一. 常用镜像库daocloud的docker镜像库: daocloud.io/library docker-hub的k8s镜像库 mirrorgooglecontainersaliyun的k8s镜像库registry.cn-hangzhou.aliyuncs.com/google-containersdocker镜像仓库aliyun的docker镜像库web页面 https://cr.console.aliyun.com/cn-hangzhou/images google的镜像库web页面 https://console.cloud.google.com/gcr/images/google-containers?projectgoogle-containers二.集群部署方式方式1. minikubeMinikube是一个工具可以在本地快速运行一个单点的Kubernetes尝试Kubernetes或日常开发的用户使用。不能用于生产环境。 官方地址https://kubernetes.io/docs/setup/minikube/方式2. kubeadmKubeadm也是一个工具提供kubeadm init和kubeadm join用于快速部署Kubernetes集群。 官方地址https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/方式3. 直接使用epel-release yum源缺点就是版本较低 1.5方式4. 二进制包三.Kubeadm 方式部署集群kubeadm部署官方文档kubeadm部署k8s高可用集群的官方文档主机名地址角色配置k8s-master192.168.246.166主节点2核4Gk8s-node1192.168.246.167工作节点1核2Gk8s-node2192.168.246.169工作节点1核2G4.1获取镜像如果使用提前打包好的镜像以下七个镜像三台节点都需要提前导入谷歌镜像[由于国内网络原因无法下载后续将采用阿里云镜像代替]docker pull k8s.gcr.io/kube-apiserver:v1.20.2 docker pull k8s.gcr.io/kube-proxy:v1.20.2 docker pull k8s.gcr.io/kube-controller-manager:v1.20.2 docker pull k8s.gcr.io/kube-scheduler:v1.20.2 docker pull k8s.gcr.io/etcd:3.3.15 docker pull k8s.gcr.io/pause:3.1 docker pull k8s.gcr.io/coredns:1.6.2特别说明所有机器都必须有镜像 每次部署都会有版本更新具体版本要求运行初始化过程失败会有版本提示 kubeadm的版本和镜像的版本必须是对应的4.2 安装docker[集群]安装docker–三台机器都操作# yum remove docker \ docker-client \ docker-client-latest \ docker-common \ docker-latest \ docker-latest-logrotate \ docker-logrotate \ docker-selinux \ docker-engine-selinux \ docker-engine # yum install -y yum-utils device-mapper-persistent-data lvm2 git # yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # yum install docker-ce -y 启动并设置开机启动4.3 阿里仓库下载[集群]docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 # 下载完了之后需要将aliyun下载下来的所有镜像打成k8s.gcr.io/kube-controller-manager:v1.20.2这样的tag docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.20.2 k8s.gcr.io/kube-controller-manager:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.20.2 k8s.gcr.io/kube-proxy:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.20.2 k8s.gcr.io/kube-apiserver:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.20.2 k8s.gcr.io/kube-scheduler:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 k8s.gcr.io/coredns:1.7.0 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0 k8s.gcr.io/etcd:3.4.13-0 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 k8s.gcr.io/pause:3.24.4 集群部署[集群]cat /etc/hosts EOF 192.168.200.36 kub-k8s-master 192.168.200.37 kub-k8s-node1 192.168.200.38 kub-k8s-node2 EOF 制作本地解析修改主机名。相互解析4.5 集群环境配置[集群]1.关闭防火墙 # systemctl disable firewalld --now 2.禁用SELinux # setenforce 0 3.编辑文件/etc/selinux/config将SELINUX修改为disabled如下 # sed -i s/SELINUXenforcing/SELINUXdisabled/ /etc/sysconfig/selinux SELINUXdisabled 4.时间同步 # timedatectl set-timezone Asia/Shanghai # yum install -y ntpdate # ntpdate ntp.aliyun.com 5.配置静态ip4.6 关闭系统Swap[集群]Kubernetes 1.8开始要求关闭系统的Swap如果不关闭默认配置下kubelet将无法启动。方法一: 通过kubelet的启动参数–fail-swap-onfalse更改这个限制。方法二: 关闭系统的Swap。1.关闭swap分区 # swapoff -a 修改/etc/fstab文件注释掉SWAP的自动挂载使用free -m确认swap已经关闭。 2.注释掉swap分区 # sed -i s/.*swap.*/#/ /etc/fstab # free -m total used free shared buff/cache available Mem: 3935 144 3415 8 375 3518 Swap: 0 0 04.7 安装Kubeadm包[集群]配置源 # cat EOF /etc/yum.repos.d/kubernetes.repo [kubernetes] nameKubernetes baseurlhttps://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled1 gpgcheck0 repo_gpgcheck0 gpgkeyhttps://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF所有节点 1.安装对应版本 # yum install -y kubelet-1.20.2-0.x86_64 kubeadm-1.20.2-0.x86_64 kubectl-1.20.2-0.x86_64 ipvsadm 2.加载ipvs相关内核模块 # cat EOF /etc/modules-load.d/ipvs.conf ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_nq ip_vs_sed ip_vs_ftp ip_vs_sh nf_conntrack_ipv4 ip_tables ip_set xt_set ipt_set ipt_rpfilter ipt_REJECT ipip EOF 4.配置 配置转发相关参数否则可能会出错 # cat EOF /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables 1 net.bridge.bridge-nf-call-iptables 1 vm.swappiness0 EOF 5.使配置生效 # sysctl --system 6.如果net.bridge.bridge-nf-call-iptables报错加载br_netfilter模块 # modprobe br_netfilter # sysctl -p /etc/sysctl.d/k8s.conf 重启服务器 7.查看是否加载成功 # lsmod | grep ip_vs4.8 配置启动kubelet[集群]1.配置kubelet使用pause镜像 获取docker的cgroups # DOCKER_CGROUPS$(docker info | grep Cgroup | cut -d -f4) # echo $DOCKER_CGROUPS 配置变量 [rootk8s-master ~]# DOCKER_CGROUPSdocker info |grep Cgroup | awk NR1 {print $3} [rootk8s-master ~]# echo $DOCKER_CGROUPS cgroupfs 2.