iptables实现服务发现和网络流量路由,pod通信。这一步很重要。没有设置的话会导致集群网络通信故障,如pod无法通信。核模块
yum -y install conntrack ipvsadm ipset jq iptables curl sysstat libseccomp wget vim net-tools git
# 相关内核模块
cat > /etc/modules-load.d/ipvs.conf <<EOF
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
nf_conntrack
EOF
# 启动服务
systemctl enable --now systemd-modules-load
ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh是IPVS相关的内核模块。它们提供了不同的负载均衡算法(round-robin,加权轮询,最短任务优先)。nf_conntrack和nf_conntrack_ipv4是用于网络连接跟踪的内核模块,这在防火墙和NAT中非常重要。- linux kernel 4.19版本已经将nf_conntrack_ipv4 更新为 nf_conntrack
3、重启系统
[root@master01 ~]# reboot
# 检查是否加载成功
lsmod |egrep "ip_vs|nf_conntrack_ipv4"
nf_conntrack_ipv4 15053 26
nf_defrag_ipv4 12729 1 nf_conntrack_ipv4
ip_vs_sh 12688 0
ip_vs_wrr 12697 0
ip_vs_rr 12600 0
ip_vs 145458 6 ip_vs_rr,ip_vs_sh,ip_vs_wrr
nf_conntrack 139264 10 ip_vs,nf_nat,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_nat_masquerade_ipv6,nf_conntrack_netlink,nf_conntrack_ipv4,nf_conntrack_ipv6
libcrc32c 12644 4 xfs,ip_vs,nf_nat,nf_conntrack
4、安装 containerd
-
顺便介绍一下历史背景。早期docker势大,但docker没有实现CRI,Kubernetes只能用dockershim做适配器来兼容docker,使其可以接入cri,这个dockershim在Kubernetes1.24版本就被放弃维护了。containerd是从docker中分离出来的开源项目,强调简单性、健壮性和可移植性。它负责以下工作
-
管理容器的生命周期(从创建容器到销毁容器)
-
拉取/推送容器镜像
-
存储管理(管理镜像及容器数据的存储)
-
调用 runc 运行容器(与 runc 等容器运行时交互,runc是oci 开放容器标准的一个实现。oci就是创建容器需要做一些 namespaces 和 cgroups 的配置,以及挂载 root 文件系统等操作的规范)
-
管理容器网络接口及网络
yum -y install yum-utils device-mapper-persistent-data lvm2
# 添加阿里源
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# 配置 containerd
cat >>/etc/modules-load.d/containerd.conf <<EOF
overlay
br_netfilter
EOF
# 立刻加载 overlay模块
modprobe overlay
# 立刻加载 br_netfilter模块
modprobe br_netfilter
# 安装containerd
yum install containerd.io -y
overlay是一个文件系统类型,它支持在不改变底层文件的情况下,将改动保存在另一个分离的文件层。它常用于 Docker 和其他容器运行时中,用来创建容器的文件系统。(写时复制)br_netfilter是一个网络相关的内核模块,它允许 iptables 和其他网络工具对桥接流量进行过滤。这在 Kubernetes 网络设置中很重要,特别是在使用 overlay 网络(如 flannel、Calico 等)时。
5、配置containerd
mkdir -p /etc/containerd
containerd config default > /etc/containerd/config.toml
# 使用systemd管理cgroups
sed -i '/SystemdCgroup/s/false/true/g' /etc/containerd/config.toml
# 配置sadnbox image从阿里云拉取
sed -i '/sandbox_image/s/registry.k8s.io/registry.aliyuncs.com\/google_containers/g' /etc/containerd/config.toml
sed -i 's#sandbox_image = "registry.k8s.io/pause:3.6"#sandbox_image = "registry.aliyuncs.com/google_containers/pause:3.9"#' /etc/containerd/config.toml
# 启动containerd
systemctl enable containerd
systemctl start containerd
3、安装kubeamd、kubelet、kubectl
- 下面的操作所有节点全部执行,后面如果要给集群新增节点也要做这个操作
1、添加阿里源
cat >/etc/yum.repos.d/kubernetes.repo <<EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
2、安装并启动
# 查看可用版本
yum list kubelet --showduplicates |grep 1.28
# 开始安装 这篇文档写下时,最新版本为1.28.2 我直接安装的最新版
yum -y install kubectl-1.28.2 kubelet-1.28.2 kubeadm-1.28.2
# 启动
systemctl enable kubelet
systemctl start kubelet
4、部署control-plane节点
- 以下操作只在control-plane节点执行
1、使用kubeadm初始化
# 查看所需镜像
[root@master01 ~]# kubeadm config images list --kubernetes-version=v1.28.2
registry.k8s.io/kube-apiserver:v1.28.2
