二进制部署kubernetes_lookNo施的博客-程序员ITS301

技术标签: kubernetes  运维  实用知识  linux  kubernates  

2.基础环境准备

2.1 系统基础设置(所有机器都要执行)

2.1.1 设置主机名

hostnamectl set-hostname hdss7-xx.host.com

2.1.2 设置网卡

~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO=none
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="aa2c9856-6a9c-4e96-a9f0-1de9a6581d78"
DEVICE="ens33"
ONBOOT="yes"
IPADDR=10.4.7.xx
NETMASK=255.255.255.0
GATEWAY=10.4.7.254
DNS1=10.4.7.254

2.1.3 关闭防火墙与seliunx

 ~]# systemctl stop firewalld
 ~]# systemctl disable firewalld
 ~]# setenforce 0
setenforce: SELinux is disabled
 ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config

2.1.4 设置yum源

wget -O /etc/yum.repos.d/CentOS-Base.repo  http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/epel.repo  http://mirrors.aliyun.com/repo/epel-7.repo
yum clean all
yum makecache

2.1.5 安装常用工具

yum install wget net-tools telnet tree nmap sysstat lrzsz dos2unix bind-utils -y

2.2 在hdss7-11.host.com 上安装bind服务(DNS服务)

2.2.1 安装bind 9

yum install bind -y

2.2.2 配置bind 9

vi /etc/named.conf
listen-on port 53 {
     10.4.7.11; }; 
allow-query     {
     any; };
forwarders      {
     10.4.7.254; };
recursion yes;
dnssec-enable no;
dnssec-validation no
vi /etc/named.rfc1912.zones
zone "host.com" IN {
    
        type  master;
        file  "host.com.zone";
        allow-update {
     10.4.7.11; };
};

zone "od.com" IN {
    
        type  master;
        file  "od.com.zone";
        allow-update {
     10.4.7.11; };
};
vi  /var/named/host.com.zone
$ORIGIN host.com.
$TTL 600    ; 10 minutes
@       IN SOA  dns.host.com. dnsadmin.host.com. (
                2021123101 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS   dns.host.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11
HDSS7-11           A    10.4.7.11
HDSS7-12           A    10.4.7.12
HDSS7-21           A    10.4.7.21
HDSS7-22           A    10.4.7.22
HDSS7-200          A    10.4.7.200
vi  /var/named/od.com.zone
$ORIGIN od.com.
$TTL 600    ; 10 minutes
@           IN SOA  dns.od.com. dnsadmin.od.com. (
                2021123101 ; serial
                10800      ; refresh (3 hours)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
                NS   dns.od.com.
$TTL 60 ; 1 minute
dns                A    10.4.7.11

2.2.3检查配置并启动bind 9

named-checkconf
systemctl start named ; systemctl enable named
netstat -lntup|grep 53
[[email protected] ~]# dig -t A hdss7-11.host.com @10.4.7.11 +short
10.4.7.11
[[email protected] ~]# dig -t A hdss7-12.host.com @10.4.7.11  +short
10.4.7.12
[[email protected] ~]# dig -t A hdss7-21.host.com @10.4.7.11  +short
10.4.7.21
[[email protected] ~]# dig -t A hdss7-22.host.com @10.4.7.11  +short
10.4.7.22
[[email protected] ~]# dig -t A hdss7-200.host.com @10.4.7.11  +short
10.4.7.200

2.2.4配置DNS客户端

Linux所有主机

vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.4.7.11
##########
vi /etc/resolv.conf
search host.com
nameserver 10.4.7.11
##########
systemctl restart network

windows主机

wmnet8网卡更改DNS:10.4.7.11

2.2.5 检查

Linux

ping www.baidu.com
ping hdss7-200

Windows

ping hdss7-200.host.com

2.3 准备签发证书环境(hdss7-200.host.com 上)

2.3.1 安装cfssl

wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/bin/cfssl-json
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/bin/cfssl-certinfo
chmod +x /usr/bin/cfssl*

2.3.2 创建生成ca证书csr的json配置文件

mkdir /opt/certs
vi  /opt/certs/ca-csr.json
{
    
    "CN": "OldboyEdu",
    "hosts": [
    ],
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ],
    "ca": {
    
        "expiry": "175200h"
    }
}

CN: Common Name ,浏览器使用该字段验证网站是否合法, 一般写的是域名。非常重要。浏览器使
用该字段验证网站是否合法C: Country,国家ST:State,州,省L: Locality ,地区,城市O: Organization Name ,组织名称,公司名称OU: Organization Unit Name ,组织单位名称,公司部门

2.3.3 生成ca证书文件

[[email protected] ~]# cd /opt/certs
[[email protected] certs]# cfssl gencert -initca ca-csr.json | cfssl-json -bare ca
2022/01/01 00:23:57 [INFO] generating a new CA key and certificate from CSR
2022/01/01 00:23:57 [INFO] generate received request
2022/01/01 00:23:57 [INFO] received CSR
2022/01/01 00:23:57 [INFO] generating key: rsa-2048
2022/01/01 00:23:57 [INFO] encoded CSR
2022/01/01 00:23:57 [INFO] signed certificate with serial number 414378800613023828612486869637956318037852248341
[[email protected] certs]# ll
总用量 16
-rw-r--r-- 1 root root  993 1月   1 00:23 ca.csr
-rw-r--r-- 1 root root  328 1月   1 00:23 ca-csr.json
-rw------- 1 root root 1679 1月   1 00:23 ca-key.pem
-rw-r--r-- 1 root root 1346 1月   1 00:23 ca.pem
[[email protected] certs]# 

2.4 部署docker (hdss7-21.host.com,hdss7-22.host.com,hdss7-200.host.com上)

2.4.1 安装

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

2.4.2 配置docker

mkdir  /etc/docker
vi  /etc/docker/daemon.json
{
    
  "graph": "/data/docker",
  "storage-driver": "overlay2",
  "insecure-registries": ["registry.access.redhat.com","quay.io","harbor.od.com"],
  "registry-mirrors": ["https://q2gr04ke.mirror.aliyuncs.com"],
  "bip": "172.7.21.1/24",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true
}

bip要根据宿主机ip变化
注意:hdss7-21.host.com bip 172.7.21.1/24
hdss7-22.host.com bip 172.7.22.1/24
hdss7-200.host.com bip 172.7.200.1/24

