1、Master高可用
其他 master 加⼊集群时,输⼊如下命令
如:需要⾼可⽤时,⼜克隆了 master02 、 03... 等,那么这些节点都执⾏下⾯的命令
注意: 每个主机的 token 值是不⼀样的,下⾯是我192.168.15.11 (master)主机的 token 值,这是集群初始化⽣成的代码,需要在当时记录下来。
kubeadm join 192.168.15.11:6443 --token
7t2weq.bjbawausm0jaxury \
--discovery-token-ca-cert-hash \
sha256:73dc6f8d973fc70818e309386c1bfc5d330c19d52b4
94c6f88f634a6b1250a2f \
--control-plane --certificate-key \
80fcc505867ccbc6550c18ed11f40e64ecf486d626403823f5
48dda65c19953d
2、Token 过期处理
注意: * * 以下步骤是上述初始化命令产⽣的 Token 过期了才需要执⾏以下步骤,如果没有过期不需要执⾏,直接 join 即可。 **Token 过期后⽣成新的 token
kubeadm token create --print-join-command
Master 需要⽣成 --certificate-key :
kubeadm init phase upload-certs --upload-certs
3、、Node 节点配置
Node 节点上主要部署公司的⼀些业务应⽤,⽣产环境中不建议
Master 节点部署系统组件之外的其他 Pod ,测试环境可以允许
Master 节点部署 Pod 以节省系统资源。
( 1 ) node 加⼊集群
[root@k8s-node01 ~]# kubeadm join
192.168.15.11:6443 --token 7t2weq.bjbawausm0jaxury
\ # node01通过复制master初始化⽣成的token来加⼊集群
> --discovery-token-ca-cert-hash \
>
sha256:73dc6f8d973fc70818e309386c1bfc5d330c19d52b4
94c6f88f634a6b1250a2f
[preflight] Running pre-flight checks
[preflight] Reading configuration from the
cluster...
[preflight] FYI: You can look at this config file
with 'kubectl -n kube-system get cm kubeadm-config
-o yaml'
[kubelet-start] Writing kubelet configuration to
file "/var/lib/kubelet/config.yaml"
[kubelet-start] Writing kubelet environment file
with flags to file "/var/lib/kubelet/kubeadmflags.env"
[kubelet-start] Starting the kubelet
[kubelet-start] Waiting for the kubelet to perform
the TLS Bootstrap...
This node has joined the cluster:
* Certificate signing request was sent to
apiserver and a response was received.
* The Kubelet was informed of the new secure
connection details.
Run 'kubectl get nodes' on the control-plane to
see this node join the cluster.
# 正确加⼊集群后的输出信息
( 2 )查看集群状态
master 上查看集群状态( NotReady 不影响)
[root@k8s-master ~]# kubectl get node # 获取所有节
点信息
NAME STATUS ROLES AGE
VERSION
k8s-master NotReady control-plane 35m
v1.28.2
k8s-node01 NotReady <none> 6m39s
v1.28.2
k8s-node02 NotReady <none> 7m27s
v1.28.2
4、Calico 组件安装
( 1 )切换 git 分⽀
[root@k8s-master ~]# cd /root/k8s-ha-install &&
git checkout manual-installation-v1.28.x && cd
calico/
分⽀ 'manual-installation-v1.28.x' 设置为跟踪
'origin/manual-installation-v1.28.x'。
切换到⼀个新分⽀ 'manual-installation-v1.28.x'
( 2 )修改 Pod ⽹段
[root@k8s-master calico]# POD_SUBNET=`cat
/etc/kubernetes/manifests/kube-controllermanager.yaml | grep cluster-cidr= | awk -F=
'{print $NF}'` # 获取已定义的Pod⽹段
[root@k8s-master calico]# sed -i
"s#POD_CIDR#${POD_SUBNET}#g" calico.yaml # 修改
calico.yml⽂件中的pod⽹段
[root@k8s-master calico]# kubectl apply -f
calico.yaml # 创建calico的pod
( 3 )查看容器和节点状态
[root@k8s-master calico]# kubectl get po -n kubesystem
NAME READY
STATUS RESTARTS AGE
calico-kube-controllers-6d48795585-wj8g5 1/1
Running 0 130m
calico-node-bk4p5 1/1
Running 0 130m
calico-node-kmsh7 1/1
Running 0 130m
calico-node-qthgh 1/1
Running 0 130m
coredns-6554b8b87f-jdc2b 1/1
Running 0 133m
coredns-6554b8b87f-thftb 1/1
Running 0 133m
