1. 环境准备
在开始之前,部署Kubernetes集群机器需要满足以下几个条件:
- 一台或多台机器,操作系统 CentOS7.x-86_x64;
- 硬件配置:2GB或更多RAM,2个CPU或更多CPU,硬盘30GB或更多;
- 集群中所有机器之间网络互通;
- 可以访问外网,需要拉取镜像;
- 禁止swap分区。
主机详情
| IP | Hostname | 备注 |
|---|---|---|
| 192.168.32.128 | K8s-master | Master,控制平面,docker |
| 192.168.32.129 | K8s-node1 | 节点,docker |
| 192.168.32.130 | K8s-node2 | 节点,docker |
2. 准备安装环境(三台机器都要执行)
2.1 修改主机hostname# 分别在三台机器上执行:
hostnamectl set-hostname k8s-master
hostnamectl set-hostname k8s-node1
hostnamectl set-hostname k8s-node22.2 修改hosts文件,三台机器都要执行# 角色 系统 ip
cat > /etc/hosts << EOF
192.168.32.128 k8s-master
192.168.32.129 k8s-node1
192.168.32.130 k8s-node2
EOF2.3 关闭防火墙 seliunx 三个机器都一样执行# 关闭防火墙
systemctl stop firewalld
systemctl disable firewalld# 关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config # 永久
setenforce 0# 临时
# 关闭swap:
swapoff -a # 临时vim /etc/fstab # 永久
# /dev/mapper/centos-swap swap swap defaults 0 0 # 禁用就好了# 将桥接的IPv4流量传递到iptables的链:
cat >/etc/sysctl.d/k8s.conf << EOF
net.bridge.bridge-nf-call-ip6tables =1
net.bridge.bridge-nf-call-iptables =1
EOFsysctl --system # 生效2.4 时间同步三台机器都要操作
yum install ntpdate -y
ntpdate ntp1.aliyun.com设置定时自动同步,三台机器都要操作
crontab -e
*/10 * * * * ntpdate ntp1.aliyun.com
*/12 * * * * hwclock --systohc
*/13 * * * * clock -w2.5 安装Docker 三台机器都要安装# 修改yum 源,三台机器都要修改
cd /etc/yum.repos.d/
[root@k8s-master yum.repos.d]# mkdir bak
[root@k8s-master yum.repos.d]# mv *.repo bak/# 安装yum 源,三台机器都要安装
wget https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo -O /etc/yum.repos.d/docker-ce.repo# 安装docker,三台机器都要安装
yum -y install docker-ce
systemctl enable docker && systemctl start docker# 配置镜像下载加速器
cat >/etc/docker/daemon.json << EOF
{
"registry-mirrors":["https://b9pmyelo.mirror.aliyuncs.com"]
}
EOFsystemctl restart docker
2.6 添加阿里yum仓库源 安装 kubeadm 用的 三个节点
cat >/etc/yum.repos.d/kubernetes.repo << EOF
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
enabled=1
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF2.7 开始安装 kubeadm , kubelet ,kubectl 三个节点都要安装# 执行安装版本号,不指定默认最新版本
yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9
systemctl enable kubelet# 解释和注释
kubelet:systemd守护进程管理
kubeadm:部署工具
kubectl:k8s命令行管理工具2.8 开始部署 kubernetes master,在k8s-master机器上执行# 在 192.168.32.128 master 上执行 要写master ip[root@k8s-master ~]# kubeadm init \
--apiserver-advertise-address=192.168.32.128 \
--image-repository registry.aliyuncs.com/google_containers \
--kubernetes-version v1.20.9 \
--service-cidr=10.96.0.0/12 \
--pod-network-cidr=10.244.0.0/16# 参数解释
–apiserver-advertise-address 集群通告地址
–image-repository 由于默认拉取镜像地址k8s.gcr.io国内无法访问,这里指定阿里云镜像仓库地址。
–kubernetes-version K8s版本,与上面安装的一致
–service-cidr 集群内部虚拟网络,Pod统一访问入口
–pod-network-cidr Pod网络,与下面部署的CNI网络组件yaml中保持一致Master 初始化成功之后,会生成节点加入指令。2.9 拷贝kubectl使用的连接k8s认证文件到默认路径# 在master 上执行
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config # 查看节点情况,由于还没部署flannel 通信插件,所以status 是notreadykubectl get nodes
NAME STATUS ROLES AGE VERSION
k8s-master NotReady master 2m v1.20.92.10 加入kubernetes node 在32.129 和 32.130 上执行# 这个东西是自己生成的 这个东西是那个界节点加入 在那个机器执行[root@k8s-node1 ~]# kubeadm join 192.168.32.128:6443--token esce21.q6hetwm8si29qxwn \