2.4.3 启动

mkdir -p /data/docker
systemctl start docker
systemctl enable docker
docker --version

2.5部署docker镜像私有仓库harbor(hdss7-200.host.com 上)

2.5.1 下载软件并解压

~]# cd /opt/src
 src]# wget https://github.com/goharbor/harbor/releases/download/v1.9.4/harbor-offline-installer-v1.9.4.tgz
 src]# mv harbor /opt/harbor-v1.9.4
 src]# ln -s /opt/harbor-v1.9.4 /opt/harbor

2.5.2 配置

[[email protected] opt]# vi /opt/harbor/harbor.yml
hostname: harbor.od.com
http:
  port: 180
 harbor_admin_password:Harbor12345
data_volume: /data/harbor
log:
    level:  info
    rotate_count:  50
    rotate_size:200M
    location: /data/harbor/logs

[[email protected] opt]# mkdir -p /data/harbor/logs

2.5.3 安装docker-compose

[[email protected] opt]# yum install docker-compose -y

2.5.4 安装harbor

[[email protected] opt]# cd harbor
[[email protected] harbor]# ./install.sh 


 ----Harbor has been installed and started successfully.----

Now you should be able to visit the admin portal at http://harbor.od.com. 
For more details, please visit https://github.com/goharbor/harbor .

2.5.5 检查

[[email protected] harbor]# docker-compose ps 
      Name                     Command               State                   Ports                 
---------------------------------------------------------------------------------------------------
harbor-core         /harbor/harbor_core              Up                                            
harbor-db           /docker-entrypoint.sh            Up      5432/tcp                              
harbor-jobservice   /harbor/harbor_jobservice  ...   Up                                            
harbor-log          /bin/sh -c /usr/local/bin/ ...   Up      127.0.0.1:1514->10514/tcp             
harbor-portal       nginx -g daemon off;             Up      8080/tcp                              
nginx               nginx -g daemon off;             Up      0.0.0.0:180->8080/tcp,:::180->8080/tcp
redis               redis-server /etc/redis.conf     Up      6379/tcp                              
registry            /entrypoint.sh /etc/regist ...   Up      5000/tcp                              
registryctl         /harbor/start.sh                 Up                                       

2.5.6 设置harbor开机启动

[[email protected] harbor]# vim /etc/rc.d/rc.local  # 增加以下内容
# start harbor
cd /opt/harbor
/usr/docker-compose stop
/usr/docker-compose start

2.5.7 配置harbor的dns内网解析(hdss7-11)

[[email protected] ~]# vi /var/named/od.com.zone
2021123102 ; serial
harbor             A    10.4.7.200
[[email protected] ~]# systemctl restart named
[[email protected] ~]# dig -t A harbor.od.com +short
10.4.7.200

2.5.8 安装NGINX并配置

[[email protected] harbor]# yum install nginx -y
[[email protected] harbor]# vi /etc/nginx/conf.d/harbor.od.com.conf
server {
    
    listen       80;
    server_name  harbor.od.com;

    client_max_body_size 1000m;

    location / {
    
        proxy_pass http://127.0.0.1:180;
    }
}
[[email protected] harbor]# nginx -t
[[email protected] harbor]# systemctl start nginx
[[email protected] harbor]# systemctl enable nginx

2.5.9 浏览器打开harbor.od.com并测试

1、浏览器输入:harbor.od.com 用户名:admin 密码:Harbor12345

2、新建项目:public 访问级别:公开

3、下载镜像并给镜像打tag

[[email protected] harbor]# docker pull nginx:1.7.9
[[email protected] harbor]# docker images |grep 1.7.9
[[email protected] harbor]# docker tag 84581e99d807 harbor.od.com/public/nginx:v1.7.9

4、登录harbor并上传到仓库

[[email protected] harbor]# docker login harbor.od.com
[[email protected] harbor]# docker push harbor.od.com/public/nginx:v1.7.9

3 部署master节点

3.1 部署etcd集群(hdss7-12,hdss7-21,hdss7-22)

etcd 的leader选举机制,要求至少为3台或以上的奇数台。

3.1.1 签发etcd证书( hdss7-200)

● 创建ca的json配置: /opt/certs/ca-config.json
○ server 表示服务端连接客户端时携带的证书,用于客户端验证服务端身份
○ client 表示客户端连接服务端时携带的证书,用于服务端验证客户端身份
○ peer 表示相互之间连接时使用的证书,如etcd节点之间验证

[[email protected] ~]# vi /opt/certs/ca-config.json
{
    
    "signing": {
    
        "default": {
    
            "expiry": "175200h"
        },
        "profiles": {
    
            "server": {
    
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
    
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
    
                "expiry": "175200h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
} 

● 创建etcd证书配置:/opt/certs/etcd-peer-csr.json
重点在hosts上,将所有可能的etcd服务器添加到host列表,不能使用网段,新增etcd服务器需要重新签发证书

[[email protected] ~]# vi /opt/certs/etcd-peer-csr.json
{
    
    "CN": "k8s-etcd",
    "hosts": [
        "10.4.7.11",
        "10.4.7.12",
        "10.4.7.21",
        "10.4.7.22"
    ],
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

● 签发证书与检查

[[email protected] ~]# cd /opt/certs/
[[email protected] certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=peer etcd-peer-csr.json |cfssl-json -bare etcd-peer
[[email protected] certs]# ll
etcd-peer.csr
etcd-peer-csr.json
etcd-peer-key.pem
etcd-peer.pem

3.1.2 安装etcd(hdss7-12,hdss7-21,hdss7-22)

创建etcd用户

[[email protected] ~]# useradd -s /sbin/nologin -M etcd

下载软件,解压,做软连接

[[email protected] src]# wget https://github.com/etcd-io/etcd/releases/download/v3.1.20/etcd-v3.1.20-linux-amd64.tar.gz
[[email protected] src]# tar xf etcd-v3.1.20-linux-amd64.tar.gz -C /opt/
[[email protected] src]# cd ..
[[email protected] opt]# mv etcd-v3.1.20-linux-amd64/ etcd-v3.1.20
[[email protected] opt]# ln -s /opt/etcd-v3.1.20/ /opt/etcd

创建目录,拷贝证书文件

[[email protected] opt]# mkdir -p /opt/etcd/certs /data/etcd /data/logs/etcd-server

拷贝生成的证书文件

[[email protected] certs]# scp hdss7-200:/opt/certs/ca.pem .
[[email protected] certs]# scp hdss7-200:/opt/certs/etcd-peer.pem .
[[email protected] certs]# scp hdss7-200:/opt/certs/etcd-peer-key.pem .