etcd-master 1/1
Running 0 133m
kube-apiserver-master 1/1
Running 0 133m
kube-controller-manager-master 1/1
Running 0 133m
kube-proxy-46j4z 1/1
Running 0 131m
kube-proxy-8g887 1/1
Running 0 133m
kube-proxy-vwp27 1/1
Running 0 131m
kube-scheduler-master 1/1
Running 0 133m
[root@k8s-master calico]# kubectl get node # 此
时节点全部准备完成
NAME STATUS ROLES AGE
VERSION
k8s-master Ready control-plane 40m
v1.28.2
k8s-node01 Ready <none> 12m
v1.28.2
k8s-node02 Ready <none> 12m
v1.28.2
5、Metrics 部署
在新版的 Kubernetes 中系统资源的采集均使⽤ Metrics-server ,可以通过 Metrics 采集节点和 Pod 的内存、磁盘、 CPU 和⽹络的使⽤率。
( 1 )复制证书到所有 node 节点
将 master 节点的 front-proxy-ca.crt 复制到所有 Node 节点,每有⼀个节点执⾏⼀次,仅需修改命令内的 node 节点主机名即可。
[root@k8s-master calico]# scp
/etc/kubernetes/pki/front-proxy-ca.crt k8snode01:/etc/kubernetes/pki/front-proxy-ca.crt #
向node01节点发送代理证书
front-proxy-ca.crt
100% 1123 937.0KB/s 00:00
[root@k8s-master calico]# scp
/etc/kubernetes/pki/front-proxy-ca.crt k8snode02:/etc/kubernetes/pki/front-proxy-ca.crt #
向node02节点发送代理证书
front-proxy-ca.crt
100% 1123 957.4KB/s 00:00
# 若有其他node节点,按照格式执⾏下⾯命令,这⾥不⽤执⾏,因
为node只有两台主机
[root@k8s-master calico]# scp
/etc/kubernetes/pki/front-proxy-ca.crt k8snode03:/etc/kubernetes/pki/front-proxy-ca.crt
( 2 )安装 metrics server
[root@k8s-master calico]# cd /root/k8s-hainstall/kubeadm-metrics-server
[root@k8s-master kubeadm-metrics-server]# kubectl
create -f comp.yaml # 添加metric server的pod资源
serviceaccount/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:aggre
gated-metrics-reader created
clusterrole.rbac.authorization.k8s.io/system:metri
cs-server created
rolebinding.rbac.authorization.k8s.io/metricsserver-auth-reader created
clusterrolebinding.rbac.authorization.k8s.io/metri
cs-server:system:auth-delegator created
clusterrolebinding.rbac.authorization.k8s.io/syste
m:metrics-server created
service/metrics-server created
deployment.apps/metrics-server created
apiservice.apiregistration.k8s.io/v1beta1.metrics.
k8s.io created
( 3 )查看 metrics server 状态
[root@master kubeadm-metrics-server]# kubectl get
po -n kube-system -l k8s-app=metrics-server # 在
kube-system命名空间下查看metrics server的pod运⾏状态
NAME READY STATUS
RESTARTS AGE
metrics-server-8df99c47f-mkbfd 1/1 Running
0 34s
[root@master kubeadm-metrics-server]# kubectl top
node # 查看node节点的系统资源使⽤情况
NAME CPU(cores) CPU% MEMORY(bytes)
MEMORY%
k8s-node01 51m 1% 831Mi
23%
k8s-node02 55m 1% 931Mi
25%
master 107m 2% 1412Mi
39%
[root@master kubeadm-metrics-server]# kubectl top
po -A
NAMESPACE NAME CPU(cores) MEMORY(bytes)
kube-system calico-kube-controllers-6d48795585-
wj8g5 2m 25Mi
kube-system calico-node-bk4p5 20m 155Mi
kube-system calico-node-kmsh7 25m 152Mi
kube-system calico-node-qthgh 24m 145Mi
kube-system coredns-6554b8b87f-jdc2b 1m 22Mi
kube-system coredns-6554b8b87f-thftb 1m 20Mi
kube-system etcd-master 14m 66Mi
kube-system kube-apiserver-master 29m 301Mi
kube-system kube-controller-manager-master 10m 56Mi
kube-system kube-proxy-46j4z 1m 22Mi
kube-system kube-proxy-8g887 1m 24Mi
kube-system kube-proxy-vwp27 1m 22Mi