--discovery-token-ca-cert-hash sha256:00603a05805807501d7181c3d60b478788408cfe6cedefedb1f97569708be9c5默认token 有效期为24 小时 当过期后 改token 就不可用了 这时就需要重新创建token,操作如下:[root@k8s-master ~]# kubeadm token create --print-join-command2.11 部署容器网络(CNI)
这里使用Flannel作为Kubernetes容器网络方案,解决容器跨主机网络通信。
Flannel是CoreOS维护的一个网络组件,Flannel为每个Pod提供全局唯一的IP,Flannel使用ETCD来存储Pod子网与Node IP之间的关系。flanneld守护进程在每台主机上运行,并负责维护ETCD信息和路由数据包。使用如下yaml 文件部署flannel网络组件
kubectl apply -f kube-flannel.ymlkubectl get pods -n kube-system
[root@k8s-master ~]# cat kube-flannel.yml
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:name: psp.flannel.unprivilegedannotations:seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/defaultseccomp.security.alpha.kubernetes.io/defaultProfileName: docker/defaultapparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/defaultapparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:privileged: falsevolumes:- configMap- secret- emptyDir- hostPathallowedHostPaths:- pathPrefix: "/etc/cni/net.d"- pathPrefix: "/etc/kube-flannel"- pathPrefix: "/run/flannel"readOnlyRootFilesystem: false# Users and groupsrunAsUser:rule: RunAsAnysupplementalGroups:rule: RunAsAnyfsGroup:rule: RunAsAny# Privilege EscalationallowPrivilegeEscalation: falsedefaultAllowPrivilegeEscalation: false# CapabilitiesallowedCapabilities: ['NET_ADMIN', 'NET_RAW']defaultAddCapabilities: []requiredDropCapabilities: []# Host namespaceshostPID: falsehostIPC: falsehostNetwork: truehostPorts:- min: 0max: 65535# SELinuxseLinux:# SELinux is unused in CaaSPrule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: flannel
rules:
- apiGroups: ['extensions']resources: ['podsecuritypolicies']verbs: ['use']resourceNames: ['psp.flannel.unprivileged']
- apiGroups:- ""resources:- podsverbs:- get
- apiGroups:- ""resources:- nodesverbs:- list- watch
- apiGroups:- ""resources:- nodes/statusverbs:- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:name: flannel
roleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: flannel
subjects:
- kind: ServiceAccountname: flannelnamespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:name: flannelnamespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:name: kube-flannel-cfgnamespace: kube-systemlabels:tier: nodeapp: flannel
data:cni-conf.json: |{"name": "cbr0","cniVersion": "0.3.1","plugins": [{"type": "flannel","delegate": {"hairpinMode": true,"isDefaultGateway": true}},{"type": "portmap","capabilities": {"portMappings": true}}]}net-conf.json: |{"Network": "10.244.0.0/16","Backend": {"Type": "vxlan"}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:name: kube-flannel-dsnamespace: kube-systemlabels:tier: nodeapp: flannel