配置kubelet的cgroups # cat /etc/sysconfig/kubeletEOF KUBELET_EXTRA_ARGS--cgroup-driver$DOCKER_CGROUPS --pod-infra-container-imagek8s.gcr.io/pause:3.2 EOF启动 # systemctl daemon-reload # systemctl enable kubelet systemctl restart kubelet 在这里使用 # systemctl status kubelet你会发现报错误信息 10月 11 00:26:43 node1 systemd[1]: kubelet.service: main process exited, codeexited, status255/n/a 10月 11 00:26:43 node1 systemd[1]: Unit kubelet.service entered failed state. 10月 11 00:26:43 node1 systemd[1]: kubelet.service failed. 运行 # journalctl -xefu kubelet 命令查看systemd日志才发现真正的错误是 unable to load client CA file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory #这个错误在运行kubeadm init 生成CA证书后会被自动解决此处可先忽略。 #简单地说就是在kubeadm init 之前kubelet会不断重启。4.9 配置master节点[master]运行初始化过程如下 [rootkub-k8s-master]# kubeadm init --kubernetes-versionv1.20.2 --pod-network-cidr10.244.0.0/16 --apiserver-advertise-address192.168.246.166 注 apiserver-advertise-address192.168.246.166 ---master的ip地址。 --kubernetes-versionv1.20.2 --更具具体版本进行修改 如果报错会有版本提示那就是有更新新版本了 [init] Using Kubernetes version: v1.20.2 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected cgroupfs as the Docker cgroup driver. The recommended driver is systemd. Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.03.0-ce. Latest validated version: 18.09 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using kubeadm config images pull [kubelet-start] Writing kubelet environment file with flags to file /var/lib/kubelet/kubeadm-flags.env [kubelet-start] Writing kubelet configuration to file /var/lib/kubelet/config.yaml [kubelet-start] Activating the kubelet service [certs] Using certificateDir folder /etc/kubernetes/pki [certs] Generating ca certificate and key [certs] Generating apiserver certificate and key [certs] apiserver serving cert is signed for DNS names [kub-k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.246.166] [certs] Generating apiserver-kubelet-client certificate and key [certs] Generating front-proxy-ca certificate and key [certs] Generating front-proxy-client certificate and key [certs] Generating etcd/ca certificate and key [certs] Generating etcd/server certificate and key [certs] etcd/server serving cert is signed for DNS names [kub-k8s-master localhost] and IPs [192.168.246.166 127.0.0.1 ::1] [certs] Generating etcd/peer certificate and key [certs] etcd/peer serving cert is signed for DNS names [kub-k8s-master localhost] and IPs [192.168.246.166 127.0.0.1 ::1] [certs] Generating etcd/healthcheck-client certificate and key [certs] Generating apiserver-etcd-client certificate and key [certs] Generating sa key and public key [kubeconfig] Using kubeconfig folder /etc/kubernetes [kubeconfig] Writing admin.conf kubeconfig file [kubeconfig] Writing kubelet.conf kubeconfig file [kubeconfig] Writing controller-manager.conf kubeconfig file [kubeconfig] Writing scheduler.conf kubeconfig file [control-plane] Using manifest folder /etc/kubernetes/manifests [control-plane] Creating static Pod manifest for kube-apiserver [control-plane] Creating static Pod manifest for kube-controller-manager [control-plane] Creating static Pod manifest for kube-scheduler [etcd] Creating static Pod manifest for local etcd in /etc/kubernetes/manifests [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory /etc/kubernetes/manifests. This can take up to 4m0s [apiclient] All control plane components are healthy after 24.575209 seconds [upload-config] Storing the configuration used in ConfigMap kubeadm-config in the kube-system Namespace [kubelet] Creating a ConfigMap kubelet-config-1.16 in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node kub-k8s-master as control-plane by adding the label node-role.kubernetes.io/master [mark-control-plane] Marking the node kub-k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: 93erio.hbn2ti6z50he0lqs [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the cluster-info ConfigMap in the kube-public namespace [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run kubectl apply -f [podnetwork].yaml with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join 192.168.246.166:6443 --token 93erio.hbn2ti6z50he0lqs \ --discovery-token-ca-cert-hash sha256:3bc60f06a19bd09f38f3e05e5cff4299011b7110ca3281796668f4edb29a56d9 #需要记住上面记录了完成的初始化输出的内容根据输出的内容基本上可以看出手动初始化安装一个Kubernetes集群所需要的关键步骤。 