创建etcd服务启动脚本

[[email protected] ~]# vi /opt/etcd/etcd-server-startup.sh
#!/bin/sh
./etcd --name etcd-server-7-12 \
       --data-dir /data/etcd/etcd-server \
       --listen-peer-urls https://10.4.7.12:2380 \
       --listen-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
       --quota-backend-bytes 8000000000 \
       --initial-advertise-peer-urls https://10.4.7.12:2380 \
       --advertise-client-urls https://10.4.7.12:2379,http://127.0.0.1:2379 \
       --initial-cluster  etcd-server-7-12=https://10.4.7.12:2380,etcd-server-7-21=https://10.4.7.21:2380,etcd-server-7-22=https://10.4.7.22:2380 \
       --ca-file ./certs/ca.pem \
       --cert-file ./certs/etcd-peer.pem \
       --key-file ./certs/etcd-peer-key.pem \
       --client-cert-auth  \
       --trusted-ca-file ./certs/ca.pem \
       --peer-ca-file ./certs/ca.pem \
       --peer-cert-file ./certs/etcd-peer.pem \
       --peer-key-file ./certs/etcd-peer-key.pem \
       --peer-client-cert-auth \
       --peer-trusted-ca-file ./certs/ca.pem \
       --log-output stdout
[[email protected] ~]# chmod +x /opt/etcd/etcd-server-startup.sh

授权目录权限

[[email protected] ~]# chown -R etcd.etcd /opt/etcd-v3.1.20/   /data/etcd/  /data/logs/etcd-server/

安装supervisor软件

[[email protected] ~]# yum install supervisor -y
[[email protected] ~]# systemctl start supervisord
[[email protected] ~]# systemctl enable supervisord
[[email protected] ~]# vi /etc/supervisord.d/etcd-server.ini
[program:etcd-server-7-12]
command=/opt/etcd/etcd-server-startup.sh                        ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/etcd                                             ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=etcd                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/etcd-server/etcd.stdout.log           ; stdout log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

启动etcd服务并检查

[[email protected] ~]# supervisorctl update
[[email protected] ~]# supervisorctl status
[[email protected] ~]# netstat -lntup|grep etcd

检查集群状态

[[email protected] etcd]# ./etcdctl  cluster-health
[[email protected] etcd]# ./etcdctl member list

不同的地方

/opt/etcd/etcd-server-startup.sh
--name
--listen-peer-urls
--listen-client-urls
--initial-advertise-peer-urls
--advertise-client-urls
##########
/etc/supervisord.d/etcd-server.ini

3.2 部署kube-apiserver集群(hdss7-21,hdss7-22)

3.2.1 hdss7-200.host.com上签发client证书

创建生成证书csr的json配置文件

[[email protected] certs]#  vi /opt/certs/client-csr.json
{
    
    "CN": "k8s-node",
    "hosts": [
    ],
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成client证书文件

[[email protected] certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json |cfssl-json -bare client

检查生成的证书文件

[[email protected] certs]# ll
client.csr
client-csr.json
client-key.pem
client.pem

3.2.2 hdss7-200.host.com上签发kube-apiserver证书

创建生成证书csr的json配置文件

[[email protected] certs]# vi /opt/certs/apiserver-csr.json
{
    
    "CN": "k8s-apiserver",
    "hosts": [
        "127.0.0.1",
        "192.168.0.1",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc.cluster",
        "kubernetes.default.svc.cluster.local",
        "10.4.7.10",
        "10.4.7.21",
        "10.4.7.22",
        "10.4.7.23"
    ],
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成kube-apiserver证书文件

[[email protected] certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server apiserver-csr.json |cfssl-json -bare apiserver

检查生成的证书文件

[[email protected] certs]# ll
apiserver.csr
apiserver-csr.json
apiserver-key.pem
apiserver.pem

3.2.3 下载kubernetes服务端(hdss7-21,hdss7-22)

下载 kubernetes 二进制版本包需要科学上网工具
● 进入kubernetes的github页面: https://github.com/kubernetes/kubernetes
● 进入tags页签: https://github.com/kubernetes/kubernetes/tags
● 选择要下载的版本: https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2
● 点击 CHANGELOG-${version}.md 进入说明页面: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#downloads-for-v1152
● 下载Server Binaries: https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz

[[email protected] ~]# cd /opt/src
[[email protected] src]# wget https://dl.k8s.io/v1.15.2/kubernetes-server-linux-amd64.tar.gz
[[email protected] src]# tar -xf kubernetes-server-linux-amd64.tar.gz 
[[email protected] src]# mv kubernetes /opt/kubernetes-v1.15.2
[[email protected] opt]# ln -s /opt/kubernetes-v1.15.2/ /opt/kubernetes
[[email protected] opt]# cd kubernetes
[[email protected] kubernetes]# rm -rf kubernetes-src.tar.gz
[[email protected] kubernetes]# cd server/bin
[[email protected] bin]# rm -f *.tar
[[email protected] bin]# rm -f *_tag
[[email protected] bin]# ll

拷贝证书文件到/opt/kubernetes/server/bin/cert目录下

[[email protected] cert]# scp hdss7-200:/opt/certs/ca.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/ca-key.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/client.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/client-key.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/apiserver.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/apiserver-key.pem .