spec:selector:matchLabels:app: flanneltemplate:metadata:labels:tier: nodeapp: flannelspec:affinity:nodeAffinity:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- key: kubernetes.io/osoperator: Invalues:- linuxhostNetwork: truepriorityClassName: system-node-criticaltolerations:- operator: Existseffect: NoScheduleserviceAccountName: flannelinitContainers:- name: install-cni-pluginimage: rancher/mirrored-flannelcni-flannel-cni-plugin:v1.2command:- cpargs:- -f- /flannel- /opt/cni/bin/flannelvolumeMounts:- name: cni-pluginmountPath: /opt/cni/bin- name: install-cniimage: quay.io/coreos/flannel:v0.15.0command:- cpargs:- -f- /etc/kube-flannel/cni-conf.json- /etc/cni/net.d/10-flannel.conflistvolumeMounts:- name: cnimountPath: /etc/cni/net.d- name: flannel-cfgmountPath: /etc/kube-flannel/containers:- name: kube-flannelimage: quay.io/coreos/flannel:v0.15.0command:- /opt/bin/flanneldargs:- --ip-masq- --kube-subnet-mgrresources:requests:cpu: "100m"memory: "50Mi"limits:cpu: "100m"memory: "50Mi"securityContext:privileged: falsecapabilities:add: ["NET_ADMIN", "NET_RAW"]env:- name: POD_NAMEvalueFrom:fieldRef:fieldPath: metadata.name- name: POD_NAMESPACEvalueFrom:fieldRef:fieldPath: metadata.namespacevolumeMounts:- name: runmountPath: /run/flannel- name: flannel-cfgmountPath: /etc/kube-flannel/volumes:- name: runhostPath:path: /run/flannel- name: cni-pluginhostPath:path: /opt/cni/bin- name: cnihostPath:path: /etc/cni/net.d- name: flannel-cfgconfigMap:name: kube-flannel-cfg# 创建网络插件
kubectl apply -f kube-flannel.yml
kubectl get pods -n kube-system
# 查看节点时候都ready 状态
kubectl get nodes -owide
2.12 部署官方 Doshboard (UI)[root@k8s-master ~]# wget https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.3/aio/deploy/recommended.yaml
默认Dashboard只能集群内部访问,修改Service为NodePort类型,暴露到外部:
[root@k8s-master ~]# vim recommended.yaml
...
kind:Service
apiVersion: v1
metadata:labels:k8s-app: kubernetes-dadashboardname: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:ports:
- port:443targetPort:8443nodePort: 30006 #添加的端口 30006selector:k8s-app: kubernetes-dashboardtype: NodePort 添加的...[root@k8s-master ~]# kubectl apply -f recommended.yaml
[root@k8s-master ~]# kubectl get pods -n kubernetes-dashboard
NAME READY STATUS RESTARTS AGE
dashboard-metrics-scraper-6b4884c9d5-gl8nr 1/1 Running 0 13m
kubernetes-dashboard-7f99b75bf4-89cds 1/1 Running 0 13m
访问地址:https://NodeIP:30006
创建service account并绑定默认cluster-admin管理员集群角色创建用户
[root@k8s-master ~]# kubectl create serviceaccount dashboard-admin -n kube-system# 用户授权
[root@k8s-master ~]# kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# 获取用户Token
[root@k8s-master ~]# kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
使用输出的Token登入 Dashboard 最后就是
访问地址 192.168.32.128:30006 然后 token 登入就行了2.13 服务无中断平滑发布Kubernetes支持名为Rolling Update的功能,允许您不间断地,
接近几乎无缝地平滑升级部署应用程序 ,即在不停止对外服务的前提下完成应用的更新。 什么是滚动更新?
为了应用升级部署时候k8s不停服达到用户无感知,Kubernetes支持称为滚动更新的功能。此功能允许您按顺序更新pod,一次更新一个(按照配置比例),而不是一次停止/更新整个pod。使发布版本更新和回滚而不会中断服务 # 滚动更新示例上传测试项目:拉取基础环境 python:3.7
docker pull python:3.7
部署执行Dockerfile 打包过程Vim DockerfileFROM python:3.7
VOLUME /tmp
ADD . /work
WORKDIR /work
RUN rm -rf simpleui
RUN /usr/local/bin/python -m pip install --upgrade pip
RUN pip3 install -i https://mirrors.aliyun.com/pypi/simple/ -r requirements.txt
RUN pip3 install django-simpleui -U
EXPOSE 8080
ENTRYPOINT ["python","manage.py","runserver" ,"0.0.0.0:8080"]
执行Dockerfile打包,生成本地制品镜像,(注意后面的点,代表当前目录的Dockerfile 文件)[root@k8s-master hospital_manager]# docker build -t hospital:v1.23.6.20.1 .