其中有以下关键内容 [kubelet] 生成kubelet的配置文件”/var/lib/kubelet/config.yaml” [certificates]生成相关的各种证书 [kubeconfig]生成相关的kubeconfig文件 [bootstraptoken]生成token记录下来后边使用kubeadm join往集群中添加节点时会用到 配置使用kubectl 如下操作在master节点操作 [rootkub-k8s-master ~]# rm -rf $HOME/.kube [rootkub-k8s-master ~]# mkdir -p $HOME/.kube [rootkub-k8s-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [rootkub-k8s-master ~]# chown $(id -u):$(id -g) $HOME/.kube/config 查看node节点 [rootk8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-master NotReady master 2m41s v1.20.2初始化报错或者node节点加入集群报错该问题是因为docker驱动和k8s驱动不一致导致的修改为一致即可4.10 配置使用网络插件[master]#提前将calico的镜像导入最好所有节点都导入因为不清楚calico会起在哪个节点上要不然还会去官网拉镜像特别慢 # 版本差异 https://projectcalico.docs.tigera.io/archive/v3.20/getting-started/kubernetes/requirements # 部署calico网络插件 curl https://docs.projectcalico.org/v3.20/manifests/calico.yaml -O kubectl apply -f calico.yaml # kubectl get pod -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system calico-kube-controllers-6d9cdcd744-8jt5g 1/1 Running 0 6m50s kube-system calico-node-rkz4s 1/1 Running 0 6m50s kube-system coredns-74ff55c5b-bcfzg 1/1 Running 0 52m kube-system coredns-74ff55c5b-qxl6z 1/1 Running 0 52m kube-system etcd-kub-k8s-master 1/1 Running 0 53m kube-system kube-apiserver-kub-k8s-master 1/1 Running 0 53m kube-system kube-controller-manager-kub-k8s-master 1/1 Running 0 53m kube-system kube-proxy-gfhkf 1/1 Running 0 52m kube-system kube-scheduler-kub-k8s-master 1/1 Running 0 53m docker.io/calico/node:v3.20.6 docker.io/calico/pod2daemon-flexvol:v3.20.6 docker.io/calico/cni:v3.20.6 docker.io/calico/kube-controllers:v3.20.6以上查看pod可能coredns和calico可能是pending这是因为下载calico的镜像需要等直到全部为runningnode节点上也会自动下载calico镜像如果node节点上没有下载calico镜像那么下面的加入集群可能会有问题如果集群中node节点为notready用以下命令查看calico的pod信息kubectl describe pod calico-kube-controllers-577f77cb5c-k4lc5 -n kube-system如果报错如下则修改calico.yaml指定网卡- name: IP_AUTODETECTION_METHOD value: interfaceens334.11 node加入集群[node]配置node节点加入集群 如果报错开启ip转发 # sysctl -w net.ipv4.ip_forward1 在所有node节点操作此命令为初始化master成功后返回的结果 # kubeadm join 192.168.246.166:6443 --token 93erio.hbn2ti6z50he0lqs \ --discovery-token-ca-cert-hash sha256:3bc60f06a19bd09f38f3e05e5cff4299011b7110ca3281796668f4edb29a56d94.12 后续检查[master]各种检测 1.查看pods: [rootkub-k8s-master ~]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-5644d7b6d9-sm8hs 1/1 Running 0 39m coredns-5644d7b6d9-vddll 1/1 Running 0 39m etcd-kub-k8s-master 1/1 Running 0 37m kube-apiserver-kub-k8s-master 1/1 Running 0 38m kube-controller-manager-kub-k8s-master 1/1 Running 0 38m kube-flannel-ds-amd64-9wgd8 1/1 Running 0 38m kube-flannel-ds-amd64-lffc8 1/1 Running 0 2m11s kube-flannel-ds-amd64-m8kk2 1/1 Running 0 2m2s kube-proxy-dwq9l 1/1 Running 0 2m2s kube-proxy-l77lz 1/1 Running 0 2m11s kube-proxy-sgphs 1/1 Running 0 39m kube-scheduler-kub-k8s-master 1/1 Running 0 37m 2.查看节点 [rootkub-k8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION kub-k8s-master Ready master 43m v1.20.2 kub-k8s-node1 Ready none 6m46s v1.20.2 kub-k8s-node2 Ready none 6m37s v1.20.2 到此集群配置完成错误整理# 如果集群初始化失败(每个节点都要执行然后从4.9开始重新初始化) $ kubeadm reset -f; ipvsadm --clear; rm -rf ~/.kube $ systemctl restart kubelet # 如果忘记token值 $ kubeadm token create --print-join-command $ kubeadm init phase upload-certs --upload-certs四.集群部署Dashboard5.1 部署Dashboard镜像名字kubernetesui/dashboard:v2.4.0 # kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml # kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard # 注意将 type: ClusterIP 改为 type: NodePort # kubectl get svc -A |grep kubernetes-dashboard kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.107.179.10 none 8000/TCP 38s kubernetes-dashboard kubernetes-dashboard NodePort 10.110.18.72 none 443:32231/TCP 38s5.2 创建访问账号#创建访问账号准备一个yaml文件 vi dash.yaml apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard # kubectl apply -f dash.yaml5.3 获取访问令牌#获取访问令牌 # kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath{.secrets[0].name}) -o go-template{{.data.token | base64decode}} eyJhbGciOiJSUzI1NiIsImtpZCI6ImhRa2Q3UDFGempzb3VneVdUS0R0dk50SHlwUHExc0tuT21SOTdWQkczaG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXBmbGxyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlNDk0MTFhYS0zOTVhLTRkYzUtYmZmYS04MDZiODE3M2VmZWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.k3Gd9vRF6gP3Zxy89x14y4I2RCGn232bGLo9A5iEmeMl6BRPdJXZPbwy9fm3OT6ZjVc7LHiRgArczjZuCU3Sis4tIA_24A55h74WQE_JTeiZ5XnSGRknYQRHFSqyBrTaTxgDJb-O-DHol8GQLQjr6gIPzppHc-RhWhUFFNnPVP1nr2MLFBkvIT_qAcbHP6McFf2N6IsYwVFuvyIO77qWcmyFlgSr8a3A0INEJYB2bFPRL82rNc41c0TsUwOguQbJYrDA9lBqVpSff_7Uk_-7ycabZclbZX1HPz2-F59LQW7NWQy7biZw5b25AZaXAG3kL3SDuRRBoMNS92MmDFsVyA5.4 浏览器访问火狐可直接访问如果想谷歌访问保持焦点在页面内鼠标在页面空白处点击不选中任何按钮直接输入“thisisunsafe”输完后按回车键就可以正常访问网页。任意节点ip端口[上面查看到为32231] https://192.168.246.216:32231/ 使用token登录另外一种图形化插件kuboarddocker run -d–restartunless-stopped–namekuboard-p 80:80/tcp-p 10081:10081/udp-p 10081:10081/tcp-e KUBOARD_ENDPOINT“http://kuboard.my-company.com:80”-e KUBOARD_AGENT_SERVER_UDP_PORT“10081”-e KUBOARD_AGENT_SERVER_TCP_PORT“10081”-v /root/kuboard-data:/dataeipwork/kuboard:v3.1.7.1账号admin密码Kuboard123五.