在使用kubeadm搭建kubernetes时候碰到很多坑,总结记录下来

我们只讨论怎么使用kubeadm快速搭建一个kubernetes集群,其他知识点自行查看

docker自行安装 推荐18.09

安装kubeadm组件

需要用到国内阿里云镜像源

# Register the Kubernetes yum repository (Aliyun mirror of the upstream repo).
# Keep gpgcheck and repo_gpgcheck at 1: both the RPMs and the repository
# metadata are then signature-checked, so a tampered mirror cannot feed
# unsigned packages to this host.
tee /etc/yum.repos.d/kubernetes.repo >/dev/null <<'EOF'
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

关闭 SELinux（实际是切换到 permissive 模式）。kubeadm 需要这样做以便容器访问宿主机文件系统，但这会削弱宿主机隔离，在实验环境之外部署前请重新评估。注意仅执行 setenforce 0 只对本次运行有效，重启后会恢复 enforcing，需同时修改 /etc/selinux/config。

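# Put SELinux into permissive mode. kubeadm needs this so containers can reach
# the host filesystem; it does weaken host isolation, so re-evaluate before
# running this cluster outside a lab.
# "setenforce 0" is lost on reboot; persist it in /etc/selinux/config too,
# otherwise the kubelet comes back under enforcing mode after the first restart.
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

# Pin the packages to the control-plane image versions pre-pulled later in
# this guide (v1.13.4). An unpinned "yum install" takes the newest kubeadm,
# which then expects different image tags than the ones re-tagged into
# k8s.gcr.io/ on this host.
K8S_VERSION=1.13.4
yum install -y "kubelet-${K8S_VERSION}" "kubeadm-${K8S_VERSION}" "kubectl-${K8S_VERSION}"

# Enable the kubelet now; it restarts in a loop until "kubeadm init" writes
# its configuration, which is expected at this stage.
systemctl enable kubelet && systemctl start kubelet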

关闭交换分区

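# The kubelet refuses to start while swap is enabled. Disable it for the
# running system, then comment the swap entry out of /etc/fstab so the change
# survives a reboot (the original file is kept as /etc/fstab.bak).
# The trailing Chinese notes of the original lines were not valid shell and
# have been turned into comments.
swapoff -a
sed -i.bak -E '/\sswap\s/ s/^([^#])/#\1/' /etc/fstab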

设置iptables内核参数

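# Bridged pod traffic has to traverse iptables so kube-proxy rules apply to it.
# The bridge-nf-call sysctls only exist once br_netfilter is loaded; load it
# now and at boot, otherwise "sysctl --system" fails with
# "No such file or directory" and the settings are silently missing.
modprobe br_netfilter
echo br_netfilter > /etc/modules-load.d/k8s.conf

# ip_forward is required for pod-to-pod routing across nodes; Docker usually
# turns it on, but make it explicit so the node does not depend on that.
cat <<'EOF' > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
EOF
sysctl --system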

获取镜像

由于不可抗拒的原因你需要更换下载镜像地址（改从阿里云镜像仓库拉取），再重新打成 kubeadm 可识别的 k8s.gcr.io/ 标签名。注意：重新打标签后，本机上的镜像在名字上与官方镜像无法区分，镜像的可信度完全取决于对该镜像仓库的信任；条件允许时应对照上游 digest 核对后再初始化集群。
以下地址为阿里云仓库地址，kubernetes 等各个组件的版本可自行更改脚本中的变量。
所需镜像版本可用 `kubeadm config images list` 查看，或直接 kubeadm init 后通过报错中的版本确认。

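#!/bin/bash
# Pre-pull the control-plane images kubeadm v1.13.4 expects from an Aliyun
# mirror and re-tag them under the k8s.gcr.io/ names kubeadm looks for.
# The versions must match the installed kubeadm; "kubeadm config images list"
# prints the exact tags for the installed version.
#
# NOTE(security): after re-tagging, mirror-sourced images are indistinguishable
# from upstream ones on this host. The mirror is trusted implicitly here;
# where possible compare the digests ("docker images --digests") with the
# upstream k8s.gcr.io digests before running "kubeadm init".
set -euo pipefail

APISERVER=v1.13.4
MANAGER=v1.13.4
SCHEDULER=v1.13.4
PROXY=v1.13.4
PAUSE=3.1
ETCD=3.2.24
COREDNS=1.2.6

MIRROR=registry.cn-hangzhou.aliyuncs.com/google_containers
UPSTREAM=k8s.gcr.io

# name:tag pairs; each is pulled from the mirror and tagged as the upstream name.
IMAGES=(
  "kube-apiserver:${APISERVER}"
  "kube-controller-manager:${MANAGER}"
  "kube-scheduler:${SCHEDULER}"
  "kube-proxy:${PROXY}"
  "pause:${PAUSE}"
  "etcd:${ETCD}"
  "coredns:${COREDNS}"
)

# With "set -e" a failed pull stops the script instead of leaving a later
# "docker tag" to fail on an image that was never downloaded.
for image in "${IMAGES[@]}"; do
  docker pull "${MIRROR}/${image}"
  docker tag "${MIRROR}/${image}" "${UPSTREAM}/${image}"
done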

初始化

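# --pod-network-cidr must match the flannel manifest (10.244.0.0/16 is its
# default). --kubernetes-version pins the control plane to the images that
# were pre-pulled, so kubeadm does not try to fetch a different tag.
kubeadm init \
  --kubernetes-version=v1.13.4 \
  --pod-network-cidr=10.244.0.0/16 \
  --service-cidr=10.96.0.0/12

# admin.conf carries a cluster-admin client certificate. The copy in ~/.kube
# must be readable by this user only; treat it like a root password.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"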

初始化成功后会打印 kubeadm join 命令，在 node 节点上执行即可加入集群。该命令包含 bootstrap token 和 CA 证书哈希，token 是能让任意机器加入集群的凭据（kubeadm 默认约 24 小时后过期），不要公开粘贴；每个人的都不一样，故此处不列出。

安装网络插件

同样需要先下载镜像源

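# Pin flannel to a release tag instead of "master": an unpinned branch changes
# under you, and the file reviewed here would then differ from the one applied.
# v0.11.0 is the flannel release contemporary with kubernetes 1.13; verify the
# tag you want before use.
FLANNEL_REF=v0.11.0
wget "https://raw.githubusercontent.com/coreos/flannel/${FLANNEL_REF}/Documentation/kube-flannel.yml"

# Review kube-flannel.yml before applying it: a CNI manifest typically runs a
# privileged, host-networked DaemonSet on every node.

# Pre-pull the images it references (sort -u de-duplicates non-adjacent
# repeats, which the original "uniq" did not).
for image in $(grep 'image:' kube-flannel.yml | awk '{print $NF}' | sort -u); do
  docker pull "$image"
done

# Apply the local file that was just reviewed, not a second download that
# could differ from it.
kubectl apply -f kube-flannel.yml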

查看kube-system状态
# All kube-system pods should reach Running once the network plugin is up.
kubectl get pods --namespace=kube-system

部署dashboard

dashboard 的镜像同样改用阿里云镜像源（对应上游 k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1）：
registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
镜像 pull 需要稍等一会。

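# The manifest below had lost all of its YAML indentation (every key at
# column 0), which kubectl rejects; it is restored here. The heredoc delimiter
# is quoted so the shell never expands anything inside the manifest.
cat <<'EOF' > kubernetes-dashboard.yaml
# Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# ------------------- Dashboard Secret ------------------- #
# Left empty on purpose: with --auto-generate-certificates the Dashboard
# creates a self-signed certificate (the Role below lets it update this
# Secret). Browsers will warn about it; for anything beyond a lab, put a
# real dashboard.crt / dashboard.key in this Secret instead.

apiVersion: v1
kind: Secret
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kube-system
type: Opaque

---
# ------------------- Dashboard Service Account ------------------- #
# Identity the Dashboard pod itself runs as. Keep it minimal: what a logged-in
# user can do comes from the token they present at login, not from this account.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system

---
# ------------------- Dashboard Role & Role Binding ------------------- #

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
rules:
  # Allow Dashboard to create 'kubernetes-dashboard-key-holder' secret.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # Allow Dashboard to create 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs"]
    verbs: ["get", "update", "delete"]
  # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
  # Allow Dashboard to get metrics from heapster.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:"]
    verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubernetes-dashboard-minimal
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard-minimal
subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kube-system

---
# ------------------- Dashboard Deployment ------------------- #

kind: Deployment
apiVersion: apps/v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          # Aliyun mirror of k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.1.
          # Pinned by tag only; pin by digest (@sha256:...) once verified
          # against upstream so a re-pushed tag cannot swap the image.
          image: registry.cn-hangzhou.aliyuncs.com/google_containers/kubernetes-dashboard-amd64:v1.10.1
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
            # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule

---
# ------------------- Dashboard Service ------------------- #
# NodePort publishes the Dashboard on TCP 30000 of EVERY node's IP, not just
# the master. Restrict that port at the firewall / security group to admin
# addresses, or switch to type: ClusterIP and reach it via "kubectl proxy".

kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kube-system
spec:
  type: NodePort
  ports:
    - port: 443
      targetPort: 8443
      nodePort: 30000
  selector:
    k8s-app: kubernetes-dashboard
EOF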

权限文件：创建登录用的 ServiceAccount，并把它绑定到 cluster-admin（集群最高权限）。持有该账号 token 的任何人都能完全控制集群，仅适合实验环境；共享环境请改绑更窄的 ClusterRole 或命名空间级 Role。

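# Indentation of the manifest below had been lost (every key at column 0),
# which kubectl rejects; restored here. Quoted delimiter: nothing is expanded.
cat <<'EOF' > dashboard-admin.yaml
# Login identity for the Dashboard. The token of this ServiceAccount is what
# gets pasted into the login screen, so whatever it is bound to is exactly
# what any holder of that token can do.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kube-system
---
# WARNING: this binds the login token to cluster-admin - full control of the
# cluster, held in a long-lived Secret in kube-system. Acceptable for a lab;
# for anything shared, bind a narrower ClusterRole (e.g. the built-in "view"
# or "edit") or a namespaced Role instead, and firewall the Dashboard NodePort.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: admin-user
    namespace: kube-system
EOF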

按如下顺序分别 kubectl apply -f：
先 kubernetes-dashboard.yaml，再 dashboard-admin.yaml

获取登录 token（这是具有 cluster-admin 权限的 bearer token，不要粘贴到公开的地方；如需作废，删除 admin-user 这个 ServiceAccount 即可）

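# Look the token Secret up by ServiceAccount name instead of grepping the
# secret list ("grep admin-user" would also match any other secret whose name
# merely contains that string). The output is a cluster-admin bearer token:
# keep it out of shell history, tickets and chat, and delete the
# ServiceAccount to revoke it.
TOKEN_SECRET=$(kubectl -n kube-system get serviceaccount admin-user -o jsonpath='{.secrets[0].name}')
kubectl -n kube-system get secret "$TOKEN_SECRET" -o jsonpath='{.data.token}' | base64 --decode
echo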

通过火狐浏览器访问（Dashboard 使用自动生成的自签名证书，Firefox 可以添加例外，其他浏览器可能直接拒绝）：
https://<任一节点IP>:30000
注意 NodePort 会在所有节点上开放 30000 端口，应在防火墙/安全组上限制访问来源。

参考
李振良
data羊