创建配置

[[email protected] bin]# mkdir conf
[[email protected] conf]# vi audit.yaml
apiVersion: audit.k8s.io/v1beta1 # This is required.
kind: Policy
# Don't generate audit events for all requests in RequestReceived stage.
omitStages:
  - "RequestReceived"
rules:
  # Log pod changes at RequestResponse level
  - level: RequestResponse
    resources:
    - group: ""
      # Resource "pods" doesn't match requests to any subresource of pods,
      # which is consistent with the RBAC policy.
      resources: ["pods"]
  # Log "pods/log", "pods/status" at Metadata level
  - level: Metadata
    resources:
    - group: ""
      resources: ["pods/log", "pods/status"]

  # Don't log requests to a configmap called "controller-leader"
  - level: None
    resources:
    - group: ""
      resources: ["configmaps"]
      resourceNames: ["controller-leader"]

  # Don't log watch requests by the "system:kube-proxy" on endpoints or services
  - level: None
    users: ["system:kube-proxy"]
    verbs: ["watch"]
    resources:
    - group: "" # core API group
      resources: ["endpoints", "services"]

  # Don't log authenticated requests to certain non-resource URL paths.
  - level: None
    userGroups: ["system:authenticated"]
    nonResourceURLs:
    - "/api*" # Wildcard matching.
    - "/version"

  # Log the request body of configmap changes in kube-system.
  - level: Request
    resources:
    - group: "" # core API group
      resources: ["configmaps"]
    # This rule only applies to resources in the "kube-system" namespace.
    # The empty string "" can be used to select non-namespaced resources.
    namespaces: ["kube-system"]

  # Log configmap and secret changes in all other namespaces at the Metadata level.
  - level: Metadata
    resources:
    - group: "" # core API group
      resources: ["secrets", "configmaps"]

  # Log all other resources in core and extensions at the Request level.
  - level: Request
    resources:
    - group: "" # core API group
    - group: "extensions" # Version of group should NOT be included.

  # A catch-all rule to log all other requests at the Metadata level.
  - level: Metadata
    # Long-running requests like watches that fall under this rule will not
    # generate an audit event in RequestReceived.
    omitStages:
      - "RequestReceived"

创建apiserver启动脚本

[[email protected] bin]# vi /opt/kubernetes/server/bin/kube-apiserver.sh
#!/bin/bash
./kube-apiserver \
  --apiserver-count 2 \
  --audit-log-path /data/logs/kubernetes/kube-apiserver/audit-log \
  --audit-policy-file ./conf/audit.yaml \
  --authorization-mode RBAC \
  --client-ca-file ./cert/ca.pem \
  --requestheader-client-ca-file ./cert/ca.pem \
  --enable-admission-plugins NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota \
  --etcd-cafile ./cert/ca.pem \
  --etcd-certfile ./cert/client.pem \
  --etcd-keyfile ./cert/client-key.pem \
  --etcd-servers https://10.4.7.12:2379,https://10.4.7.21:2379,https://10.4.7.22:2379 \
  --service-account-key-file ./cert/ca-key.pem \
  --service-cluster-ip-range 192.168.0.0/16 \
  --service-node-port-range 3000-29999 \
  --target-ram-mb=1024 \
  --kubelet-client-certificate ./cert/client.pem \
  --kubelet-client-key ./cert/client-key.pem \
  --log-dir  /data/logs/kubernetes/kube-apiserver \
  --tls-cert-file ./cert/apiserver.pem \
  --tls-private-key-file ./cert/apiserver-key.pem \
  --v 2

授权和创建目录

 [[email protected] bin]# chmod +x kube-apiserver.sh
 [[email protected] bin]# mkdir -p /data/logs/kubernetes/kube-apiserver

创建supervisor配置

[[email protected] bin]#  vi /etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]
command=/opt/kubernetes/server/bin/kube-apiserver.sh            ; the program (relative uses PATH, can take args)
numprocs=1                                                      ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                            ; directory to cwd to before exec (def no cwd)
autostart=true                                                  ; start at supervisord start (default: true)
autorestart=true                                                ; retstart at unexpected quit (default: true)
startsecs=30                                                    ; number of secs prog must stay running (def. 1)
startretries=3                                                  ; max # of serial start failures (default 3)
exitcodes=0,2                                                   ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                 ; signal used to kill process (default TERM)
stopwaitsecs=10                                                 ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                       ; setuid to this UNIX account to run the program
redirect_stderr=true                                            ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-apiserver/apiserver.stdout.log        ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                    ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                        ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                     ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                     ; emit events on stdout writes (default false)

启动服务并检查

[[email protected] bin]# supervisorctl update
[[email protected] bin]# supervisorctl status
[[email protected] bin]# netstat -nltup|grep kube-api

不同的地方

/etc/supervisord.d/kube-apiserver.ini
[program:kube-apiserver-7-21]

3.3 部署四层反向代理(hdss7-11、hdss7-12)

3.3.1 安装NGINX和keepalived

hdss7-11.host.com和hdss7-12.host.com都安装NGINX和keepalived
安装nginx所有的动态模块

[[email protected] ~]# yum install nginx keepalived -y
[[email protected] ~]# yum install -y nginx-all-modules

hdss7-11.host.com和hdss7-12.host.com配置NGINX

[[email protected] ~]# vi /etc/nginx/nginx.conf
stream {
    
    upstream kube-apiserver {
    
        server 10.4.7.21:6443     max_fails=3 fail_timeout=30s;
        server 10.4.7.22:6443     max_fails=3 fail_timeout=30s;
    }
    server {
    
        listen 7443;
        proxy_connect_timeout 2s;
        proxy_timeout 900s;
        proxy_pass kube-apiserver;
    }
}
[[email protected] ~]# nginx -t

hdss7-11.host.com和hdss7-12.host.com配置keepalived
check_port.sh hdss7-11.host.com和hdss7-12.host.com都要配置
注意:检查自己网卡名,修改配置中的interface

