在Linux服务器，一键搭建1.21.0最新版K8s服务【脚本篇】

老脸往哪儿哥 發表於 2021-5-27 19:29:00

在Linux服务器，一键搭建1.21.0最新版K8s服务【脚本篇】

<h3>前言</h3>
好久没有写博客了，本文主要是对网上文章的总结篇，主要是将安装和运行代码做了一次真机实验，亲测可用。文章内包含的脚本和代码，多来自于网络，也有我自己的调整和配置，文章末尾对参考的文献做了列举，方便大家参考。
过程很简单，一路next往下看和操作即可，文章不对脚本和代码做原理解释，某些注意点加了红色标注，部分脚本有注释，可以自行参考，以后有机会可以视频讲解。
<h3>核心步骤</h3>
因为是next的方式，所以本章节主要是操作步骤，步骤中涉及到的代码或者脚本，可以在下文中找到，比如：附录代码一、附录代码二等等，因为脚本实在太长，不太方便放到步骤里。
<h4>1、配置 node01 主节点（2个文件，1个结果）；</h4>
在root目录下拷贝k8s脚本（附录代码一：kubernetes_node01.sh）和flannel网络（附录代码二：kube-flannel.yml）的文件；
然后给脚本文件赋权限：chmod +x kubernetes_node01.sh
最后执行脚本：./kubernetes_node01.sh
<blockquote>
ps：1、sh脚本中，需要配置节点，是内网的。
2、多个节点之间要保证能ping通；
3、中间可能需要自己来配合做些操作，比如输入：y，来做确认等等。
最后，可以在当前文件夹下，看到一个key.txt的文件，里边有安装的结果数据或者密钥等，可查看附录代码三：key.txt，这是我安装的结果，里边有join主节点的配置语句。
</blockquote>
查看所有的nodes和pods：
<div class="cnblogs_code">
<pre># kubectl get nodes
NAME STATUS ROLES 　　　　　　　　AGE VERSION
node01 Ready control-plane,master 26h v1.21.0</pre>
</div>
 
所有的pods：
<div class="cnblogs_code">
<pre># kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-7ff77c879f-6m6fl 1/1 Running 0 25m
kube-system coredns-7ff77c879f-dkd56 1/1 Running 0 25m
kube-system etcd-node01 1/1 Running 0 26m
kube-system kube-apiserver-node01 1/1 Running 0 26m
kube-system kube-controller-manager-node01 1/1 Running 0 26m
kube-system kube-flannel-ds-amd64-sdv2h 1/1 Running 0 25m
kube-system kube-proxy-vgf4r 1/1 Running 0 25m
kube-system kube-scheduler-node01 1/1 Running 0 26m</pre>
</div>
 