registry.k8s.io/kube-controller-manager:v1.28.2
registry.k8s.io/kube-scheduler:v1.28.2
registry.k8s.io/kube-proxy:v1.28.2
registry.k8s.io/pause:3.9
registry.k8s.io/etcd:3.5.7-0
registry.k8s.io/coredns/coredns:v1.10.1
# 初始化
[root@master01 ~]# kubeadm init --kubernetes-version=1.28.2 \
--apiserver-advertise-address=192.168.31.200 \
--image-repository registry.aliyuncs.com/google_containers \
--pod-network-cidr=172.16.0.0/16
apiserver-advertise-address写control-plane的ippod-network-cidr写个不冲突的网段image-repository指定从阿里云拉取镜像
命令执行完成后会返回一长段内容,主要看最后部分
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
Alternatively, if you are the root user, you can run:
export KUBECONFIG=/etc/kubernetes/admin.conf
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join 192.168.96.101:6443 --token l906wz.0fydt3hcfbogwlo9 \
--discovery-token-ca-cert-hash sha256:2604d3aab372a483b26bcbdafdb54d7746226975c3a317db07d94eccdfca51be
- 按提示操作配置认证
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
export KUBECONFIG=/etc/kubernetes/admin.conf
- 检查
[root@master01 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
control-plane01 NotReady control-plane 50s v1.28.2
[root@master01 ~]# kubectl get pods -A
[root@master01 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-7bdc4cb885-fs2tz 1/1 Pending 0 13d
coredns-7bdc4cb885-wk7c9 1/1 Pending 0 13d
etcd-control-plane01 1/1 Running 0 13d
kube-apiserver-control-plane01 1/1 Running 0 13d
kube-controller-manager-control-plane01 1/1 Running 0 13d
kube-proxy-mfzmq 1/1 Running 3 (25h ago) 13d
kube-scheduler-control-plane01 1/1 Running 0 13d
- 加入集群token过期或者遗忘,获取加入集群命令
kubeadm token create --print-join-command
2、部署calico
1、安装calico网络插件
wget https://docs.projectcalico.org/manifests/calico.yaml
改为10.244.0.0/16
2、指定网卡
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
value: "k8s,bgp"
# 下面添加
- name: IP_AUTODETECTION_METHOD
value: "interface=eth0"
# eth0为本地网卡名字
- calico 自动探查互联网卡,如果有多快网卡,则可以配置用于互联的网络接口命名正则表达式,如上面的 eth0 (根据自己服务器的网络接口名修改);不指定网卡
- 创建pod时会有如下报错
Failed to create pod sandbox: rpc error: code = Unknown desc = [failed to set up sandbox container "5d6557ac061d164d494042e7e9b6cc38c95688a358275a78f5bbb7dd3883c063" network for pod "ingress-nginx-admission-create-b9q9w": networkPlugin cni failed to set up pod "ingress-nginx-admission-create-b9q9w_ingress-nginx" network: error getting ClusterInformation: connection is unauthorized: Unauthorized, failed to clean up sandbox container "5d6557ac061d164d494042e7e9b6cc38c95688a358275a78f5bbb7dd3883c063" network for pod "ingress-nginx-admission-create-b9q9w": networkPlugin cni failed to teardown pod "ingress-nginx-admission-create-b9q9w_ingress-nginx" network: error getting ClusterInformation: connection is unauthorized: Unauthorized]
3、部署
kubectl apply -f calico.yaml
# 检查
[root@master01 ~]# kubectl get pods -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-6849cf9bcf-gv6xx 1/1 Running 0 13d
calico-node-2d7xx 1/1 Running 0 13d
coredns-7bdc4cb885-fs2tz 1/1 Running 0 13d
coredns-7bdc4cb885-wk7c9 1/1 Running 0 13d
etcd-control-plane01 1/1 Running 0 13d