[[email protected] ~]# vi /etc/keepalived/check_port.sh
#!/bin/bash
#keepalived 监控端口脚本
#使用方法:
#在keepalived的配置文件中
#vrrp_script check_port {#创建一个vrrp_script脚本,检查配置
#    script "/etc/keepalived/check_port.sh 6379" #配置监听的端口
#    interval 2 #检查脚本的频率,单位(秒)
#}
CHK_PORT=$1
if [ -n "$CHK_PORT" ];then
        PORT_PROCESS=`ss -lnt|grep $CHK_PORT|wc -l`
        if [ $PORT_PROCESS -eq 0 ];then
                echo "Port $CHK_PORT Is Not Used,End."
                exit 1
        fi
else
        echo "Check Port Cant Be Empty!"
fi

[[email protected] ~]# chmod +x /etc/keepalived/check_port.sh
##########
配置文件
keepalived 主:
[[email protected] conf.d]# vi /etc/keepalived/keepalived.conf 

! Configuration File for keepalived

global_defs {
    
   router_id 10.4.7.11

}

vrrp_script chk_nginx {
    
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}

vrrp_instance VI_1 {
    
    state MASTER
    interface eth0
    virtual_router_id 251
    priority 100
    advert_int 1
    mcast_src_ip 10.4.7.11
    nopreempt

    authentication {
    
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
    
         chk_nginx
    }
    virtual_ipaddress {
    
        10.4.7.10
    }
}

keepalived 从:
[[email protected] conf.d]# vi /etc/keepalived/keepalived.conf 

! Configuration File for keepalived
global_defs {
    
    router_id 10.4.7.12
}
vrrp_script chk_nginx {
    
    script "/etc/keepalived/check_port.sh 7443"
    interval 2
    weight -20
}
vrrp_instance VI_1 {
    
    state BACKUP
    interface eth0
    virtual_router_id 251
    mcast_src_ip 10.4.7.12
    priority 90
    advert_int 1
    authentication {
    
        auth_type PASS
        auth_pass 11111111
    }
    track_script {
    
        chk_nginx
    }
    virtual_ipaddress {
    
        10.4.7.10
    }
}

启动代理并检查

systemctl start nginx keepalived
systemctl enable nginx keepalived
netstat -lntup|grep nginx
ip addr

3.4 部署controller-manager(hdss7-21、hdss7-22)

创建启动脚本

[[email protected] bin]# vi /opt/kubernetes/server/bin/kube-controller-manager.sh
#!/bin/sh
./kube-controller-manager \
  --cluster-cidr 172.7.0.0/16 \
  --leader-elect true \
  --log-dir /data/logs/kubernetes/kube-controller-manager \
  --master http://127.0.0.1:8080 \
  --service-account-private-key-file ./cert/ca-key.pem \
  --service-cluster-ip-range 192.168.0.0/16 \
  --root-ca-file ./cert/ca.pem \
  --v 2 

授权文件权限,创建目录

[[email protected] bin]# chmod +x /opt/kubernetes/server/bin/kube-controller-manager.sh 
[[email protected] bin]# mkdir -p /data/logs/kubernetes/kube-controller-manager

创建supervisor配置

[[email protected] bin]# vi /etc/supervisord.d/kube-conntroller-manager.ini
[program:kube-controller-manager-7-21]
command=/opt/kubernetes/server/bin/kube-controller-manager.sh                     ; the program (relative uses PATH, can take args)
numprocs=1                                                                        ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                              ; directory to cwd to before exec (def no cwd)
autostart=true                                                                    ; start at supervisord start (default: true)
autorestart=true                                                                  ; retstart at unexpected quit (default: true)
startsecs=30                                                                      ; number of secs prog must stay running (def. 1)
startretries=3                                                                    ; max # of serial start failures (default 3)
exitcodes=0,2                                                                     ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                                   ; signal used to kill process (default TERM)
stopwaitsecs=10                                                                   ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                                         ; setuid to this UNIX account to run the program
redirect_stderr=true                                                              ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-controller-manager/controller.stdout.log  ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                                      ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                          ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                                       ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                                       ; emit events on stdout writes (default false)

启动服务并检查

[[email protected] bin]# supervisorctl update
[[email protected] bin]# supervisorctl status

不同的地方

/etc/supervisord.d/kube-conntroller-manager.ini
[program:kube-controller-manager-7-21]

3.5 部署kube-scheduler(hdss7-21、hdss7-22)

创建启动脚本

[[email protected] bin]# vi /opt/kubernetes/server/bin/kube-scheduler.sh
#!/bin/sh
./kube-scheduler \
  --leader-elect  \
  --log-dir /data/logs/kubernetes/kube-scheduler \
  --master http://127.0.0.1:8080 \
  --v 2

授权文件权限,创建目录

[[email protected] bin]# chmod +x  /opt/kubernetes/server/bin/kube-scheduler.sh
[[email protected] bin]# mkdir -p /data/logs/kubernetes/kube-scheduler

创建supervisor配置

[[email protected] bin]# vi /etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-7-21]
command=/opt/kubernetes/server/bin/kube-scheduler.sh                     ; the program (relative uses PATH, can take args)
numprocs=1                                                               ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                     ; directory to cwd to before exec (def no cwd)
autostart=true                                                           ; start at supervisord start (default: true)
autorestart=true                                                         ; retstart at unexpected quit (default: true)
startsecs=30                                                             ; number of secs prog must stay running (def. 1)
startretries=3                                                           ; max # of serial start failures (default 3)
exitcodes=0,2                                                            ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                          ; signal used to kill process (default TERM)
stopwaitsecs=10                                                          ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                                ; setuid to this UNIX account to run the program
redirect_stderr=true                                                     ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-scheduler/scheduler.stdout.log ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                             ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                                 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                              ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                              ; emit events on stdout writes (default false)

启动服务并检查

[[email protected] bin]# supervisorctl update
[[email protected] bin]# supervisorctl status
/etc/supervisord.d/kube-scheduler.ini
[program:kube-scheduler-7-21]

建立kubectl软链接

 ln -s /opt/kubernetes/server/bin/kubectl /usr/bin/kubectl

检查master节点

[roo[email protected] bin]# kubectl get cs

4 部署node节点(hdss7-21、hdss7-22)

4.1 部署kubelet

hdss7-200.host.com上签发kubelet证书
创建生成证书csr的json配置文件

[[email protected] certs]# vi kubelet-csr.json
{
    
    "CN": "k8s-kubelet",
    "hosts": [
    "127.0.0.1",
    "10.4.7.10",
    "10.4.7.21",
    "10.4.7.22",
    "10.4.7.23",
    "10.4.7.24",
    "10.4.7.25",
    "10.4.7.26",
    "10.4.7.27",
    "10.4.7.28"
    ],
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

生成kubelet证书文件

[[email protected] certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server kubelet-csr.json | cfssl-json -bare kubelet

检查生成的证书文件

[[email protected] certs]# ll
kubelet.csr
kubelet-csr.json
kubelet-key.pem
kubelet.pem

拷贝证书文件至各节点(21、22都要拷贝),并创建配置

[[email protected] cert]# pwd
/opt/kubernetes/server/bin/cert

[[email protected] cert]# scp hdss7-200:/opt/certs/kubelet.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/kubelet-key.pem .