如果都启动，都READY了，表示安装成功。
 
<h4>2、配置dashboard仪表盘（2个文件）</h4>
上面安装好了kubectl、kubeadm、kubelet后，我们可以通过客户端来连接，这里安利下k8s的客户端：Lens，很香。
如果要使用客户端连接，就需要获取集群的上下文配置信息，可以执行以下命令：
kubectl config view --minify --raw
输出的结果类似于：
<div class="cnblogs_code">
<pre># kubectl config view --minify --raw
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTa3Foa2XcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeE1EVXlOakE0TVRjMU9Wb1hEVE14TURVeU5EQTRNVGMxT1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTDlsCjRTSktsSnI1ZGdENUJZWlNvcWd3UWlsNDM4K2h2RkdCK0JwT2dXU3JJOUdTcjZRRzVEMllYSnU4bHE5a1IxMXEKME9ZcFpmSGJoOXJlZkZETThmNGh3TjFpSlRtN0pxVEc2UlFMc1BIZWdjdE1vQ2VyWkhzYURJNHpuOUxOdTEzcgpIbFhwSHFuRjY1bnpnL0pQcjVHclVPTGpqTis0aXdyaXE0cmFiZGg5aWR1aDlRaWFzTDNmaEhXeUYvNVJIbTdMCitvdFpkM2pJU2dJZDJxSkg1R2gwK3pzbSt0MHE2WHpPbjljWkpaWnUxWEhkRTVUMUI2aXdzS1B1cG9rYVB2VHQKTW9NeWc2SkM5SVVyalp6SVZEQWg5TU1Ua0NLckJIalBWeXY0L2xkdWxiOUpMZS95TTJidVhVWTVsV0VESm1hMQpjS0xlTEVrckYvelIrS1R4c3lzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDR2NQdk5GZ2VHUjNVbkZsV1M1Y3JZNVRtQUIKQ2dPdVBmVU5ZMFRLNDU1QytGVzVHaTBkeG1JL3NVM2cwVXVoN3c0dWlTQStZQksvUmh0TE1EZnNmMFhRc3FQTwpIeEduWWYvM0xDR3dpVFBrSnFzS2ZodUJlS0RVZ1lsejhOcWJlMDdaMkJlTTVNbFdsN2VmTVNoOEpqRXBzUjBHCnArYmdzdVViQ0hzQ1BSS0ErcW13dFU0UkUvTlMvYzh6Q2xPN3JpNkkzSE1qdTJQOWRTSit1aDY2OFNhSVN0MDkKMG1XWGdoaHlqdmRicnJBTnBucEh0TWNwSGRYM2lRS2g1RVczVjk3VjVpbEt6Yjl3TmJ1QTAwTzVUcEd1eGQ5RApnYUdTajBoMVBOSE9yaFVQRnZQa1ZoS1VaWjZ2cnNWTUsxR3N1akNObWZlZEhWVDlOR0kzNy9aYVMzWT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://172.17.10.4:6443 #注意这里以后是kubectl proxy的地址，应该是你的ip地址：8001
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J4akNDQWRxZ0F3SUJBZ0lJU3FXNFdBdVVE13RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TVRBMU1qWXdPREUzTlRsYUZ3MHlNakExTWpZd09ERTRNREphTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQTNtTGRIM3ZQTnZxN2pjbzYKL1lOU0RkMlJ0YVlWWGIwazdlRXpDVlFWL2dFc2M4bEpiRHZveTcxQUJpa09IMjF5dU4rN00yNmNxTW5KSUgvNQpOcUtKeFRNMVliZHJGTzh2RVJDNE5hMWpRSUppdnJBbVBLeUdzbEpTL2h0dXVlQzZOazRlWmdLNDhCOVJSazNtCmxHclBYZnFvaHo5ckkwQzFvaHA4YnErVGNxYkRvNTNjc1ZMU1puNFFGWHRXMjZJbHg1V3Rhc0JGZVMyWVgvamEKQklld1FWaTMxbmthblFuWVMyekg4aVhiWktXZkc4eDkyR3hrSDhRYWV1ZmlxR2VCYlRuc3UxUlh4TnByVEZqcQpaeW9rUm5yWFEzSU5Fd2dRRzNzUndQaWZxcWtxQTZ1NlQxS21hbzFRelF6bW5XNTdCUG5Jd1EvVjFURU1iS2tJCkdvU0dSUUlEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHbTBCSVhKMVBnTDh4bDVRZ2UvNjlaemd6N1d2TythZ2JZUgowdVB2blhSTU1kNGk1akV1NlQzWDh3Zm4zVGowR004VDlsZERLa2ZKUGFIcnRuRVFIOFFkeHBaek9HeXNjSEpLCmRYN3Uyb2d1dTMxUy9ZblltR21vMk5VS1M3T2hiTWE3WEw1bVpTTGV4RWp0eWNBdkpDa2Evdndqa0hFTFJUMzYKZ3hGWnhBQWRqWFVOd011TWdiV25IT0dOK3dIcUxDSjZKa3NkYU9yZTJTRHRCUWZXRTZ5RjJEVnk4akZvUDVlWQpFcDZuVzVia1NsY3NIR2NhamJPcXNNbSs2bEk5L3RidDZyMno4U3VHR1BVenNzbUFqMHJIbDFvTHhVYjFkWjhCCjF2ZTBYVWZPNmhsSDhWaWxqYVFISHBnQU5NV05KN3kvR0VVYmMzSWZCVGZ6b05UWHJCRT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVS0tLQpNSUlFcEFJQkFBS0NBUUVBM21MZEgzdlBOdnE3avNi9ZTlNEZDJSdGFZVlhiMGs3ZUV6Q1ZRVi9nRXNjOGxKCmJEdm95NzFBQmlrT0gyMXl1Tis3TTI2Y3FNbkpJSC81TnFLSnhUTTFZYmRyRk84dkVSQzROYTFqUUlKaXZyQW0KUEt5R3NsSlMvaHR1dWVDNk5rNGVaZ0s0OEI5UlJrM21sR3JQWGZxb2h6OXJJMEMxb2hwOGJxK1RjcWJEbzUzYwpzVkxTWm40UUZYdFcyNklseDVXdGFzQkZlUzJZWC9qYUJJZXdRVmkzMW5rYW5RbllTMnpIOGlYYlpLV2ZHOHg5CjJHeGtIOFFhZXVmaXFHZUJiVG5zdTFSWHhOcHJURmpxWnlva1JuclhRM0lORXdnUUczc1J3UGlmcXFrcUE2dTYKVDFLbWFvMVF6UXptblc1N0JQbkl3US9WMVRFTWJLa0lHb1NHUlFJREFRQUJBb0lCQUVnN3BvVSthc3o1M2dldApJMElLOEpFT1lmQzFsSVVSRmJpcWlEQkVmcXcxWjJIb2hJL0NXZGdyaldzeTFLS0NvMXZIVi8vWnNzcmtXQTdWClluWkxqeUpkZ3I1Tm5GdDlZVFZTei9LbmNmQ1hLVW0wMzRhZnAxU3Voc1NBMXBOTG1sQmZTV0pyQ2ZUOHh5SmwKMVRwcUF4Y01mc2NIWTE1YysySSs1aUh4cDV2NlVjNEtQZ0R6bGZCbkVTZ3dhNlVOVURZRkVmN2RNMXdONlhtZgpPMllNcDIvWHVacWFwU3RRRHRLWXVvT2xsWStsRXpQeUpQQSsvS0tnN3M5VGpzSllUZTJyN1Y0S2psVUpLQ0tqCjhsNnVoUWhNNkRuWnYvVVZScEtZM3RlSlJkRDgxZ2RBQ1FPTUh0aktrb0drbEtDeS96Z29oak9FZlVFTWJqNloKY2dRT0VFRUNnWUVBOU1KSytZUTg3YURqSTMrOWVSd0VxSmQ2WjFXbnZTUHZld21iOXpUSVdkYjUrU1RGSi8vZwpPS1lFdHNjN1hRc05wV3hsdjhncnc4azhKRzFxcG1EVHFaa1Vna3NGaXNaMGxGYVk1TUlKOUh3K00wMzJmN0N0CkxaQ2oxSTdqNWpsNWt5dy9qYVB3amJtWG1zY280NUNxZFl4YUhoMjJPbE1pdVVkNTU2SVJhdFVDZ1lFQTZKbUcKKytsWTZxRDJKY2N2cGJhUFhnQUwrZklpTDlSblQwbVZKTmZ5MXU3RGdhSXl3UHVOaVBUOUhoRXc0VU1WeTE5UQpzeS9yQ2JFQ1A5MnJQeEloOXVlTHlCazNNR0hyaTBVZkdiV0V4czNiZ3QydTUvZUpSaGlaYm5sSlJqZDlIeFdZCnljaWhER2JRVVhoVWhtaGxzSUU1dDRGcWdjUUN6L0NmSklxVmhiRUNnWUVBcnVxN2toNURQTCtpRkJpU1hCNzkKNVU1OEY2VkxQd3lUZFNhazQ4SkEvSk42Q2VlUlRzaTZnVUdFVk91RkxUVmRCeiswWjU2eVNEVmtXZFFvUjhjaQovUzE5VHJBMndicWFUZmlsUTdhNFRwVU1EclpFMTNSNER2d3pXUkRWSmc4bEoxeVQvckdPbEhweU1oYnF6ZGJ4Ck94aVd2cmNWS0JHSjIwZU5nMUI3aWhFQ2dZRUFuUUcxT2lwRFdPMlorZHBBY1cyUHpQWGZIN0t3SFBVVlgxSGUKR09ha0J5MVlUeEw3aTRUQi95YlFEUkd4bXZ5N28zSU5lVWJwTXJ1SE56RWNQUkN5V0lYbnR3UStXcXhlWUw0aAp4aXJmRzRzdGwyS29nL0IxZXhsenlEeWFsNGt4TG1CWHFDMkRlR21XU01nZTFqTjJJUFM1endMT3NCVnRpSXQyCkFTYUMwNkVDZ1lCeGNBaFRkVG9pWGhkWnNmWCtaMC9mMXJ5ait3WWp2VnlUU0Z2Q0JZVDFnYllVM0VZOHFCTEkKMWZLaCtJeDhuS0U3bzJGMEFzMTVJN1ZNeks0OFF5NnhjbkExa0RPUGFxOXYydTBlUzJyemJhSWhudmZLTFpBZgpxa3NtaHl0bWVCMUxPRGZQZjdFRVgvNWNCOWlkZ0QwVGlzNHMxL1NCWkhaRWJuMVhCd0J1WEE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=</pre>
</div>
 