集群常用指令5.1 基础控制指令# 查看对应资源: 状态 $ kubectl get SOURCE_NAME -n NAMESPACE -o wide # 查看对应资源: 事件信息 $ kubectl describe SOURCE_NAME SOURCE_NAME_RANDOM_ID -n NAMESPACE kubectl describe pod kube-proxy-fdvbt -n kube-system # 查看pod资源: 日志 $ kubectl logs -f SOURCE_NAME_RANDOM_ID [CONTINER_NAME] -n NAMESPACE # 创建资源: 根据资源清单 $ kubectl apply[or create] -f SOURCE_FILENAME.yaml # 删除资源: 根据资源清单 $ kubectl delete -f SOURCE_FILENAME.yaml # 修改资源: 根据反射出的etcd中的配置内容, 生产中不允许该项操作, 且命令禁止 $ kubectl edit SOURCE_NAME SOURCE_NAME_RANDOM_ID -n NAMESPACE5.2 命令实践# 查看node状态 $ kubectl get node # -o wide 显示更加详细的信息 # 查看service对象 $ kubectl get svc 或者 kubectl get service # 查看kube-system名称空间内的Pod $ kubectl get pod -n kube-system # 查看所有名称空间内的pod $ kubectl get pod -A # 查看集群信息 $ kubectl cluster-info # 查看各组件信息 $ kubectl -s https://api-server:6443 get componentstatuses # 查看各资源对象对应的api版本 $ kubectl explain pod # 查看帮助信息 $ kubectl explain deployment $ kubectl explain deployment.spec $ kubectl explain deployment.spec.replicas5.3 备注问题一 查看各组件信息可能会发现错误 $ kubectl -s https://192.168.96.143:6443 get componentstatuses Warning: v1 ComponentStatus is deprecated in v1.19 NAME STATUS MESSAGE ERROR scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused controller-manager Unhealthy Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused etcd-0 Healthy {health:true} 问题一解决 $ vim /etc/kubernetes/manifests/kube-scheduler.yaml 10 spec: 11 containers: 12 - command: 13 - kube-scheduler 14 - --authentication-kubeconfig/etc/kubernetes/scheduler.conf 15 - --authorization-kubeconfig/etc/kubernetes/scheduler.conf 16 - --bind-address127.0.0.1 17 - --kubeconfig/etc/kubernetes/scheduler.conf 18 - --leader-electtrue 19 - --port0 # 将此行注释或删除 $ vim /etc/kubernetes/manifests/kube-controller-manager.yaml 10 spec: 11 containers: 12 - command: 13 - kube-controller-manager 14 - --allocate-node-cidrstrue 15 - --authentication-kubeconfig/etc/kubernetes/controller-manager.conf 16 - --authorization-kubeconfig/etc/kubernetes/controller-manager.conf 17 - --bind-address127.0.0.1 18 - --client-ca-file/etc/kubernetes/pki/ca.crt 19 - --cluster-cidr10.244.0.0/16 20 - --cluster-namekubernetes 21 - --cluster-signing-cert-file/etc/kubernetes/pki/ca.crt 22 - --cluster-signing-key-file/etc/kubernetes/pki/ca.key 23 - --controllers*,bootstrapsigner,tokencleaner 24 - --kubeconfig/etc/kubernetes/controller-manager.conf 25 - --port0 # 将此行注释或删除 $ systemctl restart kubelet $ kubectl -s https://192.168.96.143:6443 get componentstatuses Warning: v1 ComponentStatus is deprecated in v1.19 NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {health:true}六.Yaml语法解析YAML是一个类似 XML、JSON 的标记性语言。它强调以数据为中心并不是以标识语言为重点。因而YAML本身的定义比较简单号称一种人性化的数据格式语言。YAML的语法比较简单主要有下面几个 1、大小写敏感 2、使用缩进表示层级关系 3、缩进不允许使用tab只允许空格( 低版本限制 ) 4、缩进的空格数不重要只要相同层级的元素左对齐即可 5、#表示注释 YAML支持以下几种数据类型 1、纯量单个的、不可再分的值 2、对象键值对的集合又称为映射mapping/ 哈希hash / 字典dictionary 3、数组一组按次序排列的值又称为序列sequence / 列表list 补充说明 1、书写yaml切记: 后面要加一个空格 2、如果需要将多段yaml配置放在一个文件中中间要使用---分隔举个例子通过声明式配置yaml 创建名称空间$ vim namespace.yaml apiVersion: v1 #api版本 kind: Namespace #资源对象类型 metadata: name: webserver $ kubectl apply -f namespace.yaml 查看命名空间 $ kubectl get namespace 或 $ kubectl get ns # 如果通过命令行创建 $ kubectl create namespace webserver # 删除名称空间[注意这将删除名称空间下的所有资源] $ kubectl delete namespace webserver义比较简单号称一种人性化的数据格式语言。YAML的语法比较简单主要有下面几个 1、大小写敏感 2、使用缩进表示层级关系 3、缩进不允许使用tab只允许空格( 低版本限制 ) 4、缩进的空格数不重要只要相同层级的元素左对齐即可 5、#表示注释 YAML支持以下几种数据类型 1、纯量单个的、不可再分的值 2、对象键值对的集合又称为映射mapping/ 哈希hash / 字典dictionary 3、数组一组按次序排列的值又称为序列sequence / 列表list 补充说明 1、书写yaml切记: 后面要加一个空格 2、如果需要将多段yaml配置放在一个文件中中间要使用---分隔举个例子通过声明式配置yaml 创建名称空间$ vim namespace.yaml apiVersion: v1 #api版本 kind: Namespace #资源对象类型 metadata: name: webserver $ kubectl apply -f namespace.yaml 查看命名空间 $ kubectl get namespace 或 $ kubectl get ns # 如果通过命令行创建 $ kubectl create namespace webserver # 删除名称空间[注意这将删除名称空间下的所有资源] $ kubectl delete namespace webserver
Yaml语法解析
发布时间:2026/6/5 16:01:15