创建配置(只需要在一台节点上执行下面配置)

[[email protected] conf]# pwd
/opt/kubernetes/server/bin/conf
  • set-cluster
[[email protected] conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kubelet.kubeconfig
  • set-credentials
[[email protected] conf]# kubectl config set-credentials k8s-node \
--client-certificate=/opt/kubernetes/server/bin/cert/client.pem \
--client-key=/opt/kubernetes/server/bin/cert/client-key.pem \
--embed-certs=true \
--kubeconfig=kubelet.kubeconfig
  • set-context
[[email protected] conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=k8s-node \
--kubeconfig=kubelet.kubeconfig
  • use-context
[[email protected] conf]# kubectl config use-context myk8s-context --kubeconfig=kubelet.kubeconfig
  • 查看生成的kubelet.kubeconfig
[[email protected] conf]# ll
kubelet.kubeconfig
  • k8s-node.yaml
[[email protected] conf]# vi k8s-node.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:node
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: k8s-node

  • 应用资源配置
[[email protected] conf]# kubectl create -f k8s-node.yaml
  • 查看集群角色和角色属性
[[email protected] conf]# kubectl get clusterrolebinding k8s-node
[[email protected] conf]# kubectl get clusterrolebinding k8s-node -o yaml

  • 拷贝kubelet.kubeconfig 到hdss7-22.host.com上,在22上执行
[[email protected] conf]# scp hdss7-21:/opt/kubernetes/server/bin/conf/kubelet.kubeconfig .

hdss7-200.host.com上下载pause镜像

[[email protected] ~]# docker pull kubernetes/pause

上传到docker私有仓库harbor中

[[email protected] ~]# docker images -a
[[email protected] ~]# docker tag f9d5de079539 harbor.od.com/public/pause:latest
[[email protected] ~]# docker images -a
[[email protected] ~]# docker push harbor.od.com/public/pause:latest

hdss7-21.host.com与hdss7-22.host.com上创建kubelet启动脚本

[[email protected] conf]# vi /opt/kubernetes/server/bin/kubelet.sh
#!/bin/sh
./kubelet \
  --anonymous-auth=false \
  --cgroup-driver systemd \
  --cluster-dns 192.168.0.2 \
  --cluster-domain cluster.local \
  --runtime-cgroups=/systemd/system.slice \
  --kubelet-cgroups=/systemd/system.slice \
  --fail-swap-on="false" \
  --client-ca-file ./cert/ca.pem \
  --tls-cert-file ./cert/kubelet.pem \
  --tls-private-key-file ./cert/kubelet-key.pem \
  --hostname-override hdss7-21.host.com \
  --image-gc-high-threshold 20 \
  --image-gc-low-threshold 10 \
  --kubeconfig ./conf/kubelet.kubeconfig \
  --log-dir /data/logs/kubernetes/kube-kubelet \
  --pod-infra-container-image harbor.od.com/public/pause:latest \
  --root-dir /data/kubelet

hdss7-21.host.com与hdss7-22.host.com上授权,创建目录

[[email protected] conf]# chmod +x /opt/kubernetes/server/bin/kubelet.sh 
[[email protected] conf]# mkdir -p /data/logs/kubernetes/kube-kubelet   /data/kubelet

hdss7-21.host.com与hdss7-22.host.com上创建supervisor配置

[[email protected] conf]#  vi /etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-7-21]
command=/opt/kubernetes/server/bin/kubelet.sh     ; the program (relative uses PATH, can take args)
numprocs=1                                        ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin              ; directory to cwd to before exec (def no cwd)
autostart=true                                    ; start at supervisord start (default: true)
autorestart=true                                  ; retstart at unexpected quit (default: true)
startsecs=30                                      ; number of secs prog must stay running (def. 1)
startretries=3                                    ; max # of serial start failures (default 3)
exitcodes=0,2                                     ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                   ; signal used to kill process (default TERM)
stopwaitsecs=10                                   ; max num secs to wait b4 SIGKILL (default 10)
user=root                                         ; setuid to this UNIX account to run the program
redirect_stderr=true                              ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-kubelet/kubelet.stdout.log   ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                      ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                          ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                       ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                       ; emit events on stdout writes (default false)

启动服务并检查

[[email protected] conf]# supervisorctl  update
[[email protected] conf]# supervisorctl status

不同的地方

/opt/kubernetes/server/bin/kubelet.sh
--hostname-override
##########
/etc/supervisord.d/kube-kubelet.ini
[program:kube-kubelet-7-21]

检查所有节点并给节点打上标签

[[email protected] ~]# kubectl get nodes
[[email protected] ~]# kubectl label node hdss7-21.host.com node-role.kubernetes.io/master=
[[email protected] ~]# kubectl label node hdss7-21.host.com node-role.kubernetes.io/node=
[[email protected] ~]# kubectl get nodes
NAME                STATUS   ROLES         AGE     VERSION
hdss7-21.host.com   Ready    master,node   5m11s   v1.15.2
hdss7-22.host.com   Ready    <none>        5m10s   v1.15.2

4.2 部署kube-proxy(hdss7-21、hdss7-22)

hdss7-200.host.com上签发kube-proxy证书

  1. 创建生成证书csr的json配置文件
[[email protected] certs]# vi kube-proxy-csr.json
{
    
    "CN": "system:kube-proxy",
    "key": {
    
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
    
            "C": "CN",
            "ST": "beijing",
            "L": "beijing",
            "O": "od",
            "OU": "ops"
        }
    ]
}

  1. 生成kube-proxy证书文件
[[email protected] certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client kube-proxy-csr.json |cfssl-json -bare kube-proxy-client

  1. 检查生成的证书文件
[roo[email protected] certs]# ll
kube-proxy-client.csr
kube-proxy-client-key.pem
kube-proxy-client.pem
kube-proxy-csr.json

拷贝证书文件至各节点(hdss7-21、hdss7-22),并创建配置

[[email protected] cert]# scp hdss7-200:/opt/certs/kube-proxy-client.pem .
[[email protected] cert]# scp hdss7-200:/opt/certs/kube-proxy-client-key.pem .