如果不用客户端，那就需要安装仪表盘了。
1、Linux根目录拷贝文件，附录代码四：recommended.yaml（安装看板），附录代码五：dashboard-svc-account.yaml（配置管理员账户）
2、执行命令：
<div class="cnblogs_code">
<pre>sed -i '/targetPort: 8443/a\ \ \ \ \ \ nodePort: 30001\n\ \ type: NodePort' recommended.yaml</pre>
</div>
3、启动仪表盘服务：
<div class="cnblogs_code">
<pre>kubectl apply -f recommended.yaml</pre>
</div>
4、启动配置账户：
<div class="cnblogs_code">
<pre>kubectl apply -f dashboard-svc-account.yaml</pre>
</div>
 
都成功后，会生成一个token字符串，用来登录web端的令牌的，如果没有拷贝或者丢失了也不怕，可以使用命令查看：
<div class="cnblogs_code">
<pre>kubectl describe secrets -n kube-system `kubectl get secret -n kube-system | grep admin | awk '{print $1}'` | grep '^token'|awk '{print $2}'</pre>
</div>
 
token就是类似这种：
<div class="cnblogs_code">
<pre>eyJhbGciOiJSUzI1NiIsImtpZCI6Ikl5SE00cXFZR1V2cWstQURVcGlUOGk4cTBYekZMV0VmNDEwRy14UTd1d2sifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkYXNoYm9hcmQtYWRtaW4tdG9rZW4tY3JnejYiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGFzaGJvYXJkLWFkbWliwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjYwMGQ0ZjctM2ZhOS00ODIwLWFmMmUtZTJlZDMxYWMyYWFhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmRhc2hib2FyZC1hZG1pbiJ9.BBtdG-S2kHEwRbWIAf6DiUgC3ILUOStPATyWfvxcQs5VJBtLRyMGqQ-AfkUoVLuhZdUv-CGoEJ1OYA00M6MwoehDdkhLFbXF7Xx1IPyhFTHxZ_oXHBPyjEREkTEerarZnvgt0ufU4g_Eqn91jdHet73itz-0abgmLMPkRl5YYjlh36Ivwq9IjKgujLwTNisUFckLuHOscHtQIrjIvAZlWTRh_awMsDHvemAKG_YIjMbyQnXi6VfN3rTW869DA0XAGOF2t7cWBtMmHvmLxVYqpOauUzwXXeYbO9eP0_d9JtVwKv6R0Q7sexRFZ-iTdZBOJDujFI3UT2jsqgVdbagA</pre>
</div>
 
这里再检查下：
查看所有的nodes和pods：
<div class="cnblogs_code">
<pre># kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-7ff77c879f-6m6fl 1/1 Running 0 25m
kube-system coredns-7ff77c879f-dkd56 1/1 Running 0 25m
kube-system etcd-node01 1/1 Running 0 26m
kube-system kube-apiserver-node01 1/1 Running 0 26m
kube-system kube-controller-manager-node01 1/1 Running 0 26m
kube-system kube-flannel-ds-amd64-sdv2h 1/1 Running 0 25m
kube-system kube-proxy-vgf4r 1/1 Running 0 25m
kube-system kube-scheduler-node01 1/1 Running 0 26m
kubernetes-dashboard dashboard-metrics-scraper-78f5d9f487-ldswx 1/1 Running 0 12m
kubernetes-dashboard kubernetes-dashboard-577bd97bc-szvwt 1/1 Running 0 12m</pre>
</div>
 
多了kubernetes-dashboard命名空间下的两个pod。
 
 
<h4>3、配置 node02 子节点（1个文件）</h4>
如果你没有多余的服务器，也可以在master节点做自己的pod的，需要开启下，命令将 master 标记为可调度：
<div class="cnblogs_code">
<pre>sudo kubectl taint nodes --all node-role.kubernetes.io/masteflr-</pre>
</div>
 