kube-apiserver-control-plane01 1/1 Running 0 13d
kube-controller-manager-control-plane01 1/1 Running 0 13d
kube-proxy-mfzmq 1/1 Running 3 (25h ago) 13d
kube-scheduler-control-plane01 1/1 Running 0 13d
5、worker节点加入集群
# 所有worker节点都执行
kubeadm join 192.168.31.200:6443 --token l906wz.0fydt3hcfbogwlo9 \
--discovery-token-ca-cert-hash sha256:2604d3aab372a483b26bcbdafdb54d7746226975c3a317db07d94eccdfca51be
# 查看状态
[root@master01 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
control-plane01 Ready control-plane 13d v1.28.2
node01 Ready 13d v1.28.2
node02 Ready 13d v1.28.2
node03 Ready 13d v1.28.2
6、Kubernetes dashboard 安装
1、安装命令补全
yum -y install bash-completion
echo "source <(kubectl completion bash)" >> /etc/profile
source /etc/profile
2、kubernetes-dashboard安装(可选,kubesphere更好用)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v3.0.0-alpha0/charts/kubernetes-dashboard.yaml
- 修改如下内容
kind: Service
apiVersion: v1
metadata:
labels:
Kubernetes-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
type: NodePort # 增加内容
ports:
- port: 443
targetPort: 8443
nodePort: 30000 # 增加内容(端口范围30000-32767)
selector:
Kubernetes-app: kubernetes-dashboard
# 安装
kubectl apply -f recommended.yaml
# 查看进度
[root@master01 ~]# kubectl get all -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
pod/dashboard-metrics-scraper-5cb4f4bb9c-h549p 1/1 Running 3 (26h ago) 13d
pod/kubernetes-dashboard-6967859bff-cm4tl 1/1 Running 4 (26h ago) 13d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/dashboard-metrics-scraper ClusterIP 10.108.31.72 - 创建admin用户
[root@master01 ~]# vim admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: admin
namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: admin
namespace: kubernetes-dashboard
---
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-dashboard-admin
namespace: kubernetes-dashboard
annotations:
kubernetes.io/service-account.name: "admin"
type: kubernetes.io/service-account-token
# 创建admin用户token
kubectl -n kubernetes-dashboard create token admin
# 获取token
Token=$(kubectl -n kubernetes-dashboard get secret |awk '/kubernetes-dashboard-admin/ {print $1}')
kubectl describe secrets -n kubernetes-dashboard ${Token} |grep token |awk 'NR==NF {print $2}'
- 然后就可以使用token登陆了,地址是 集群任意节点IP:30000
7、Kubernetes metrics-server 插件部署
1、metrics-server 介绍
- heapster已经被metrics-server取代,如果使用kubernetes的自动扩容功能的话,那首先得有一个插件,然后该插件将收集到的信息(cpu、memory..)与自动扩容的设置的值进行比对,自动调整pod数量。关于该插件,在kubernetes的早些版本中采用的是heapster,1.13版本正式发布后,丢弃了heapster,官方推荐采用metrics-sever。
- metrics server为Kubernetes自动伸缩提供一个容器资源度量源。metrics-server 从 kubelet 中获取资源指标,并通过 Metrics API 在 Kubernetes API 服务器中公开它们,以供 HPA 和 VPA 使用。
2、安装步骤
1、获取yaml文件。
wget https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml -O metrics-server.yaml
- 编辑yaml文件。之前部署集群用的自签名证书,metrics-server直接请求kubelet接口会证书校验失败,因此deployment中增加- --kubelet-insecure-tls参数。另外镜像原先在registry.k8s.io,国内下载不方便,下面的配置中修改成了国内镜像仓库地址。内网环境中可以先下载,然后再推到内网镜像仓库,镜像也改成内网镜像地址。
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
k8s-app: metrics-server
name: metrics-server
namespace: kube-system
spec:
