[Kubernetes Usage Series] Installing Kubernetes 1.8

Background

Main references for this article (worth bookmarking)

https://jimmysong.io/kubernetes-handbook/
https://anjia0532.github.io/2017/11/15/gcr-io-image-mirror/

What this article gives you

Putting "what you learn from paper is always shallow; to really know a thing you must do it yourself" into practice: work through Chapter 5 hands-on.

Three things to do before installing

Get familiar with the basic Kubernetes architecture and how it works

Read chapters 1-4 of the Kubernetes Handbook, or Kubernetes in Action (the Chinese edition is out), carefully, to understand the overall architecture and the basic concept model:

  • cluster and node
  • RBAC:
  • pod: simply put, a group of containers; the base container is
  • deployment (a controller that manages pods):
  • service:
  • configmap:

Versions used in this article

CentOS: CentOS Linux release 7.3.1611 (Core)
kubernetes: 1.8.5
flannel: 0.7.1
docker: 1.12.6
harbor: 1.5.4 (depends on docker 1.12.6 and docker-compose 1.12.0)
etcd: 3.3.5
cfssl_linux-amd64
cfssljson_linux-amd64
cfssl-certinfo_linux-amd64

IP and service deployment plan

Resources in the test environment are limited, so they are packed onto as few hosts as is reasonable.

10.2.1.30 (centos7): harbor 0.5 (docker 1.10.3, docker-compose 1.10), etcd 3.3.5
10.2.1.33 (centos7): etcd 3.3.5
10.2.1.31 (centos7): etcd 3.3.5
10.2.1.37 (centos7): docker 1.12.6, flanneld 0.7.1, kubernetes master (kube-apiserver 1.8.5, kube-scheduler 1.8.5, kube-controller-manager 1.8.5), kubernetes node (kubelet 1.8.5, kube-proxy 1.8.5)
10.2.1.38 (centos7): docker 1.12.6, flanneld 0.7.1, kubernetes node (kubelet 1.8.5, kube-proxy 1.8.5)
10.2.1.39 (centos7): docker 1.12.6, flanneld 0.7.1, kubernetes node (kubelet 1.8.5, kube-proxy 1.8.5)

Installation steps

Install the etcd cluster

You can install a fresh etcd cluster or reuse an existing one. The etcd used in this article does not carry the certificates from the Kubernetes Handbook (that seemed like too much trouble) and is addressed over plain http://. Keep in mind what that gives up: etcd stores the entire cluster state, Secrets included, and without TLS client authentication anyone who can reach port 2379 on 10.2.1.30, 10.2.1.31 or 10.2.1.33 can read or rewrite it. For anything beyond an isolated lab, follow the Handbook's TLS setup for etcd, or at least restrict 2379 and 2380 to the master and the flannel hosts.
Then create the key-value entries the cluster needs.

Start the Harbor service

Install and start the Harbor service, then pull the images below from the anjia0532 mirror (the second reference above) and push them into the private registry for the later steps. A mirror is a supply-chain dependency: record the digests of what you push, and compare them against the gcr.io originals wherever you have access.

k8s-dns-kube-dns-amd64:1.14.1
k8s-dns-dnsmasq-nanny-amd64:1.14.1
k8s-dns-sidecar-amd64:1.14.1

heapster-amd64:v1.3.0
heapster-grafana-amd64:v4.0.2
heapster-influxdb-amd64:v1.1.1
fluentd-elasticsearch:1.22
kibana:4.6.1

kubernetes-dashboard-amd64:v1.6.3

Install Docker 1.12.6

See the earlier article; it is not repeated here. Remember to configure the private registry, otherwise many of the later steps will not work.

Install flanneld 0.7.1

Install flanneld by following https://jimmysong.io/kubernetes-handbook/practice/flannel-installation.html.
Note the /etc/sysconfig/flanneld configuration file:

# Flanneld configuration options  

# etcd url location. Point this to the server where etcd runs
FLANNEL_ETCD_ENDPOINTS="http://10.2.1.30:2379,http://10.2.1.31:2379,http://10.2.1.33:2379"

# etcd config key. This is the configuration key that flannel queries
# For address range assignment
FLANNEL_ETCD_PREFIX="/kube-centos/network"

# Any additional options that you want to pass
FLANNEL_OPTIONS="--iface=ens192"

Then create the flanneld network config for the Kubernetes cluster in etcd, under the key config below FLANNEL_ETCD_PREFIX.
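
As an added example (my code, not from the original article or the Kubernetes Handbook), the script below builds that config and writes it with etcdctl. The endpoints, prefix and the 172.19.0.0/16 service range are the ones this article uses; the 172.30.0.0/16 pod network and the vxlan backend are assumptions chosen for illustration. The overlap check is there because flannel knows nothing about the service range and will happily accept a pod CIDR that collides with it; the damage only shows up later as unreachable ClusterIPs.

```bash
#!/bin/bash
# Added example (not from the original article or the Kubernetes Handbook): build the flannel
# network config, refuse a pod range that collides with the service range, and write it to etcd.
# Endpoints, prefix and the 172.19.0.0/16 service range are the ones this article uses; the
# 172.30.0.0/16 pod network and the vxlan backend are assumptions chosen for illustration.
ETCD_ENDPOINTS="http://10.2.1.30:2379,http://10.2.1.31:2379,http://10.2.1.33:2379"
FLANNEL_PREFIX="/kube-centos/network"   # must equal FLANNEL_ETCD_PREFIX in /etc/sysconfig/flanneld
SERVICE_CIDR="172.19.0.0/16"            # --service-cluster-ip-range on the apiserver

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when two CIDRs share any address: compare both network numbers under the
# shorter of the two prefix lengths.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local min_len=$(( a_len < b_len ? a_len : b_len ))
  local mask=$(( (0xFFFFFFFF << (32 - min_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$a_ip") & mask )) -eq $(( $(ip_to_int "$b_ip") & mask )) ]
}

# The JSON flannel reads from <prefix>/config: the whole pod network, the per-node subnet size
# (SubnetLen=24 gives every node its own /24) and the backend type.
flannel_config_json() {
  local network=$1 subnet_len=${2:-24} backend=${3:-vxlan}
  printf '{"Network":"%s","SubnetLen":%d,"Backend":{"Type":"%s"}}' "$network" "$subnet_len" "$backend"
}

# Validate, then store the config through etcdctl's v2 API (flannel 0.7.x only speaks v2; the
# etcdctl shipped with etcd 3.3 defaults to v2 unless ETCDCTL_API=3 is set).
# Set DRY_RUN=1 to print what would be written instead of writing it.
write_flannel_config() {
  local network=$1 json
  if cidr_overlap "$network" "$SERVICE_CIDR"; then
    echo "refusing: pod network $network overlaps service range $SERVICE_CIDR" >&2
    return 1
  fi
  json=$(flannel_config_json "$network")
  if [ -n "${DRY_RUN:-}" ] || ! command -v etcdctl >/dev/null 2>&1; then
    echo "dry run: would set $FLANNEL_PREFIX/config = $json"
    return 0
  fi
  ETCDCTL_API=2 etcdctl --endpoints "$ETCD_ENDPOINTS" set "$FLANNEL_PREFIX/config" "$json" &&
    ETCDCTL_API=2 etcdctl --endpoints "$ETCD_ENDPOINTS" get "$FLANNEL_PREFIX/config"
}

# Demo: drop DRY_RUN=1 on a host that can reach etcd to write the key for real.
DRY_RUN=1 write_flannel_config 172.30.0.0/16
```

The trailing get echoes the stored value, which is what every flanneld reads at startup before leasing its own subnet under the same prefix. Because the etcd endpoints here are plain http, anyone on the network can rewrite this key and re-route the whole pod network; that is one more reason to follow the etcd caveat above.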

Prepare the certificates

Install the cfssl tools

Create the CA certificate

Follow https://jimmysong.io/kubernetes-handbook/practice/create-tls-and-secret-key.html to create the certificates and distribute them to every Kubernetes node. One caveat: a node only needs ca.pem plus the certificates and keys its own components use. ca-key.pem should stay on the machine that does the signing (the master here), because whoever holds it can issue a client certificate for any identity, cluster-admin included.

Install the Kubernetes master

Prepare the /etc/kubernetes/config file

This file is shared by kube-apiserver, kube-controller-manager, kube-scheduler, kubelet and kube-proxy.

###
# kubernetes system config
#
# The following values are used to configure various aspects of all
# kubernetes services, including
#
# kube-apiserver.service
# kube-controller-manager.service
# kube-scheduler.service
# kubelet.service
# kube-proxy.service
# logging to stderr means we get it in the systemd journal
KUBE_LOGTOSTDERR="--logtostderr=true"

# journal message level, 0 is debug
KUBE_LOG_LEVEL="--v=0"

# Should this cluster be allowed to run privileged docker containers
KUBE_ALLOW_PRIV="--allow-privileged=false"

# How the controller-manager, scheduler, and proxy find the apiserver
KUBE_MASTER="--master=http://10.2.1.37:8080"

Prepare the /etc/kubernetes/apiserver file

###
## kubernetes system config
##

## The following values are used to configure the kube-apiserver
## The address on the local server to listen to.
#KUBE_API_ADDRESS="--address=10.2.1.30"
KUBE_API_ADDRESS="--advertise-address=10.2.1.37 --bind-address=10.2.1.37 --insecure-bind-address=10.2.1.37"

## The port on the local server to listen on.
KUBE_API_PORT="--port=8080"

## Port minions listen on
KUBELET_PORT="--kubelet-port=10250"

## Comma separated list of nodes in the etcd cluster
KUBE_ETCD_SERVERS="--etcd-servers=http://10.2.1.30:2379,http://10.2.1.31:2379,http://10.2.1.33:2379"

## Address range to use for services
#KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=172.17.0.0/16"

#KUBE_ANONYMOUS_AUTH="--anonymous-auth=false"
KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=172.19.0.0/16"

## default admission control policies
#KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
KUBE_ADMISSION_CONTROL="--admission-control=ServiceAccount,NamespaceLifecycle,NamespaceExists,LimitRanger,ResourceQuota"
KUBE_API_ARGS="--authorization-mode=RBAC --runtime-config=rbac.authorization.k8s.io/v1beta1 --kubelet-https=true --experimental-bootstrap-token-auth --token-auth-file=/etc/kubernetes/token.csv --service-node-port-range=30000-32767 --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem --enable-swagger-ui=true --apiserver-count=3 --audit-log-maxage=30 --audit-log-maxbackup=3 --audit-log-maxsize=100 --audit-log-path=/var/lib/audit.log --event-ttl=1h"

Four settings in this file deserve a second look before you start the service. The insecure port (8080 here, bound to 10.2.1.37) performs no authentication or authorization at all, so every host that can reach 10.2.1.37:8080 is cluster-admin; it is left open because kube-controller-manager, kube-scheduler, kubelet and kube-proxy are pointed at it through KUBE_MASTER, but outside a throwaway lab bind it to 127.0.0.1 (or set --insecure-port=0) and give those components kubeconfigs for the secure port, 6443 by default. The etcd endpoints are plain http://, so the whole cluster state travels in the clear. --service-account-key-file points at ca-key.pem, the CA's own private key; it works, because the apiserver only needs that key to verify the service-account tokens kube-controller-manager signs, but it couples token signing to certificate issuance, and a dedicated key pair is cleaner. Finally, KUBE_ANONYMOUS_AUTH is commented out, so unauthenticated requests on the secure port are accepted as system:anonymous and RBAC is the only thing that holds them back.

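The added script below (my code, not the article's or the Handbook's) sources an /etc/kubernetes/apiserver-style file and prints one line per risky setting: a routable insecure port, http:// etcd endpoints, anonymous auth left on, a missing or AlwaysAllow authorization mode, and the CA private key reused as the service-account key. The first constructed sample is this article's file (active lines only); the second is a hardened variant, and the /etc/kubernetes/ssl/sa.pub path in it is an assumed name.

```bash
#!/bin/bash
# Added example (not from the original article or the Kubernetes Handbook): source an
# /etc/kubernetes/apiserver-style env file and report the settings that decide who can talk to
# this API server without credentials. Sample 1 is this article's config; sample 2 and its
# /etc/kubernetes/ssl/sa.pub path are assumptions for illustration.

# Prints one line per finding and always exits 0. The body is a subshell so that sourcing the
# file cannot leak KUBE_* variables into the caller.
audit_apiserver_env() (
  # shellcheck disable=SC1090
  . "$1"
  flags=" ${KUBE_API_ADDRESS:-} ${KUBE_API_PORT:-} ${KUBE_ETCD_SERVERS:-} ${KUBE_ANONYMOUS_AUTH:-} ${KUBE_API_ARGS:-} "

  # 1. The insecure port does no authentication or authorization: every request on it is
  #    cluster-admin. Only a loopback bind or --insecure-port=0 (--port=0) is acceptable.
  case "$flags" in
    *" --insecure-port=0 "*|*" --port=0 "*|*"--insecure-bind-address=127.0.0.1"*) ;;
    *"--insecure-bind-address="*)
      echo "insecure port: bound to a routable address; anyone who reaches it is cluster-admin" ;;
  esac

  # 2. etcd holds the whole cluster state, Secrets included; plain http puts it on the wire.
  etcd=${flags#*--etcd-servers=}; etcd=${etcd%% *}
  case "$etcd" in
    *http://*) echo "etcd: plaintext endpoints ($etcd); use https with --etcd-cafile/--etcd-certfile/--etcd-keyfile" ;;
  esac

  # 3. --anonymous-auth defaults to true: unauthenticated requests on the secure port are
  #    authorized as system:anonymous, so RBAC alone stands between them and the API.
  case "$flags" in
    *"--anonymous-auth=false"*) ;;
    *) echo "anonymous-auth: not disabled (defaults to true)" ;;
  esac

  # 4. Without --authorization-mode the default is AlwaysAllow, which makes authentication moot.
  case "$flags" in
    *"--authorization-mode="*AlwaysAllow*) echo "authorization: AlwaysAllow is enabled" ;;
    *"--authorization-mode="*) ;;
    *) echo "authorization: no --authorization-mode set (default AlwaysAllow)" ;;
  esac

  # 5. Handbook-style setups verify service-account tokens with the CA's private key, so one key
  #    both signs tokens and issues client certificates. Heuristic: <client-ca>.pem -> <client-ca>-key.pem.
  sa=${flags#*--service-account-key-file=}; sa=${sa%% *}
  ca=${flags#*--client-ca-file=}; ca=${ca%% *}
  if [ -n "$ca" ] && [ "$sa" = "${ca%.pem}-key.pem" ]; then
    echo "service-account-key-file: reuses the CA private key ($sa); use a dedicated key pair"
  fi
)

# Constructed input 1: the active lines of this article's /etc/kubernetes/apiserver.
write_weak_apiserver_env() {
  cat > "$1" <<'EOF'
KUBE_API_ADDRESS="--advertise-address=10.2.1.37 --bind-address=10.2.1.37 --insecure-bind-address=10.2.1.37"
KUBE_API_PORT="--port=8080"
KUBE_ETCD_SERVERS="--etcd-servers=http://10.2.1.30:2379,http://10.2.1.31:2379,http://10.2.1.33:2379"
KUBE_API_ARGS="--authorization-mode=RBAC --kubelet-https=true --token-auth-file=/etc/kubernetes/token.csv --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem"
EOF
}

# Constructed input 2: the same file with the insecure port closed, etcd over TLS, anonymous
# access off and a dedicated service-account verification key (sa.pub is an assumed path).
write_hardened_apiserver_env() {
  cat > "$1" <<'EOF'
KUBE_API_ADDRESS="--advertise-address=10.2.1.37 --bind-address=10.2.1.37 --insecure-bind-address=127.0.0.1"
KUBE_API_PORT="--insecure-port=0"
KUBE_ETCD_SERVERS="--etcd-servers=https://10.2.1.30:2379,https://10.2.1.31:2379,https://10.2.1.33:2379 --etcd-cafile=/etc/kubernetes/ssl/ca.pem --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem"
KUBE_ANONYMOUS_AUTH="--anonymous-auth=false"
KUBE_API_ARGS="--authorization-mode=RBAC --kubelet-https=true --token-auth-file=/etc/kubernetes/token.csv --client-ca-file=/etc/kubernetes/ssl/ca.pem --service-account-key-file=/etc/kubernetes/ssl/sa.pub"
EOF
}

for sample in weak hardened; do
  f=$(mktemp)
  "write_${sample}_apiserver_env" "$f"
  echo "== $sample =="
  audit_apiserver_env "$f"
  rm -f "$f"
done
```

Run it as `audit_apiserver_env /etc/kubernetes/apiserver` on the master; the weak sample reports four lines and the hardened one none. If you adopt the hardened variant, KUBE_MASTER=http://10.2.1.37:8080 in /etc/kubernetes/config stops working: kube-controller-manager, kube-scheduler, kubelet and kube-proxy then need kubeconfigs for https://10.2.1.37:6443 with their own client certificates. Turning anonymous auth off also makes unauthenticated /healthz probes fail, so any load-balancer check has to present credentials.
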
Configure the kube-apiserver systemd unit

[Unit]
Description=Kubernetes API Service
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
#After=etcd.service

[Service]
EnvironmentFile=-/etc/kubernetes/config
EnvironmentFile=-/etc/kubernetes/apiserver
ExecStart=/usr/bin/kube-apiserver \
$KUBE_LOGTOSTDERR \
$KUBE_LOG_LEVEL \
$KUBE_ETCD_SERVERS \
$KUBE_API_ADDRESS \
$KUBE_API_PORT \
$KUBELET_PORT \
$KUBE_ALLOW_PRIV \
$KUBE_SERVICE_ADDRESSES \
$KUBE_ADMISSION_CONTROL \
$KUBE_ANONYMOUS_AUTH \
$KUBE_API_ARGS
Restart=on-failure
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Start kube-apiserver

systemctl daemon-reload
systemctl enable kube-apiserver
systemctl start kube-apiserver

Check the unit's status and journal before moving on; the usual failure at this point is the apiserver refusing to start because one of the certificate paths in /etc/kubernetes/apiserver does not exist on this host.

Start kube-controller-manager

Start kube-scheduler

Install the Kubernetes nodes

Start kube-proxy

Start the kubelet

Install the K8s add-ons

The final result

Dashboard view

Data in the etcd database