如果要配置多个子节点，那就仿照主节点来继续写sh脚本吧（附录代码六：kubernetes_node02.sh），步骤和主节点一致：
1、拷贝到子节点服务器；
2、赋权限，执行文件：./kubernetes_node02.sh
3、这里不用flannel配置；
4、安装完成后，可以join到主节点，配置文件在主节点的key.txt文件里，如果你安装成功了的话；
<div class="cnblogs_code">
<pre>kubeadm join 172.17.10.4:6443 --token q3uu1o.4rdfkcyzxjhawvk1 \
--discovery-token-ca-cert-hash sha256:a755d8f56733ba8f9d1951298b200202fce7b84389954bf7a38558fa6ce2a9c9 </pre>
</div>
 
如果一切正常，可以去主节点查看所有的nodes：
<div class="cnblogs_code">
<pre>NAME STATUS ROLES 　　　　　　　　AGE VERSION
node01 Ready control-plane,master 26h v1.21.0
node02 Ready <none> 　　　　　　　　25h v1.21.0</pre>
</div>
表示我们的子节点已经配置完成。
 
 
<h4>4、配置ASP.Net Core服务</h4>
这里的Deployment+Service的写法比较简单，直接贴出来，就不做过多的解释了。
<div class="cnblogs_code">
<pre>apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: laozhang-op2
name: laozhang-op2
spec:
selector:
matchLabels:
 app: laozhang-op2
replicas: 2
template:
metadata:
 labels:
 app: laozhang-op2
spec:
 containers:
 - name: laozhang-op2
 image: laozhangisphi/apkimg315
 imagePullPolicy: IfNotPresent #pull镜像时机，

---
apiVersion: v1
kind: Service
metadata:
name: laozhang-nodeport-op2
spec:
type: NodePort
ports:
- name: default
protocol: TCP
port: 8081
targetPort: 8081
nodePort: 30099
selector:
app: laozhang-op2 </pre>
<pre><code>---
apiVersion: v1
kind: Service
metadata:
name: laozhang-cluster-svc
spec:
selector:
app: laozhang-op2
ports:
- protocol: TCP
port: 8081
targetPort: 8081 --- </code></pre>
apiVersion: extensions/v1beta1 kind: Ingress metadata:   name: test-ingress   annotations:     nginx.ingress.kubernetes.io/rewrite-target: / spec:   rules:     - host: abctest.neters.club       http:         paths:           - path: /             pathType: ImplementationSpecific             backend:               serviceName: tomcat-svc               servicePort: 8081
<pre><code> </code></pre>
</div>
 
关于简历service有两种方式，上边的这种是nodePort的方式——laozhang-nodeport-op2，直接暴漏端口到公网，
不过平时使用更多的是Ingress的方式，对应的service也都是使用集群的方式，也就是下边那种——laozhang-cluster-svc，官方默认的就是集群的方式，
那使用ingress，就先需要配置ingress的服务。
 
<h4>5、配置Ingress-nginx（1个文件）</h4>
在根目录拷贝文件，附录代码七：mandatory.yaml，配置Ingress-Nginx服务，
这里需要注意下，如果服务器之前已经配置过nginx，需要在mandatory.yaml文件中，修改http-port输出端口，详细内容见下面的代码，有注释。
直接执行yaml：
<div class="cnblogs_code">
<pre>kubectl apply -f mandatory.yaml</pre>
</div>
 
如果没有报错，可以查看所有的pods：
<div class="cnblogs_code">
<pre># kubectl get pods -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default laozhang-op2-5cf487b57f-pdvfg 1/1 Running 0 4h29m
default laozhang-op2-5cf487b57f-vtgwc 1/1 Running 0 4h29m
ingress-nginx nginx-ingress-controller-557475687f-rfl98 1/1 Running 0 122m
kube-system coredns-7ff77c879f-gj4sl 1/1 Running 0 26h
kube-system coredns-7ff77c879f-mqp2q 1/1 Running 0 26h
kube-system etcd-node01 1/1 Running 0 26h
kube-system kube-apiserver-node01 1/1 Running 0 26h
kube-system kube-controller-manager-node01 1/1 Running 0 26h
kube-system kube-flannel-ds-amd64-nmnj2 1/1 Running 0 26h
kube-system kube-proxy-wcjb8 1/1 Running 0 26h
kube-system kube-scheduler-node01 1/1 Running 2 26h
kubernetes-dashboard dashboard-metrics-scraper-78f5d9f487-qp2fw 1/1 Running 0 26h
kubernetes-dashboard kubernetes-dashboard-577bd97bc-2tsj7 1/1 Running 0 26h</pre>
</div>
 
如果和上面一样，那恭喜，一切配置就完成了。
 
 
<h3>附录代码一：kubernetes_node01.sh</h3>
<div class="cnblogs_code">
<pre>#!/bin/bash
##############
##主节点##
##############

#### 第一部分，环境初始化 ####
#k8s版本
version=v1.21.0
kubelet=kubelet-1.21.0-0.x86_64
kubeadm=kubeadm-1.21.0-0.x86_64
kubectl=kubectl-1.21.0-0.x86_64
#集群加入方式
key=/root/key.txt
#部署flannel网络
flannel=/root/kube-flannel.yml
#安装必要依赖
yum -y install vim wget git cmake make gcc gcc-c++ net-tools lrzsz