# ...
template:
spec:
containers:
- args:
- --cert-dir=/tmp
- --secure-port=4443
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
- --kubelet-insecure-tls # 需要新加的一行
image: registry.cn-hangzhou.aliyuncs.com/rainux/metrics-server:v0.6.4
2、安装发布
kubectl apply -f metrics-server.yaml
# 查看是否在运行
kubectl get pods -n kube-system | grep metrics
# 获取集群的指标数据
kubectl get --raw /apis/metrics.k8s.io/v1beta1 | python3 -m json.tool
根据输出可见,集群提供nodes和pods的资源指标。
{
"kind": "APIResourceList",
"apiVersion": "v1",
"groupVersion": "metrics.k8s.io/v1beta1",
"resources": [
{
"name": "nodes",
"singularName": "",
"namespaced": false,
"kind": "NodeMetrics",
"verbs": [
"get",
"list"
]
},
{
"name": "pods",
"singularName": "",
"namespaced": true,
"kind": "PodMetrics",
"verbs": [
"get",
"list"
]
}
]
}
3、测试验证
#1-2分钟后查看结果
[root@master01 ~]# kubectl top nodes
NAME CPU(cores) CPU% MEMORY(bytes) MEMORY%
k8s-master 256m 12% 2002Mi 52%
k8s-node1 103m 5% 1334Mi 34%
k8s-node2 144m 7% 1321Mi 34%
4、top命令
- kubectl top命令用来查看node节点和pod的资源使用情况。
# 查看 top 命令的帮助
kubectl top --help
# 查看node节点的资源使用情况
kubectl top node
# 查看pod的资源使用情况
kubectl top pod
# 查看所有命名空间的pod资源使用情况
kubectl top pod -A
- 再回到dashboard界面可以看到CPU和内存使用情况了:
源码
5、导出认证添加配置
[root@k8s-master01 dashboard]# vim /root/.kube/config # 增加 token 内容
- name: admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQxekNDQXIrZ0F3SUJBZ0lVTFFhcXpaaitVc0tRU1BiWVlMRmxDWnhDZVBNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1lURUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0VoaGJtZGFhRzkxTVFzd0NRWURWUVFIRXdKWQpVekVNTUFvR0ExVUVDaE1EYXpoek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweEV6QVJCZ05WQkFNVENtdDFZbVZ5CmJtVjBaWE13SUJjTk1qQXdOREU1TURVeE1UQXdXaGdQTWpBM01EQTBNRGN3TlRFeE1EQmFNR2N4Q3pBSkJnTlYKQkFZVEFrTk9NUkV3RHdZRFZRUUlFd2hJWVc1bldtaHZkVEVMTUFrR0ExVUVCeE1DV0ZNeEZ6QVZCZ05WQkFvVApEbk41YzNSbGJUcHRZWE4wWlhKek1ROHdEUVlEVlFRTEV3WlRlWE4wWlcweERqQU1CZ05WQkFNVEJXRmtiV2x1Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBeG1MWWxNQXFEeGVreXljWWlvQXUKU2p5