kube-system kube-scheduler-master 2m 26Mi
kube-system metrics-server-8df99c47f-mkbfd 3m 29Mi
6、Dashboard 部署
Dashboard ⽤于展示集群中的各类资源,同时也可以通过
( 1 )安装组件
[root@master kubeadm-metrics-server]# cd
/root/k8s-ha-install/dashboard/
[root@master dashboard]# kubectl create -f . #
建⽴dashboard的pod资源
serviceaccount/admin-user created
clusterrolebinding.rbac.authorization.k8s.io/admin
-user created
namespace/kubernetes-dashboard created
serviceaccount/kubernetes-dashboard created
service/kubernetes-dashboard created
secret/kubernetes-dashboard-certs created
secret/kubernetes-dashboard-csrf created
secret/kubernetes-dashboard-key-holder created
configmap/kubernetes-dashboard-settings created
role.rbac.authorization.k8s.io/kubernetesdashboard created
clusterrole.rbac.authorization.k8s.io/kubernetesdashboard created
rolebinding.rbac.authorization.k8s.io/kubernetesdashboard created
clusterrolebinding.rbac.authorization.k8s.io/kuber
netes-dashboard created
deployment.apps/kubernetes-dashboard created
service/dashboard-metrics-scraper created
deployment.apps/dashboard-metrics-scraper created
( 2 )登录 dashboard
如果是⾕歌浏览器,需要在启动⽂件中加⼊下⾯的启动参数,⽤于解决⽆法访问 Dashboard 的问题
--test-type --ignore-certificate-errors
( 3 )更改 svc 模式
[root@master dashboard]# kubectl edit svc
kubernetes-dashboard -n kubernetes-dashboard
# edit:进⼊kubernetes的⽂本编辑器
# svc:指定某个服务项,这⾥指定的是kubernetes-dashboard
# -n:指定命名空间,kubernetes-dashboard
# 命令执⾏后相当于进⼊vim⽂本编辑器,不要⽤⿏标滚轮,会输出
乱码的!可以使⽤“/”搜索,输⼊“/type”找到⽬标,如果已经为
NodePort忽略此步骤
......省略部分内容......selector:k8s-app: kubernetes-dashboardsessionAffinity: Nonetype: NodePort
( 4 )查看访问端⼝号
[root@master dashboard]# kubectl get svc
kubernetes-dashboard -n kubernetes-dashboard # 获
取kubernetes-dashboard状态信息,包含端⼝,服务IP等
NAME TYPE CLUSTER-IP
EXTERNAL-IP PORT(S) AGE
kubernetes-dashboard NodePort 10.96.137.94
<none> 443:30582/TCP 8m50s
找到端⼝号后,通过 master 的 IP+ 端⼝ 即可访问 dashboard (端⼝为终端查询到的端⼝,要⽤ https 协议访问)
( 5 )创建登录 token
[root@master dashboard]# kubectl create token
admin-user -n kube-system
eyJhbGciOiJSUzI1NiIsImtpZCI6Inlvc2g1cWhWcjduaXI1ZU
FpQWNwRFJYYW1saXVFM3lrdlJnaHlUSmY0RTAifQ.eyJhdWQiO
lsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN
0ZXIubG9jYWwiXSwiZXhwIjoxNzAzMDU2Nzg4LCJpYXQiOjE3M
DMwNTMxODgsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZ
hdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pb
yI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2V
hY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiN
zE0YWU1N2UtNjRiNC00NTU0LTk5OTctYjE2NmEwZTQyNzhjIn1
9LCJuYmYiOjE3MDMwNTMxODgsInN1YiI6InN5c3RlbTpzZXJ2a
WNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbi11c2VyIn0.l6z
gXfNhppndKAqFJrR_vCi7w0_esGp7yQGNYdrQGlE5latyFKRXN
Jub8dvDe-ZyquW1H-KTvZntAluwOXv79WKY8Z8d31FePN9LHzCXPDordzyg8rE7qvgAPNeU8FgVnYtr_ujpBmuBinjnzT7LjysJiBi6fsndiD5RUYcYr6bsLg91bcLgAdW3bn_
9W5587z_q-910wpxl9AwUL9xVzyvsVDDdXe1VthkoGYxyaznRf5omkmpwabQ3JQ0L8U_8Oop6HaZs
g5cEBCqBHrgyjBsYRALjzRlFlC9CB4hrYY4P_zRSdoI0lyiG4Z
eh0ber6awoeeKSMbJMTqwMlw
在 “ 输⼊ token *” 内输⼊终端⽣成的 token