#### 第二部分，节点配置 ####
#第一步：主机解析，免密登录
#内网ip，配置多节点，也可以不配置，后期通过join的方式
node01=172.21.10.4
#node02=192.168.10.7
#node03=192.168.1.30
hostnamectl set-hostname node01
echo'172.21.10.4 node01
#192.168.10.7 node02
#192.168.1.30 node03' >> /etc/hosts
ssh-keygen
ssh-copy-id-i $node01
#ssh-copy-id-i $node02
#ssh-copy-id-i $node03
#scp /etc/hosts node02:/etc/hosts
#scp /etc/hosts node03:/etc/hosts #第二步：时间同步 systemctl start chronyd systemctl enable chronyd
#第三步：关闭防火墙和急用iptables
systemctl stop firewalld
systemctl disable firewalld #systemctl stop iptables #systemctl disable iptables
#第四步：禁用swap分区
swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab
#第五步：关闭沙盒，禁用selinux
setenforce0
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config
#第六步：打开ipv6
modprobe br_netfilter
modprobeip_vs_rr #第七步：修改Linux的内核参数
cat <<EOF >/etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness = 0
EOF
sysctl -p /etc/sysctl.d/k8s.conf
ls /proc/sys/net/bridge

#### 第三部分，参数/源处理 ####
#安装epel源
yum install -y epel-release
yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vimntpdate libseccomp libtool-ltdl
#时区校准
systemctl enable ntpdate.service
echo '*/30 * * * * /usr/sbin/ntpdate time7.aliyun.com >/dev/null 2>&1' > /tmp/crontab2.tmp
crontab /tmp/crontab2.tmp
systemctl start ntpdate.service
#添加参数
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536">> /etc/security/limits.conf
echo "* hard nproc 65536">> /etc/security/limits.conf
echo "* softmemlockunlimited">> /etc/security/limits.conf
echo "* hard memlockunlimited">> /etc/security/limits.conf
#添加kubernetes的epel源
echo '
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg' > /etc/yum.repos.d/kubernetes.repo
#下载
sudo yum-config-manager \
--add-repo \
https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
yum makecache fast

#### 第四部分，开始安装 ####
yum -y install docker-ce
yum install --enablerepo="kubernetes" $kubelet $kubeadm$kubectl
systemctl enable kubelet.service && systemctl start kubelet.service
systemctl start docker.service &&systemctl enable docker.service
#安装tab快捷键
yum -yinstall bash-completion && source /usr/share/bash-completion/bash_completion && source <(kubectl completion bash) && echo "source <(kubectl completion bash)" >> ~/.bashrc
#创建集群
kubeadm init --apiserver-advertise-address $node01 --kubernetes-version $version --pod-network-cidr=10.244.0.0/16 >> $key2>&1
export KUBECONFIG=/etc/kubernetes/admin.conf #kubectl 配置文件
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
docker pull quay.io/coreos/flannel:v0.12.0-amd64 #安装flannel网络，节点之前通讯
kubectl apply -f $flannel
echo'请手动查看$key文件的密钥将其他节点接入集群'</pre>
</div>
 
PS：如果v1.18版本，可以指定
<pre>--image-repository registry.aliyuncs.com/google_containers </pre>
如果报错的话，就去掉这个参数吧。
错误内容比如：
<blockquote>
: failed to pull image registry.aliyuncs.com/google_containers/coredns/coredns:v1.8.0: output: Error response from daemon: pull access denied for registry.aliyuncs.com/google_containers/coredns/coredns, repository does not exist or may require ‘docker login’: denied: requested access to the resource is denied
</blockquote>
 