一. 常用镜像库daocloud的docker镜像库: daocloud.io/library docker-hub的k8s镜像库 mirrorgooglecontainersaliyun的k8s镜像库registry.cn-hangzhou.aliyuncs.com/google-containersdocker镜像仓库aliyun的docker镜像库web页面 https://cr.console.aliyun.com/cn-hangzhou/images google的镜像库web页面 https://console.cloud.google.com/gcr/images/google-containers?projectgoogle-containers二.集群部署方式方式1. minikubeMinikube是一个工具可以在本地快速运行一个单点的Kubernetes尝试Kubernetes或日常开发的用户使用。不能用于生产环境。 官方地址https://kubernetes.io/docs/setup/minikube/方式2. kubeadmKubeadm也是一个工具提供kubeadm init和kubeadm join用于快速部署Kubernetes集群。 官方地址https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm/方式3. 直接使用epel-release yum源缺点就是版本较低 1.5方式4. 二进制包三.Kubeadm 方式部署集群kubeadm部署官方文档kubeadm部署k8s高可用集群的官方文档主机名地址角色配置k8s-master192.168.246.166主节点2核4Gk8s-node1192.168.246.167工作节点1核2Gk8s-node2192.168.246.169工作节点1核2G4.1获取镜像如果使用提前打包好的镜像以下七个镜像三台节点都需要提前导入谷歌镜像[由于国内网络原因无法下载后续将采用阿里云镜像代替]docker pull k8s.gcr.io/kube-apiserver:v1.20.2 docker pull k8s.gcr.io/kube-proxy:v1.20.2 docker pull k8s.gcr.io/kube-controller-manager:v1.20.2 docker pull k8s.gcr.io/kube-scheduler:v1.20.2 docker pull k8s.gcr.io/etcd:3.3.15 docker pull k8s.gcr.io/pause:3.1 docker pull k8s.gcr.io/coredns:1.6.2特别说明所有机器都必须有镜像 每次部署都会有版本更新具体版本要求运行初始化过程失败会有版本提示 kubeadm的版本和镜像的版本必须是对应的4.2 安装docker[集群]安装docker–三台机器都操作# yum remove docker \ docker-client \ docker-client-latest \ docker-common \ docker-latest \ docker-latest-logrotate \ docker-logrotate \ docker-selinux \ docker-engine-selinux \ docker-engine # yum install -y yum-utils device-mapper-persistent-data lvm2 git # yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo # yum install docker-ce -y 启动并设置开机启动4.3 阿里仓库下载[集群]docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.20.2 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0 docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 # 下载完了之后需要将aliyun下载下来的所有镜像打成k8s.gcr.io/kube-controller-manager:v1.20.2这样的tag docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-controller-manager:v1.20.2 k8s.gcr.io/kube-controller-manager:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.20.2 k8s.gcr.io/kube-proxy:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-apiserver:v1.20.2 k8s.gcr.io/kube-apiserver:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.20.2 k8s.gcr.io/kube-scheduler:v1.20.2 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0 k8s.gcr.io/coredns:1.7.0 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0 k8s.gcr.io/etcd:3.4.13-0 docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2 k8s.gcr.io/pause:3.24.4 集群部署[集群]cat /etc/hosts EOF 192.168.200.36 kub-k8s-master 192.168.200.37 kub-k8s-node1 192.168.200.38 kub-k8s-node2 EOF 制作本地解析修改主机名。相互解析4.5 集群环境配置[集群]1.关闭防火墙 # systemctl disable firewalld --now 2.禁用SELinux # setenforce 0 3.编辑文件/etc/selinux/config将SELINUX修改为disabled如下 # sed -i s/SELINUXenforcing/SELINUXdisabled/ /etc/sysconfig/selinux SELINUXdisabled 4.时间同步 # timedatectl set-timezone Asia/Shanghai # yum install -y ntpdate # ntpdate ntp.aliyun.com 5.配置静态ip4.6 关闭系统Swap[集群]Kubernetes 1.8开始要求关闭系统的Swap如果不关闭默认配置下kubelet将无法启动。方法一: 通过kubelet的启动参数–fail-swap-onfalse更改这个限制。方法二: 关闭系统的Swap。1.关闭swap分区 # swapoff -a 修改/etc/fstab文件注释掉SWAP的自动挂载使用free -m确认swap已经关闭。 2.注释掉swap分区 # sed -i s/.*swap.*/#/ /etc/fstab # free -m total used free shared buff/cache available Mem: 3935 144 3415 8 375 3518 Swap: 0 0 04.7 安装Kubeadm包[集群]配置源 # cat EOF /etc/yum.repos.d/kubernetes.repo [kubernetes] nameKubernetes baseurlhttps://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64 enabled1 gpgcheck0 repo_gpgcheck0 gpgkeyhttps://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg EOF所有节点 1.安装对应版本 # yum install -y kubelet-1.20.2-0.x86_64 kubeadm-1.20.2-0.x86_64 kubectl-1.20.2-0.x86_64 ipvsadm 2.加载ipvs相关内核模块 # cat EOF /etc/modules-load.d/ipvs.conf ip_vs ip_vs_lc ip_vs_wlc ip_vs_rr ip_vs_wrr ip_vs_lblc ip_vs_lblcr ip_vs_dh ip_vs_sh ip_vs_nq ip_vs_sed ip_vs_ftp ip_vs_sh nf_conntrack_ipv4 ip_tables ip_set xt_set ipt_set ipt_rpfilter ipt_REJECT ipip EOF 4.配置 配置转发相关参数否则可能会出错 # cat EOF /etc/sysctl.d/k8s.conf net.bridge.bridge-nf-call-ip6tables 1 net.bridge.bridge-nf-call-iptables 1 vm.swappiness0 EOF 5.使配置生效 # sysctl --system 6.如果net.bridge.bridge-nf-call-iptables报错加载br_netfilter模块 # modprobe br_netfilter # sysctl -p /etc/sysctl.d/k8s.conf 重启服务器 7.查看是否加载成功 # lsmod | grep ip_vs4.8 配置启动kubelet[集群]1.配置kubelet使用pause镜像 获取docker的cgroups # DOCKER_CGROUPS$(docker info | grep Cgroup | cut -d -f4) # echo $DOCKER_CGROUPS 配置变量 [rootk8s-master ~]# DOCKER_CGROUPSdocker info |grep Cgroup | awk NR1 {print $3} [rootk8s-master ~]# echo $DOCKER_CGROUPS cgroupfs 2.配置kubelet的cgroups # cat /etc/sysconfig/kubeletEOF KUBELET_EXTRA_ARGS--cgroup-driver$DOCKER_CGROUPS --pod-infra-container-imagek8s.gcr.io/pause:3.2 EOF启动 # systemctl daemon-reload # systemctl enable kubelet systemctl restart kubelet 在这里使用 # systemctl status kubelet你会发现报错误信息 10月 11 00:26:43 node1 systemd[1]: kubelet.service: main process exited, codeexited, status255/n/a 10月 11 00:26:43 node1 systemd[1]: Unit kubelet.service entered failed state. 10月 11 00:26:43 node1 systemd[1]: kubelet.service failed. 运行 # journalctl -xefu kubelet 命令查看systemd日志才发现真正的错误是 unable to load client CA file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory #这个错误在运行kubeadm init 生成CA证书后会被自动解决此处可先忽略。 #简单地说就是在kubeadm init 之前kubelet会不断重启。4.9 配置master节点[master]运行初始化过程如下 [rootkub-k8s-master]# kubeadm init --kubernetes-versionv1.20.2 --pod-network-cidr10.244.0.0/16 --apiserver-advertise-address192.168.246.166 注 apiserver-advertise-address192.168.246.166 ---master的ip地址。 --kubernetes-versionv1.20.2 --更具具体版本进行修改 如果报错会有版本提示那就是有更新新版本了 [init] Using Kubernetes version: v1.20.2 [preflight] Running pre-flight checks [WARNING IsDockerSystemdCheck]: detected cgroupfs as the Docker cgroup driver. The recommended driver is systemd. Please follow the guide at https://kubernetes.io/docs/setup/cri/ [WARNING SystemVerification]: this Docker version is not on the list of validated versions: 18.03.0-ce. Latest validated version: 18.09 [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using kubeadm config images pull [kubelet-start] Writing kubelet environment file with flags to file /var/lib/kubelet/kubeadm-flags.env [kubelet-start] Writing kubelet configuration to file /var/lib/kubelet/config.yaml [kubelet-start] Activating the kubelet service [certs] Using certificateDir folder /etc/kubernetes/pki [certs] Generating ca certificate and key [certs] Generating apiserver certificate and key [certs] apiserver serving cert is signed for DNS names [kub-k8s-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 192.168.246.166] [certs] Generating apiserver-kubelet-client certificate and key [certs] Generating front-proxy-ca certificate and key [certs] Generating front-proxy-client certificate and key [certs] Generating etcd/ca certificate and key [certs] Generating etcd/server certificate and key [certs] etcd/server serving cert is signed for DNS names [kub-k8s-master localhost] and IPs [192.168.246.166 127.0.0.1 ::1] [certs] Generating etcd/peer certificate and key [certs] etcd/peer serving cert is signed for DNS names [kub-k8s-master localhost] and IPs [192.168.246.166 127.0.0.1 ::1] [certs] Generating etcd/healthcheck-client certificate and key [certs] Generating apiserver-etcd-client certificate and key [certs] Generating sa key and public key [kubeconfig] Using kubeconfig folder /etc/kubernetes [kubeconfig] Writing admin.conf kubeconfig file [kubeconfig] Writing kubelet.conf kubeconfig file [kubeconfig] Writing controller-manager.conf kubeconfig file [kubeconfig] Writing scheduler.conf kubeconfig file [control-plane] Using manifest folder /etc/kubernetes/manifests [control-plane] Creating static Pod manifest for kube-apiserver [control-plane] Creating static Pod manifest for kube-controller-manager [control-plane] Creating static Pod manifest for kube-scheduler [etcd] Creating static Pod manifest for local etcd in /etc/kubernetes/manifests [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory /etc/kubernetes/manifests. This can take up to 4m0s [apiclient] All control plane components are healthy after 24.575209 seconds [upload-config] Storing the configuration used in ConfigMap kubeadm-config in the kube-system Namespace [kubelet] Creating a ConfigMap kubelet-config-1.16 in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node kub-k8s-master as control-plane by adding the label node-role.kubernetes.io/master [mark-control-plane] Marking the node kub-k8s-master as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule] [bootstrap-token] Using token: 93erio.hbn2ti6z50he0lqs [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the cluster-info ConfigMap in the kube-public namespace [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy Your Kubernetes control-plane has initialized successfully! To start using your cluster, you need to run the following as a regular user: mkdir -p $HOME/.kube sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config sudo chown $(id -u):$(id -g) $HOME/.kube/config You should now deploy a pod network to the cluster. Run kubectl apply -f [podnetwork].yaml with one of the options listed at: https://kubernetes.io/docs/concepts/cluster-administration/addons/ Then you can join any number of worker nodes by running the following on each as root: kubeadm join 192.168.246.166:6443 --token 93erio.hbn2ti6z50he0lqs \ --discovery-token-ca-cert-hash sha256:3bc60f06a19bd09f38f3e05e5cff4299011b7110ca3281796668f4edb29a56d9 #需要记住上面记录了完成的初始化输出的内容根据输出的内容基本上可以看出手动初始化安装一个Kubernetes集群所需要的关键步骤。 