创建配置 只需要在一台节点上执行

  • set-cluster
[[email protected] conf]# kubectl config set-cluster myk8s \
--certificate-authority=/opt/kubernetes/server/bin/cert/ca.pem \
--embed-certs=true \
--server=https://10.4.7.10:7443 \
--kubeconfig=kube-proxy.kubeconfig

  • set-credentials
[[email protected] conf]#  kubectl config set-credentials kube-proxy \
  --client-certificate=/opt/kubernetes/server/bin/cert/kube-proxy-client.pem \
  --client-key=/opt/kubernetes/server/bin/cert/kube-proxy-client-key.pem \
  --embed-certs=true \
  --kubeconfig=kube-proxy.kubeconfig

  • set-context
[[email protected] conf]# kubectl config set-context myk8s-context \
--cluster=myk8s \
--user=kube-proxy \
--kubeconfig=kube-proxy.kubeconfig
  • use-context
[[email protected] conf]# kubectl config use-context myk8s-context --kubeconfig=kube-proxy.kubeconfig

  • 拷贝kube-proxy.kubeconfig 到 hdss7-22.host.com的conf目录下
[[email protected] conf]# scp hdss7-21:/opt/kubernetes/server/bin/conf/kube-proxy.kubeconfig .

创建kube-proxy启动脚本(hdss7-21,hdss7-22)

加载ipvs模块

[[email protected] bin]# lsmod |grep ip_vs
[[email protected] bin]# vi /root/ipvs.sh
#!/bin/bash
ipvs_mods_dir="/usr/lib/modules/$(uname -r)/kernel/net/netfilter/ipvs"
for i in $(ls $ipvs_mods_dir|grep -o "^[^.]*")
do
  /sbin/modinfo -F filename $i &>/dev/null
  if [ $? -eq 0 ];then
    /sbin/modprobe $i
  fi
done    
[[email protected] bin]# chmod +x /root/ipvs.sh 
[[email protected] bin]# sh /root/ipvs.sh 
[[email protected] bin]# lsmod |grep ip_vs

创建启动脚本

[[email protected] bin]# vi /opt/kubernetes/server/bin/kube-proxy.sh
#!/bin/sh
./kube-proxy \
  --cluster-cidr 172.7.0.0/16 \
  --hostname-override hdss7-21.host.com \
  --proxy-mode=ipvs \
  --ipvs-scheduler=nq \
  --kubeconfig ./conf/kube-proxy.kubeconfig

授权,创建目录

[[email protected] bin]# ls -l /opt/kubernetes/server/bin/conf/|grep kube-proxy
[[email protected] bin]# chmod +x /opt/kubernetes/server/bin/kube-proxy.sh 
[[email protected] bin]# mkdir -p /data/logs/kubernetes/kube-proxy

创建supervisor配置

[[email protected] bin]# vi /etc/supervisord.d/kube-proxy.ini
[program:kube-proxy-7-21]
command=/opt/kubernetes/server/bin/kube-proxy.sh                     ; the program (relative uses PATH, can take args)
numprocs=1                                                           ; number of processes copies to start (def 1)
directory=/opt/kubernetes/server/bin                                 ; directory to cwd to before exec (def no cwd)
autostart=true                                                       ; start at supervisord start (default: true)
autorestart=true                                                     ; retstart at unexpected quit (default: true)
startsecs=30                                                         ; number of secs prog must stay running (def. 1)
startretries=3                                                       ; max # of serial start failures (default 3)
exitcodes=0,2                                                        ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT                                                      ; signal used to kill process (default TERM)
stopwaitsecs=10                                                      ; max num secs to wait b4 SIGKILL (default 10)
user=root                                                            ; setuid to this UNIX account to run the program
redirect_stderr=true                                                 ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/kubernetes/kube-proxy/proxy.stdout.log     ; stderr log path, NONE for none; default AUTO
stdout_logfile_maxbytes=64MB                                         ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4                                             ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB                                          ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false                                          ; emit events on stdout writes (default false)

启动服务并检查

[[email protected] bin]# supervisorctl update
[[email protected] bin]# supervisorctl status
[[email protected] bin]# yum install ipvsadm -y
[[email protected] bin]# ipvsadm -Ln
[[email protected] bin]# kubectl get svc

5 验证kubernetes集群

在任意一个节点上创建一个资源配置清单

[[email protected] ~]# vi /root/nginx-ds.yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: nginx-ds
spec:
  template:
    metadata:
      labels:
        app: nginx-ds
    spec:
      containers:
      - name: my-nginx
        image: harbor.od.com/public/nginx:v1.7.9
        ports:
        - containerPort: 80

应用资源配置,并检查

[[email protected] bin]# kubectl create -f /root/nginx-ds.yaml
[[email protected] bin]# kubectl get pods
[[email protected] bin]# kubectl get pods -o wide
[[email protected] bin]# curl 172.7.21.2

hdss7-22.host.com上

[[email protected] bin]# kubectl get pods
[[email protected] bin]# kubectl get pods -o wide
[[email protected] bin]# curl 172.7.22.2

查看kubernetes是否搭建好

[[email protected] bin]# kubectl get cs
[[email protected] bin]# kubectl get node
[[email protected] bin]# kubectl get pods
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/apple_56973763/article/details/122263760