 
<h3>附录代码二：kube-flannel.yml</h3>
<div class="cnblogs_code">
<pre>##############
##flannel网络##
##############
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: psp.flannel.unprivileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
spec:
privileged: false
volumes:
- configMap
- secret
- emptyDir
- hostPath
allowedHostPaths:
- pathPrefix: "/etc/cni/net.d"
- pathPrefix: "/etc/kube-flannel"
- pathPrefix: "/run/flannel"
readOnlyRootFilesystem: false
# Users and groups
runAsUser:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
fsGroup:
rule: RunAsAny
# Privilege Escalation
allowPrivilegeEscalation: false
defaultAllowPrivilegeEscalation: false
# Capabilities
allowedCapabilities: ['NET_ADMIN']
defaultAddCapabilities: []
requiredDropCapabilities: []
# Host namespaces
hostPID: false
hostIPC: false
hostNetwork: true
hostPorts:
- min: 0
max: 65535
# SELinux
seLinux:
# SELinux is unused in CaaSP
rule: 'RunAsAny'
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames: ['psp.flannel.unprivileged']
- apiGroups:
 - ""
resources:
 - pods
verbs:
 - get
- apiGroups:
 - ""
resources:
 - nodes
verbs:
 - list
 - watch
- apiGroups:
 - ""
resources:
 - nodes/status
verbs:
 - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-system
labels:
tier: node
app: flannel
data:
cni-conf.json: |
{
 "name": "cbr0",
 "cniVersion": "0.3.1",
 "plugins": [
 {
 "type": "flannel",
 "delegate": {
 "hairpinMode": true,
 "isDefaultGateway": true
 }
 },
 {
 "type": "portmap",
 "capabilities": {
 "portMappings": true
 }
 }
 ]
}
net-conf.json: |
{
 "Network": "10.244.0.0/16",
 "Backend": {
 "Type": "vxlan"
 }
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-amd64
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
 app: flannel
template:
metadata:
 labels:
 tier: node
 app: flannel
spec:
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
 - key: kubernetes.io/os
 operator: In
 values:
 - linux
 - key: kubernetes.io/arch
 operator: In
 values:
 - amd64
 hostNetwork: true
 tolerations:
 - operator: Exists
 effect: NoSchedule
 serviceAccountName: flannel
 initContainers:
 - name: install-cni
 image: quay.io/coreos/flannel:v0.12.0-amd64
 command:
 - cp
 args:
 - -f
 - /etc/kube-flannel/cni-conf.json
 - /etc/cni/net.d/10-flannel.conflist
 volumeMounts:
 - name: cni
 mountPath: /etc/cni/net.d
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 containers:
 - name: kube-flannel
 image: quay.io/coreos/flannel:v0.12.0-amd64
 command:
 - /opt/bin/flanneld
 args:
 - --ip-masq
 - --kube-subnet-mgr
 resources:
 requests:
 cpu: "100m"
 memory: "50Mi"
 limits:
 cpu: "100m"
 memory: "50Mi"
 securityContext:
 privileged: false
 capabilities:
 add: ["NET_ADMIN"]
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
 - name: run
 mountPath: /run/flannel
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
 - name: run
 hostPath:
 path: /run/flannel
 - name: cni
 hostPath:
 path: /etc/cni/net.d
 - name: flannel-cfg
 configMap:
 name: kube-flannel-cfg
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-arm64
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
 app: flannel
template:
metadata:
 labels:
 tier: node
 app: flannel
spec:
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
 - key: kubernetes.io/os
 operator: In
 values:
 - linux
 - key: kubernetes.io/arch
 operator: In
 values:
 - arm64
 hostNetwork: true
 tolerations:
 - operator: Exists
 effect: NoSchedule
 serviceAccountName: flannel
 initContainers:
 - name: install-cni
 image: quay.io/coreos/flannel:v0.12.0-arm64
 command:
 - cp
 args:
 - -f
 - /etc/kube-flannel/cni-conf.json
 - /etc/cni/net.d/10-flannel.conflist
 volumeMounts:
 - name: cni
 mountPath: /etc/cni/net.d
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 containers:
 - name: kube-flannel
 image: quay.io/coreos/flannel:v0.12.0-arm64
 command:
 - /opt/bin/flanneld
 args:
 - --ip-masq
 - --kube-subnet-mgr
 resources:
 requests:
 cpu: "100m"
 memory: "50Mi"
 limits:
 cpu: "100m"
 memory: "50Mi"
 securityContext:
 privileged: false
 capabilities:
 add: ["NET_ADMIN"]
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
 - name: run
 mountPath: /run/flannel
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
 - name: run
 hostPath:
 path: /run/flannel
 - name: cni
 hostPath:
 path: /etc/cni/net.d
 - name: flannel-cfg
 configMap:
 name: kube-flannel-cfg
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-arm
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
 app: flannel
template:
metadata:
 labels:
 tier: node
 app: flannel
spec:
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
 - key: kubernetes.io/os
 operator: In
 values:
 - linux
 - key: kubernetes.io/arch
 operator: In
 values:
 - arm
 hostNetwork: true
 tolerations:
 - operator: Exists
 effect: NoSchedule
 serviceAccountName: flannel
 initContainers:
 - name: install-cni
 image: quay.io/coreos/flannel:v0.12.0-arm
 command:
 - cp
 args:
 - -f
 - /etc/kube-flannel/cni-conf.json
 - /etc/cni/net.d/10-flannel.conflist
 volumeMounts:
 - name: cni
 mountPath: /etc/cni/net.d
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 containers:
 - name: kube-flannel
 image: quay.io/coreos/flannel:v0.12.0-arm
 command:
 - /opt/bin/flanneld
 args:
 - --ip-masq
 - --kube-subnet-mgr
 resources:
 requests:
 cpu: "100m"
 memory: "50Mi"
 limits:
 cpu: "100m"
 memory: "50Mi"
 securityContext:
 privileged: false
 capabilities:
 add: ["NET_ADMIN"]
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
 - name: run
 mountPath: /run/flannel
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
 - name: run
 hostPath:
 path: /run/flannel
 - name: cni
 hostPath:
 path: /etc/cni/net.d
 - name: flannel-cfg
 configMap:
 name: kube-flannel-cfg
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-ppc64le
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
 app: flannel
template:
metadata:
 labels:
 tier: node
 app: flannel
spec:
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
 - key: kubernetes.io/os
 operator: In
 values:
 - linux
 - key: kubernetes.io/arch
 operator: In
 values:
 - ppc64le
 hostNetwork: true
 tolerations:
 - operator: Exists
 effect: NoSchedule
 serviceAccountName: flannel
 initContainers:
 - name: install-cni
 image: quay.io/coreos/flannel:v0.12.0-ppc64le
 command:
 - cp
 args:
 - -f
 - /etc/kube-flannel/cni-conf.json
 - /etc/cni/net.d/10-flannel.conflist
 volumeMounts:
 - name: cni
 mountPath: /etc/cni/net.d
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 containers:
 - name: kube-flannel
 image: quay.io/coreos/flannel:v0.12.0-ppc64le
 command:
 - /opt/bin/flanneld
 args:
 - --ip-masq
 - --kube-subnet-mgr
 resources:
 requests:
 cpu: "100m"
 memory: "50Mi"
 limits:
 cpu: "100m"
 memory: "50Mi"
 securityContext:
 privileged: false
 capabilities:
 add: ["NET_ADMIN"]
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
 - name: run
 mountPath: /run/flannel
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
 - name: run
 hostPath:
 path: /run/flannel
 - name: cni
 hostPath:
 path: /etc/cni/net.d
 - name: flannel-cfg
 configMap:
 name: kube-flannel-cfg
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds-s390x
namespace: kube-system
labels:
tier: node
app: flannel
spec:
selector:
matchLabels:
 app: flannel
template:
metadata:
 labels:
 tier: node
 app: flannel
spec:
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
 nodeSelectorTerms:
 - matchExpressions:
 - key: kubernetes.io/os
 operator: In
 values:
 - linux
 - key: kubernetes.io/arch
 operator: In
 values:
 - s390x
 hostNetwork: true
 tolerations:
 - operator: Exists
 effect: NoSchedule
 serviceAccountName: flannel
 initContainers:
 - name: install-cni
 image: quay.io/coreos/flannel:v0.12.0-s390x
 command:
 - cp
 args:
 - -f
 - /etc/kube-flannel/cni-conf.json
 - /etc/cni/net.d/10-flannel.conflist
 volumeMounts:
 - name: cni
 mountPath: /etc/cni/net.d
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 containers:
 - name: kube-flannel
 image: quay.io/coreos/flannel:v0.12.0-s390x
 command:
 - /opt/bin/flanneld
 args:
 - --ip-masq
 - --kube-subnet-mgr
 resources:
 requests:
 cpu: "100m"
 memory: "50Mi"
 limits:
 cpu: "100m"
 memory: "50Mi"
 securityContext:
 privileged: false
 capabilities:
 add: ["NET_ADMIN"]
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 volumeMounts:
 - name: run
 mountPath: /run/flannel
 - name: flannel-cfg
 mountPath: /etc/kube-flannel/
 volumes:
 - name: run
 hostPath:
 path: /run/flannel
 - name: cni
 hostPath:
 path: /etc/cni/net.d
 - name: flannel-cfg
 configMap:
 name: kube-flannel-cfg</pre>
</div>
 