VzhiUCtxTzF5bUhDWHVxSjQ3UW9Vd0lSVEFZdVAyTklQeFBza04xL3ZUeDBlTjFteURTRjdYd3dvTjR5cApacFpvRjNaVnV1NFNGcTNyTUFXT1d4VU93REZNZFZaSkJBSGFjZkdMemdOS01FZzRDVDhkUmZBUGxrYVdxNkROCmJKV3JYYW41WGRDUnE2NlpTdU9lNXZXTWhENzNhZ3UzWnBVZWtHQmpqTEdjNElTL2c2VzVvci9LeDdBa0JuVW0KSlE3M2IyWUl3QnI5S1ZxTUFUNnkyRlhsRFBpaWN1S0RFK2tGNm9leG04QTljZ1pKaDloOFZpS0trdnV3bVh5cwpNREtIUzJEektFaTNHeDVPUzdZR1ZoNFJGTGp0VXJuc1h4TVBtYWttRFV1NkZGSkJsWlpkUTRGN2pmSU9idldmCjlRSURBUUFCbzM4d2ZUQU9CZ05WSFE4QkFmOEVCQU1DQmFBd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUF3R0ExVWRFd0VCL3dRQ01BQXdIUVlEVlIwT0JCWUVGS1pCcWpKRldWejZoV1l1ZkZGdApHaGJnQ05MU01COEdBMVVkSXdRWU1CYUFGQWJLKzBqanh6YUp3R1lGYWtpWVJjZzZENkpmTUEwR0NTcUdTSWIzCkRRRUJDd1VBQTRJQkFRQ05Ra3pueDBlSDU3R2NKZTF5WUJqNkY4YmVzM2VQNGRWcUtqQVZzSkh6S3dRWnpnUjIKcnVpMmdZYTZjdWNMNGRWVllHb05mRzRvdWI0ekJDTUIzZkRyN2FPRFhpcGcrdWx3OFpRZGRaN3RIYnZRTlIyMApTTHhnWnlFYU9MSFdmRVNYNFVJZk1mL3pDaGZ0Yzdhb1NpcUNhMGo2NmY2S3VVUnl6SSsxMThqYnpqK1gwb1d1ClVmdVV3dk5xWHR5ZjlyUTVWQW40bjhiU25nZDBGOXgzNFlyeUNMQ0REOWdBaWR3SDlVM3I3eVVGQ1Rkbm9leEgKSTgyYjRLdHZzT2NGMk5Dd21WZDFBWDNJSEFmMENRMEZSQ21YWjF3aFNxd1lFeVAxTStMMEcxN29CTmU5cmttMwo4U0NyWjczaWtiN0k1NXlVOWRrMjdXbVByb1hXMjAvcXhHeDYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBeG1MWWxNQXFEeGVreXljWWlvQXVTanlXOGJQK3FPMXltSENYdXFKNDdRb1V3SVJUCkFZdVAyTklQeFBza04xL3ZUeDBlTjFteURTRjdYd3dvTjR5cFpwWm9GM1pWdXU0U0ZxM3JNQVdPV3hVT3dERk0KZFZaSkJBSGFjZkdMemdOS01FZzRDVDhkUmZBUGxrYVdxNkROYkpXclhhbjVYZENScTY2WlN1T2U1dldNaEQ3MwphZ3UzWnBVZWtHQmpqTEdjNElTL2c2VzVvci9LeDdBa0JuVW1KUTczYjJZSXdCcjlLVnFNQVQ2eTJGWGxEUGlpCmN1S0RFK2tGNm9leG04QTljZ1pKaDloOFZpS0trdnV3bVh5c01ES0hTMkR6S0VpM0d4NU9TN1lHVmg0UkZManQKVXJuc1h4TVBtYWttRFV1NkZGSkJsWlpkUTRGN2pmSU9idldmOVFJREFRQUJBb0lCQVFDdkRPRld3QWxjcjl3MQpkaFh0Z0JWWVpBWTgyRHBKRE53bExwUnpscEZsZDVQQUhBS3lSbGR6VmtlYjVJNmNYZ1pucEtYWTZVaDIxYWhxCndldHF1Szl4V2g0WE5jK0gxaklYMlBiQnRPVmI4VVRHeWJsUmdBV0ZoNjBkQmFuNjZtUTRIa0Z6eDBFcFNSNDMKMTZselg3eGpwOTFDRkkxNC9tVExQSkQreDhLYXYxcDVPU1BYQkxhdzR6V1JycmFVSnFrVUtZcmRJUVlkNC9XQQpLNVp3WGpRdklpZzlGclArb2Fnb1kyelFzODFXMmlVd1pXanhkQnV0dXZiQW5mVEc0ZkQvUjc3MnNzUU44dkFvCldDUGpTcTlLckJZQzJYaWd5L2JkSHFFT3lpSmxUQVpaazZLQXlBN0ExbCs5WDFSOWxyUTFPTkpOS1k5WWRybTIKajFudW1WSXhBb0dCQU5sS3B4MW9tQVBQK0RaOGNMdjkwZDlIWm1tTDJZYkppUUtNdEwrUTJLKzdxZHNwemtOaQorb1J2R0NOR0R1U3JZbDZwWjFDMk0xajkxNXJwbWFrZmJmV2NDRWtKenlVRjhSMzUyb2haMUdYeWQzcmkxMWxqCndpcnlmcHl2QnF1SWlKYWR4Rk1UdGRoTmFuRTNFeURrSVJ0UW03YXcyZHppUnNobHkxVXFGMEYvQW9HQkFPbTYKQjFvbnplb2pmS0hjNnNpa0hpTVdDTnhXK2htc1I4akMxSjVtTDFob3NhbmRwMGN3ekJVR05hTDBHTFNjbFRJbwo4WmNNeWdXZU1XbmowTFA3R0syVUwranlyK01xVnFkMk1PRndLanpDOHNXQzhTUEovcC96ZWZkL2ZSUE1PamJyCm8rMExvblUrcXFjTGw1K1JXQ2dJNlA1dFo2VGR5eTlWekFYVUV2Q0xBb0dBQjJndURpaVVsZnl1MzF5YWt5M3gKeTRTcGp3dC9YTUxkOHNKTkh3S1hBRmFMVWJjNUdyN3kvelN5US9HTmJHb1RMbHJqOUxKaFNiVk5kakJrVm9tRgp2QXVYbExYSzQ5NHgrKzJhYjI5d2VCRXQxWGlLRXJmOTFHenp0KytYY0oxMDJuMkNSYnEwUmkxTlpaS1ZDbGY4CmNPdnNndXZBWVhFdExJT2J6TWxraFkwQ2dZRUEyUnFmOGJLL3B4bkhqMkx5QStYT3lMQ1RFbmtJWUFpVHRYeWsKbTI0MzFGdUxqRW9FTkRDem9XUGZOcnFlcUVZNm9CbEFNQnNGSFNyUW81ZW1LVWk0cDZQYXpQdUJQZlg2QUJ2ZApVOHNvc01BMVdocERmQWNKcWZJei9SNURSTHlUNXFnRDRSREptemJXdGN3aXoybm5CV2toWkJTa0RaU29SQlBpCkxCZk9iL2tDZ1lFQXk1ZS9MaXgzSzVvdHhGRC8xVVV0cGc2dEJqMksxVkg5bDJJWFBidmFKMjZQYnZWYkEwQTUKM0Z5UmZnSTlZTTc3T3QxbTY0ZlRTV21YdTJKU0JpM3FFQ2xic3FRT2taZXZ1V2VsSVY5WnhWblc5NVMzMHVuUwp0ZEk3ZDVTUm1OSUpWK0l1Mk9IRGxkYXN4TzJmcVFoTnVxSFRiVStvNW42ZCtUUlpXVTdpN0drPQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
token: JSUzI1NiIsImtpZCI6Ikg5dThGMmc0c1ZBOTVkajVjMGRlb2poZjJMaExDSFp1T1NJWTdobkYtWmsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLTRsYzkyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjc2MGRkZi1kN2FhLTRlZjctYWZkOS05YzA0ZThlMWE5NTQiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06YWRtaW4tdXNlciJ9.XCA6-Wo7q8tJY8td1PRGkruvuNOmtHenjzyToRq5fJjGmWjdLspMDRvDul7YjMeY5eNuhcMG1cJgnyTZZW4gypIiVK1cAtvNR-U4oS0Vv8PqknZdc5-U1ftjIUeayH33tPCAgj-rui31CTwg26s0Z0B312XHF6tLOZZYxkavd1zYVt7DJaJcJpVsC1yaagoLBTjrfpV42N2s49QxnXMaQwYJGy2vowbLcxekdOV2h-7Hv63DxqBRoFYNx_DawN2m3JFfIyQMP7lwENXvNK76wnY2boO8asbIS92V4poLnc9v0r4gtV80dFp3558_XYBWhnZq-_klFHsfxJ0Opt_iEA