hospital.yaml 文件详解:apiVersion: apps/v1
kind: Deployment
metadata:creationTimestamp: nulllabels:app: hospitalname: deployment-hospital #deployment名字namespace: encop #命名空间
spec:replicas: 4 #开启的pods 副本progressDeadlineSeconds: 600 #等待多少秒才能确定Deployment进程是卡住的,如果还是卡住,则标记次pods 为falseminReadySeconds: 10 #滚动升级时10s后认为该pod就绪可用selector:matchLabels:app: hospitalstrategy:rollingUpdate: #滚动更新maxSurge: 1 #滚动更新期间可以创建的pod的最大数量超过指定数量的pod。1表示当一个新的pod被创建才会删除一个pod,以此类推。可以是具体的整数,也可以是百分百 默认值为25%maxUnavailable: 25% #滚动更新期间不可用的pods 数量type: RollingUpdatetemplate:metadata:creationTimestamp: nulllabels:app: hospitalspec:containers:- image: test/hospital:v1.23.6.20.1 #镜像版本imagePullPolicy: Never #表示拉取本地镜像,不拉去远程镜像name: hospitalresources: {}volumeMounts:- name: time-configmountPath: /etc/localtimereadOnly: truevolumes:- name: time-confighostPath:path: /etc/localtime
status: {}
---
apiVersion: v1
kind: Service
metadata:creationTimestamp: nulllabels:app: hospitalname: hospitalnamespace: encop
spec:ports:- nodePort: 32121port: 8080protocol: TCPtargetPort: 8080selector:app: hospitaltype: NodePortsessionAffinity: ClientIP #多pods时达到会话保持的状态
status:loadBalancer: {}创建kubectl apply -f hospital.yaml
[root@k8s-master v1]# kubectl get pods -n encop -owide
查看pods的版本号
v1.23.6.20.1版本号
[root@k8s-master v1]# kubectl get pod -w -n encop
在192.168.32.129 node1机器上使用脚本测试服务是否正常访问!
[root@k8s-node1 ~]# cat check_serv.sh
#!/bin/bashwhile true; docurl -m 10 -s -o /dev/null 192.168.32.128:32121if [ $? == 0 ]; thenecho "服务正常!"
elseecho "服务不正常!"
fi
sleep 2
done目前是正常的!
目前浏览器是可以正常访问的
修改程序标题改为v2,修改此处,更新后应该为v2字样
重新打包build 镜像[root@k8s-master hospital_manager]# docker build -t test/hospital:v1.23.6.20.2 .
执行滚动更新前服务都是正常访问的
监控服务更新变化
[root@k8s-master v1]# kubectl get pod -w -n encop
执行更新操作,将版本号从v1.23.6.20.1 升级到v1.23.6.20.2
kubectl set image deployment/deployment-hospital hospital=test/hospital:v1.23.6.20.2 -n encop
部署过程中服务一直都是正常访问的
网页标题也变了,服务也没有出现终端问题,滚动更新不停服务升级成功!
版本号也更新到v1.23.6.20.2
参考文章:http://idcsec.com/2019/03/05/kubernetes%E6%BB%9A%E5%8A%A8%E6%9B%B4%E6%96%B0%EF%BC%88%E6%97%A0%E4%B8%AD%E6%96%AD%E5%B9%B3%E6%BB%91%E5%8F%91%E5%B8%83%EF%BC%89/附加:如果服务启动时间比较长,可以添加探针,更加细致严谨# 准备就绪探针readinessProbe:# 使用 HTTP GET 方法检查httpGet:# 检查的路径# Windows 上使用 /sys-value-server/one-vo/12# k8s 上使用 /sys-value-server/one-vo/12path: /sys-value-server/one-vo/12 # 访问次服务url 返回200,才证明此pods 启动成功,流量才分配到此pods中# 应用程序端口号port: 42130# 初始化延迟 30 秒initialDelaySeconds: 20# 每隔 10 秒一次检查periodSeconds: 10# 超时时间timeoutSeconds: 5# 连续成功的检查次数successThreshold: 1# 连续失败的检查次数failureThreshold: 3