其中有以下关键内容 [kubelet] 生成kubelet的配置文件”/var/lib/kubelet/config.yaml” [certificates]生成相关的各种证书 [kubeconfig]生成相关的kubeconfig文件 [bootstraptoken]生成token记录下来后边使用kubeadm join往集群中添加节点时会用到 配置使用kubectl 如下操作在master节点操作 [rootkub-k8s-master ~]# rm -rf $HOME/.kube [rootkub-k8s-master ~]# mkdir -p $HOME/.kube [rootkub-k8s-master ~]# cp -i /etc/kubernetes/admin.conf $HOME/.kube/config [rootkub-k8s-master ~]# chown $(id -u):$(id -g) $HOME/.kube/config 查看node节点 [rootk8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION k8s-master NotReady master 2m41s v1.20.2初始化报错或者node节点加入集群报错该问题是因为docker驱动和k8s驱动不一致导致的修改为一致即可4.10 配置使用网络插件[master]#提前将calico的镜像导入最好所有节点都导入因为不清楚calico会起在哪个节点上要不然还会去官网拉镜像特别慢 # 版本差异 https://projectcalico.docs.tigera.io/archive/v3.20/getting-started/kubernetes/requirements # 部署calico网络插件 curl https://docs.projectcalico.org/v3.20/manifests/calico.yaml -O kubectl apply -f calico.yaml # kubectl get pod -A NAMESPACE NAME READY STATUS RESTARTS AGE kube-system calico-kube-controllers-6d9cdcd744-8jt5g 1/1 Running 0 6m50s kube-system calico-node-rkz4s 1/1 Running 0 6m50s kube-system coredns-74ff55c5b-bcfzg 1/1 Running 0 52m kube-system coredns-74ff55c5b-qxl6z 1/1 Running 0 52m kube-system etcd-kub-k8s-master 1/1 Running 0 53m kube-system kube-apiserver-kub-k8s-master 1/1 Running 0 53m kube-system kube-controller-manager-kub-k8s-master 1/1 Running 0 53m kube-system kube-proxy-gfhkf 1/1 Running 0 52m kube-system kube-scheduler-kub-k8s-master 1/1 Running 0 53m docker.io/calico/node:v3.20.6 docker.io/calico/pod2daemon-flexvol:v3.20.6 docker.io/calico/cni:v3.20.6 docker.io/calico/kube-controllers:v3.20.6以上查看pod可能coredns和calico可能是pending这是因为下载calico的镜像需要等直到全部为runningnode节点上也会自动下载calico镜像如果node节点上没有下载calico镜像那么下面的加入集群可能会有问题如果集群中node节点为notready用以下命令查看calico的pod信息kubectl describe pod calico-kube-controllers-577f77cb5c-k4lc5 -n kube-system如果报错如下则修改calico.yaml指定网卡- name: IP_AUTODETECTION_METHOD value: interfaceens334.11 node加入集群[node]配置node节点加入集群 如果报错开启ip转发 # sysctl -w net.ipv4.ip_forward1 在所有node节点操作此命令为初始化master成功后返回的结果 # kubeadm join 192.168.246.166:6443 --token 93erio.hbn2ti6z50he0lqs \ --discovery-token-ca-cert-hash sha256:3bc60f06a19bd09f38f3e05e5cff4299011b7110ca3281796668f4edb29a56d94.12 后续检查[master]各种检测 1.查看pods: [rootkub-k8s-master ~]# kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-5644d7b6d9-sm8hs 1/1 Running 0 39m coredns-5644d7b6d9-vddll 1/1 Running 0 39m etcd-kub-k8s-master 1/1 Running 0 37m kube-apiserver-kub-k8s-master 1/1 Running 0 38m kube-controller-manager-kub-k8s-master 1/1 Running 0 38m kube-flannel-ds-amd64-9wgd8 1/1 Running 0 38m kube-flannel-ds-amd64-lffc8 1/1 Running 0 2m11s kube-flannel-ds-amd64-m8kk2 1/1 Running 0 2m2s kube-proxy-dwq9l 1/1 Running 0 2m2s kube-proxy-l77lz 1/1 Running 0 2m11s kube-proxy-sgphs 1/1 Running 0 39m kube-scheduler-kub-k8s-master 1/1 Running 0 37m 2.查看节点 [rootkub-k8s-master ~]# kubectl get nodes NAME STATUS ROLES AGE VERSION kub-k8s-master Ready master 43m v1.20.2 kub-k8s-node1 Ready none 6m46s v1.20.2 kub-k8s-node2 Ready none 6m37s v1.20.2 到此集群配置完成错误整理# 如果集群初始化失败(每个节点都要执行然后从4.9开始重新初始化) $ kubeadm reset -f; ipvsadm --clear; rm -rf ~/.kube $ systemctl restart kubelet # 如果忘记token值 $ kubeadm token create --print-join-command $ kubeadm init phase upload-certs --upload-certs四.集群部署Dashboard5.1 部署Dashboard镜像名字kubernetesui/dashboard:v2.4.0 # kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.4.0/aio/deploy/recommended.yaml # kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard # 注意将 type: ClusterIP 改为 type: NodePort # kubectl get svc -A |grep kubernetes-dashboard kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.107.179.10 none 8000/TCP 38s kubernetes-dashboard kubernetes-dashboard NodePort 10.110.18.72 none 443:32231/TCP 38s5.2 创建访问账号#创建访问账号准备一个yaml文件 vi dash.yaml apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kubernetes-dashboard --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kubernetes-dashboard # kubectl apply -f dash.yaml5.3 获取访问令牌#获取访问令牌 # kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath{.secrets[0].name}) -o go-template{{.data.token | base64decode}} eyJhbGciOiJSUzI1NiIsImtpZCI6ImhRa2Q3UDFGempzb3VneVdUS0R0dk50SHlwUHExc0tuT21SOTdWQkczaG8ifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXRva2VuLXBmbGxyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImFkbWluLXVzZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJlNDk0MTFhYS0zOTVhLTRkYzUtYmZmYS04MDZiODE3M2VmZWEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZXJuZXRlcy1kYXNoYm9hcmQ6YWRtaW4tdXNlciJ9.k3Gd9vRF6gP3Zxy89x14y4I2RCGn232bGLo9A5iEmeMl6BRPdJXZPbwy9fm3OT6ZjVc7LHiRgArczjZuCU3Sis4tIA_24A55h74WQE_JTeiZ5XnSGRknYQRHFSqyBrTaTxgDJb-O-DHol8GQLQjr6gIPzppHc-RhWhUFFNnPVP1nr2MLFBkvIT_qAcbHP6McFf2N6IsYwVFuvyIO77qWcmyFlgSr8a3A0INEJYB2bFPRL82rNc41c0TsUwOguQbJYrDA9lBqVpSff_7Uk_-7ycabZclbZX1HPz2-F59LQW7NWQy7biZw5b25AZaXAG3kL3SDuRRBoMNS92MmDFsVyA5.4 浏览器访问火狐可直接访问如果想谷歌访问保持焦点在页面内鼠标在页面空白处点击不选中任何按钮直接输入“thisisunsafe”输完后按回车键就可以正常访问网页。