# 导出
cp /root/.kube/config /data/dashboard/k8s-dashboard.kubeconfig
sz k8s-dashboard.kubeconfig
6、用文件认证登录
8、Kubernetes KuBoard 可视化部署(可选)
1、KuBoard 简介
Kuboard是一款免费的 Kubernetes 管理工具,提供了丰富的功能,结合已有或新建的代码仓库、镜像仓库、CI/CD工具等,可以便捷的搭建一个生产可用的 Kubernetes 容器云平台,轻松管理和运行云原生应用。您也可以直接将 Kuboard 安装到现有的 Kubernetes 集群,通过 Kuboard 提供的 Kubernetes RBAC 管理界面,将 Kubernetes 提供的能力开放给您的开发团队。
2、Kuboard 提供的功能有
-
Kubernetes 基本管理功能
-
节点管理
-
名称空间管理
-
存储类/存储卷管理
-
控制器(Deployment/StatefulSet/DaemonSet/CronJob/Job/ReplicaSet)管理
-
Service/Ingress 管理
-
ConfigMap/Secret 管理
-
CustomerResourceDefinition 管理
-
Kubernetes 问题诊断
-
Top Nodes / Top Pods
-
事件列表及通知
-
容器日志及终端
-
KuboardProxy (kubectl proxy 的在线版本)
-
PortForward (kubectl port-forward 的快捷版本)
-
复制文件 (kubectl cp 的在线版本)
-
认证与授权
-
Github/GitLab 单点登录
-
KeyCloak 认证
-
LDAP 认证
-
完整的 RBAC 权限管理
-
Kuboard 特色功能
-
Grafana+Prometheus 资源监控
-
Grafana+Loki+Promtail 日志聚合
-
Kuboard 官方套件
-
Kuboard 自定义名称空间布局
-
Kuboard 中英文语言包
3、Kuboard 部署
KuBord官网:https://kuboard.cn/install/v3/install-in-k8s.html#%E5%AE%89%E8%A3%85
提供的安装命令如下:(支持1.27)
KuBord官网:https://kuboard.cn/install/v3/install.html
提供的安装命令如下:
kubectl apply -f https://addons.kuboard.cn/kuboard/kuboard-v3.yaml
错误异常pod一直不就绪 缺少 Master Role
-
可能缺少 Master Role 的情况有:
-
当您在 *阿里云、腾讯云(以及其他云)托管* 的 K8S 集群中以此方式安装 Kuboard 时,您执行 kubectl get nodes 将 *看不到 master 节点*;
-
当您的集群是通过二进制方式安装时,您的集群中可能缺少 Master Role,或者当您删除了 Master 节点的
在集群中缺少 Master Role 节点时,您也可以为一个或者三个 worker 节点添加的标签,来增加 kuboard-etcd 的实例数量;
- 执行如下指令,可以为节点添加所需要的标签
kubectl label nodes your-node-name k8s.kuboard.cn/role=etcd
4、访问 Kuboard
在浏览器中打开链接 http://172.23.70.235:30080
输入初始用户名和密码,并登录
- 用户名: admin
- 密码: Kuboard123
部署完成后,进入30080端口可以看到这个命令,运行
curl -k 'http://172.23.70.235:30080/kuboard-api/cluster/default/kind/KubernetesCluster/default/resource/installAgentToKubernetes?token=VJr7EYvO0Dvh7eoB8JlYcN7S0GQhnPZE' > kuboard-agent.yaml
kubectl apply -f ./kuboard-agent.yaml
然后就可以看到集群信息了
至此集群部署完成
ZhangHe IT技术类博客
__EOF__