智能推荐

用Python做的小游戏合集——飞机大战_车厘子@的博客-程序员ITS301_python战斗小游戏

导语:????????用Python做的小游戏合集又来了~~这期就是简单好玩又经典的飞机大战啦~???? 游戏介绍: 飞机大战小游戏源码,使用的是python语言, 该项目实现了飞机大战游戏的基本功能,玩家可以通过w、a、s、d键控制飞机移动,通过k键发射子弹。同时该项目实现了游戏时的暂停和继续功能以及排行榜功能,记录历史最好游戏成绩。敌方飞机有三种类型,大小、攻击力、移动速度各不相同,当然击杀获得的奖励也有差异 ????游戏预览:PYTHON飞机大

Python消除警告的实用解决方案_herosunly的博客-程序员ITS301_python 取消警告

本文主要介绍了Python消除警告的实用解决方案,希望对新手有所帮助。文章目录1. 问题描述2. 解决方案 2.1 尝试方案一 2.2 尝试方案二 2.3 最终解决方案1. 问题描述  最近在使用文本处理模块textacy中的textacy.extract.pos_regex_matches函数,由于对大量文本均用到了该函数,所以出现了海量的警告信息。

计算机word教案设计,计算机word教学设计.doc_磨磨蹭蹭磨磨唧唧的博客-程序员ITS301

计算机word教学设计计算机word教案目录一 基本操作二 文档格式三 基本对象及图文混排四 表格五 页面设置和文档打印六 协同工作与信息共享一 基本操作WORD2003软件简介:1.电子文档——由计算机处理并保存的信息集合。文件格式.doc word源文件2.特点:文字编辑:打字格式排版:文字样式、大小、图形形状颜色版式等。表格制作:例:课程表图文混排:WORD2003启动与退出1...

【刷题】动态规划——树形DP:树的中心_seth25的博客-程序员ITS301

在任意一个点p,最远距离可能存在两种走法:向下走和向上走。对于p向下走的最大值(①蓝色),遍历一遍dfs,在递归过程中返回p的子树最远距离即可,参考树的直径。对于p向上走(②黄③绿④红),首先要加上p到父节点q的边,此时在q上仍有两种走法:向上走(②黄)和向下走(③绿④红)。q向下走又可分为两种:不经过p(③绿)和经过p(④红),显然p -&gt; q -&gt; p -&gt; ...的走法(④红)是不合法的,因此只能算不经过p(③绿)的,因此第一遍dfs要记录最大值和次大值和其对应的儿子,当最.

小波包分解与重构_Alex龙雅的博客-程序员ITS301_小波包重构

1、小波变换的理解傅里叶变换——短时傅里叶变换——小波变换。参考文献:以下两篇参考资料讲述得十分清楚,有助于理解小波变换。但具体的数学角度阐述,请参考其他资料。(1)知乎专栏:形象易懂讲解算法I——小波变换https://zhuanlan.zhihu.com/p/22450818(2)知乎专栏:傅里叶分析之掐死教程。https://zhuanlan.zhihu.com/p/197633582、小波包分解小波包是为了克服小波分解在高频段的频率分辨率较差,而在低频段的时间分辨

闭环系统的零极点图判定稳定性_《自动控制原理》课后习题答案.doc_蛋挞小可爱的博客-程序员ITS301

第五章 线性系统的频域分析与校正习题与解答5-1 试求题5-75图(a)、(b)网络的频率特性。(a) (b)图5-75 R-C网络解 (a)依图:(b)依图:5-2 某系统结构图如题5-76图所示,试根据频率特性的物理意义,求下列输入信号作用时,系统的稳态输出和稳态误差(1)(2)解 系统闭环传递函数为: ...

随便推点

通俗编程——白话NIO之Channel_江湖人称小白哥的博客-程序员ITS301

Channel简介在标准的IO当中,都是基于字节流/字符流进行操作的,而在NIO中则是是基于Channel和Buffer进行操作,其中的Channel的虽然模拟了流的概念,实则大不相同。

Oracle-DataGuard FarSync 实例配置测试_牛牛的笔记的博客-程序员ITS301

DataGuard FarSync实例是Oracle12.1之后推出的DataGuard同步新特性,通过在主库距离较近的环境部署FarSync 实例(实例只需要参数文件以及控制文件,没有数据文件),作为主备之间的日志传输中转站,避免由于网络延迟问题带来的主备传输延时影响主库,特别是在最大可用以及最大性能模式下,网络延迟可能导致主库事务提交出现等待或者挂死的情况。...

他是世界公认的“互联网之父”,放弃了成为世界首富的机会,却成就了我们现在的世界..._机器学习算法与Python学习-公众号的博客-程序员ITS301

凡是上网的人,谁不知道万维网的重要作用?要输入网址,首先得打出“WWW”这三个字母来。今天,当你我依靠着万维网提供的便利,坐在个人电脑前自由翱翔于网络世界的时候,你是否会...

算法设计技巧: 局部搜索(Local Search)_胡拉哥的博客-程序员ITS301_local search

局部搜索的基本步骤如下:构造初始解sss;定义sss的邻域δ(s)\delta(s)δ(s);在邻域δ(s)\delta(s)δ(s)中搜索新的解s′s's′;令s:=s′s:=s's:=s′, 重复上述步骤直到满足停止条件.在实际中局部搜索可以作为其它算法的补充, 目的是进一步提升解的质量. 下面我们以经典的旅行商问题(Traveling Salesman Problem)为例来介..._1671465600

PHP中怎样避免SQL注入漏洞和XSS跨站脚本攻击漏洞_虎蔚智客工作室的博客-程序员ITS301_php 存在系统遭受sql注入、跨站脚本等漏洞

漏洞危害: 黑客利用精心组织的SQL语句,通过Web表单注入的Web应用中,从而获取后台DB的访问与存取权限。获取相应的权限之后,可以对网页和数据库进行进一步的篡改、挂马和跳板攻击行为。防止SQL注入代码:主要是利用magic_quotes_gpc指令或它的搭挡addslashes()函数;如果要自己拼SQL语句,一定要自己再过滤一下【addslashes】,也不是直接就能过滤,还要考...