任意节点ip端口[上面查看到为32231] https://192.168.246.216:32231/ 使用token登录另外一种图形化插件kuboarddocker run -d–restartunless-stopped–namekuboard-p 80:80/tcp-p 10081:10081/udp-p 10081:10081/tcp-e KUBOARD_ENDPOINT“http://kuboard.my-company.com:80”-e KUBOARD_AGENT_SERVER_UDP_PORT“10081”-e KUBOARD_AGENT_SERVER_TCP_PORT“10081”-v /root/kuboard-data:/dataeipwork/kuboard:v3.1.7.1账号admin密码Kuboard123五.集群常用指令5.1 基础控制指令# 查看对应资源: 状态 $ kubectl get SOURCE_NAME -n NAMESPACE -o wide # 查看对应资源: 事件信息 $ kubectl describe SOURCE_NAME SOURCE_NAME_RANDOM_ID -n NAMESPACE kubectl describe pod kube-proxy-fdvbt -n kube-system # 查看pod资源: 日志 $ kubectl logs -f SOURCE_NAME_RANDOM_ID [CONTINER_NAME] -n NAMESPACE # 创建资源: 根据资源清单 $ kubectl apply[or create] -f SOURCE_FILENAME.yaml # 删除资源: 根据资源清单 $ kubectl delete -f SOURCE_FILENAME.yaml # 修改资源: 根据反射出的etcd中的配置内容, 生产中不允许该项操作, 且命令禁止 $ kubectl edit SOURCE_NAME SOURCE_NAME_RANDOM_ID -n NAMESPACE5.2 命令实践# 查看node状态 $ kubectl get node # -o wide 显示更加详细的信息 # 查看service对象 $ kubectl get svc 或者 kubectl get service # 查看kube-system名称空间内的Pod $ kubectl get pod -n kube-system # 查看所有名称空间内的pod $ kubectl get pod -A # 查看集群信息 $ kubectl cluster-info # 查看各组件信息 $ kubectl -s https://api-server:6443 get componentstatuses # 查看各资源对象对应的api版本 $ kubectl explain pod # 查看帮助信息 $ kubectl explain deployment $ kubectl explain deployment.spec $ kubectl explain deployment.spec.replicas5.3 备注问题一 查看各组件信息可能会发现错误 $ kubectl -s https://192.168.96.143:6443 get componentstatuses Warning: v1 ComponentStatus is deprecated in v1.19 NAME STATUS MESSAGE ERROR scheduler Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused controller-manager Unhealthy Get http://127.0.0.1:10252/healthz: dial tcp 127.0.0.1:10252: connect: connection refused etcd-0 Healthy {health:true} 问题一解决 $ vim /etc/kubernetes/manifests/kube-scheduler.yaml 10 spec: 11 containers: 12 - command: 13 - kube-scheduler 14 - --authentication-kubeconfig/etc/kubernetes/scheduler.conf 15 - --authorization-kubeconfig/etc/kubernetes/scheduler.conf 16 - --bind-address127.0.0.1 17 - --kubeconfig/etc/kubernetes/scheduler.conf 18 - --leader-electtrue 19 - --port0 # 将此行注释或删除 $ vim /etc/kubernetes/manifests/kube-controller-manager.yaml 10 spec: 11 containers: 12 - command: 13 - kube-controller-manager 14 - --allocate-node-cidrstrue 15 - --authentication-kubeconfig/etc/kubernetes/controller-manager.conf 16 - --authorization-kubeconfig/etc/kubernetes/controller-manager.conf 17 - --bind-address127.0.0.1 18 - --client-ca-file/etc/kubernetes/pki/ca.crt 19 - --cluster-cidr10.244.0.0/16 20 - --cluster-namekubernetes 21 - --cluster-signing-cert-file/etc/kubernetes/pki/ca.crt 22 - --cluster-signing-key-file/etc/kubernetes/pki/ca.key 23 - --controllers*,bootstrapsigner,tokencleaner 24 - --kubeconfig/etc/kubernetes/controller-manager.conf 25 - --port0 # 将此行注释或删除 $ systemctl restart kubelet $ kubectl -s https://192.168.96.143:6443 get componentstatuses Warning: v1 ComponentStatus is deprecated in v1.19 NAME STATUS MESSAGE ERROR scheduler Healthy ok controller-manager Healthy ok etcd-0 Healthy {health:true}六.Yaml语法解析YAML是一个类似 XML、JSON 的标记性语言。它强调以数据为中心并不是以标识语言为重点。因而YAML本身的定义比较简单号称一种人性化的数据格式语言。YAML的语法比较简单主要有下面几个 1、大小写敏感 2、使用缩进表示层级关系 3、缩进不允许使用tab只允许空格( 低版本限制 ) 4、缩进的空格数不重要只要相同层级的元素左对齐即可 5、#表示注释 YAML支持以下几种数据类型 1、纯量单个的、不可再分的值 2、对象键值对的集合又称为映射mapping/ 哈希hash / 字典dictionary 3、数组一组按次序排列的值又称为序列sequence / 列表list 补充说明 1、书写yaml切记: 后面要加一个空格 2、如果需要将多段yaml配置放在一个文件中中间要使用---分隔举个例子通过声明式配置yaml 创建名称空间$ vim namespace.yaml apiVersion: v1 #api版本 kind: Namespace #资源对象类型 metadata: name: webserver $ kubectl apply -f namespace.yaml 查看命名空间 $ kubectl get namespace 或 $ kubectl get ns # 如果通过命令行创建 $ kubectl create namespace webserver # 删除名称空间[注意这将删除名称空间下的所有资源] $ kubectl delete namespace webserver义比较简单号称一种人性化的数据格式语言。YAML的语法比较简单主要有下面几个 1、大小写敏感 2、使用缩进表示层级关系 3、缩进不允许使用tab只允许空格( 低版本限制 ) 4、缩进的空格数不重要只要相同层级的元素左对齐即可 5、#表示注释 YAML支持以下几种数据类型 1、纯量单个的、不可再分的值 2、对象键值对的集合又称为映射mapping/ 哈希hash / 字典dictionary 3、数组一组按次序排列的值又称为序列sequence / 列表list 补充说明 1、书写yaml切记: 后面要加一个空格 2、如果需要将多段yaml配置放在一个文件中中间要使用---分隔举个例子通过声明式配置yaml 创建名称空间$ vim namespace.yaml apiVersion: v1 #api版本 kind: Namespace #资源对象类型 metadata: name: webserver $ kubectl apply -f namespace.yaml 查看命名空间 $ kubectl get namespace 或 $ kubectl get ns # 如果通过命令行创建 $ kubectl create namespace webserver # 删除名称空间[注意这将删除名称空间下的所有资源] $ kubectl delete namespace webserver
![供应商在SAP里提交的单据,能不能自动审核?[2026实战指南] 实在Agent驱动的财税一体化智能审核方案](http://pic.xiahunao.cn/yaotu/供应商在SAP里提交的单据,能不能自动审核?[2026实战指南] 实在Agent驱动的财税一体化智能审核方案)