<h3>附录代码三：key.txt</h3>
<div class="cnblogs_code">
<pre>W0526 16:17:20.680490 13760 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups
Using Kubernetes version: v1.21.0
Running pre-flight checks
: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/
Pulling images required for setting up a Kubernetes cluster
This might take a minute or two, depending on the speed of your internet connection
You can also perform this action in beforehand using 'kubeadm config images pull'
Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
Starting the kubelet
Using certificateDir folder "/etc/kubernetes/pki"
Generating "ca" certificate and key
Generating "apiserver" certificate and key
apiserver serving cert is signed for DNS names and IPs [10.96.0.1 172.17.10.4]
Generating "apiserver-kubelet-client" certificate and key
Generating "front-proxy-ca" certificate and key
Generating "front-proxy-client" certificate and key
Generating "etcd/ca" certificate and key
Generating "etcd/server" certificate and key
etcd/server serving cert is signed for DNS names and IPs [172.17.10.4 127.0.0.1 ::1]
Generating "etcd/peer" certificate and key
etcd/peer serving cert is signed for DNS names and IPs [172.17.10.4 127.0.0.1 ::1]
Generating "etcd/healthcheck-client" certificate and key
Generating "apiserver-etcd-client" certificate and key
Generating "sa" key and public key
Using kubeconfig folder "/etc/kubernetes"
Writing "admin.conf" kubeconfig file
Writing "kubelet.conf" kubeconfig file
Writing "controller-manager.conf" kubeconfig file
Writing "scheduler.conf" kubeconfig file
Using manifest folder "/etc/kubernetes/manifests"
Creating static Pod manifest for "kube-apiserver"
Creating static Pod manifest for "kube-controller-manager"
W0526 16:18:02.560249 13760 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
Creating static Pod manifest for "kube-scheduler"
W0526 16:18:02.561130 13760 manifests.go:225] the default kube-apiserver authorization-mode is "Node,RBAC"; using "Node,RBAC"
Creating static Pod manifest for local etcd in "/etc/kubernetes/manifests"
Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s
All control plane components are healthy after 26.504466 seconds
Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
Creating a ConfigMap "kubelet-config-1.21" in namespace kube-system with the configuration for the kubelets in the cluster
Skipping phase. Please see --upload-certs
Marking the node node01 as control-plane by adding the label "node-role.kubernetes.io/master=''"
Marking the node node01 as control-plane by adding the taints
Using token: q3uu1o.4rdfkcyzxjhawvk1
Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles
configured RBAC rules to allow Node Bootstrap tokens to get nodes
configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
Creating the "cluster-info" ConfigMap in the "kube-public" namespace
Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key
Applied essential addon: CoreDNS
Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f .yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/

Then you can join any number of worker nodes by running the following on each as root:

kubeadm join 172.17.10.4:6443 --token q3uu1o.4rdfkcyzxjhawvk1 \
--discovery-token-ca-cert-hash sha256:a755d8f56733ba8f9d1951298b200202fce7b84389954bf7a38558fa6ce2a9c9 </pre>
</div>
<pre> </pre>
<h3> 附录代码四：recommended.yaml</h3>
 
<div class="cnblogs_code">
<pre># Copyright 2017 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

##############
##安装dashboard##
##############

apiVersion: v1
kind: Namespace
metadata:
name: kubernetes-dashboard

---

apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard

---

kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
ports:
- port: 443
 targetPort: 8443
selector:
k8s-app: kubernetes-dashboard

---

apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque

---

apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
data:
csrf: ""

---

apiVersion: v1
kind: Secret
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque

---

kind: ConfigMap
apiVersion: v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard

---

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
verbs: ["get"]

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kubernetes-dashboard
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard

---

kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
 k8s-app: kubernetes-dashboard
template:
metadata:
 labels:
 k8s-app: kubernetes-dashboard
spec:
 containers:
 - name: kubernetes-dashboard
 image: kubernetesui/dashboard:v2.2.0
 imagePullPolicy: Always
 ports:
 - containerPort: 8443
 protocol: TCP
 args:
 - --auto-generate-certificates
 - --namespace=kubernetes-dashboard
 # Uncomment the following line to manually specify Kubernetes API server Host
 # If not specified, Dashboard will attempt to auto discover the API server and connect
 # to it. Uncomment only if the default does not work.
 # - --apiserver-host=http://my-address:port
 volumeMounts:
 - name: kubernetes-dashboard-certs
 mountPath: /certs
 # Create on-disk volume to store exec logs
 - mountPath: /tmp
 name: tmp-volume
 livenessProbe:
 httpGet:
 scheme: HTTPS
 path: /
 port: 8443
 initialDelaySeconds: 30
 timeoutSeconds: 30
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 1001
 runAsGroup: 2001
 volumes:
 - name: kubernetes-dashboard-certs
 secret:
 secretName: kubernetes-dashboard-certs
 - name: tmp-volume
 emptyDir: {}
 serviceAccountName: kubernetes-dashboard
 nodeSelector:
 "kubernetes.io/os": linux
 # Comment the following tolerations if Dashboard must not be deployed on master
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule

---

kind: Service
apiVersion: v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
ports:
- port: 8000
 targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper

---

kind: Deployment
apiVersion: apps/v1
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
 k8s-app: dashboard-metrics-scraper
template:
metadata:
 labels:
 k8s-app: dashboard-metrics-scraper
 annotations:
 seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
spec:
 containers:
 - name: dashboard-metrics-scraper
 image: kubernetesui/metrics-scraper:v1.0.6
 ports:
 - containerPort: 8000
 protocol: TCP
 livenessProbe:
 httpGet:
 scheme: HTTP
 path: /
 port: 8000
 initialDelaySeconds: 30
 timeoutSeconds: 30
 volumeMounts:
 - mountPath: /tmp
 name: tmp-volume
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 runAsUser: 1001
 runAsGroup: 2001
 serviceAccountName: kubernetes-dashboard
 nodeSelector:
 "kubernetes.io/os": linux
 # Comment the following tolerations if Dashboard must not be deployed on master
 tolerations:
 - key: node-role.kubernetes.io/master
 effect: NoSchedule
 volumes:
 - name: tmp-volume
 emptyDir: {}</pre>
</div>
 
 
 
<h3> 附录代码五：dashboard-svc-account.yaml</h3>
 
<div class="cnblogs_code">
<pre>##############
##配置dashboard管理员账号##
##############

apiVersion: v1
kind: ServiceAccount
metadata:
name: dashboard-admin
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dashboard-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: dashboard-admin
namespace: kube-system</pre>
</div>
 
 
<h3>附录代码六：kubernetes_node02.sh</h3>
 
<div class="cnblogs_code">
<pre>#!/bin/bash
##############
##子节点##
##############

#### 第一部分，环境初始化 ####
#k8s版本
version=v1.21.0
kubelet=kubelet-1.21.0-0.x86_64
kubeadm=kubeadm-1.21.0-0.x86_64
kubectl=kubectl-1.21.0-0.x86_64

#集群加入方式
key=/root/key.txt
#部署flannel网络
flannel=/root/kube-flannel.yml
#安装必要依赖
yum -y install vim wget git cmake make gcc gcc-c++ net-tools lrzsz

#### 第二部分，节点配置 ####
#配置节点，主机解析，免密登录
node01=172.17.10.4
node02=172.17.10.7
# node03=192.168.1.30
hostnamectl set-hostname node02
echo'172.17.10.4 node01
172.17.10.7 node02' >> /etc/hosts
ssh-keygen
ssh-copy-id-i $node01
ssh-copy-id-i $node02
# ssh-copy-id-i $node03
scp /etc/hosts node02:/etc/hosts
# scp /etc/hosts node03:/etc/hosts

#关闭防火墙
systemctl stop firewalld
systemctl disable firewalld
#swap分区关闭
swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab
#关闭沙盒
setenforce0
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/sysconfig/selinux
sed -i "s/^SELINUX=permissive/SELINUX=disabled/g" /etc/selinux/config
#打开ipv6
modprobe br_netfilter
modprobeip_vs_rr
cat <<EOF >/etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
vm.swappiness = 0
EOF
sysctl -p /etc/sysctl.d/k8s.conf
ls /proc/sys/net/bridge

#### 第三部分，参数/源处理 ####
#安装epel源
yum install -y epel-release
yum install -y yum-utils device-mapper-persistent-data lvm2 net-tools conntrack-tools wget vimntpdate libseccomp libtool-ltdl
#时区校准
systemctl enable ntpdate.service
echo '*/30 * * * * /usr/sbin/ntpdate time7.aliyun.com >/dev/null 2>&1' > /tmp/crontab2.tmp
crontab /tmp/crontab2.tmp
systemctl start ntpdate.service
#添加参数
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536">> /etc/security/limits.conf
echo "* hard nproc 65536">> /etc/security/limits.conf
echo "* softmemlockunlimited">> /etc/security/limits.conf
echo "* hard memlockunlimited">> /etc/security/limits.conf
#添加kubernetes的epel源
echo '
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg' > /etc/yum.repos.d/kubernetes.repo
#下载
sudo yum-config-manager \
--add-repo \
https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
yum makecache fast

#### 第四部分，开始安装 ####
yum -y install docker-ce
yum install --enablerepo="kubernetes" $kubelet $kubeadm$kubectl
systemctl enable kubelet.service && systemctl start kubelet.service
systemctl start docker.service &&systemctl enable docker.service
#安装tab快捷键
yum -yinstall bash-completion && source /usr/share/bash-completion/bash_completion && source <(kubectl completion bash) && echo "source <(kubectl completion bash)" >> ~/.bashrc
#创建集群
docker pull quay.io/coreos/flannel:v0.12.0-amd64
echo'请手动查看主节点$key文件的密钥将其他节点接入集群'</pre>
</div>
 
 
<h3> 附录代码七：mandatory.yaml</h3>
<div class="cnblogs_code">
<pre>##############
##配置ingress-nginx服务##
##############
apiVersion: v1
kind: Namespace
metadata:
name: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---

kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-configuration
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
name: tcp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---
kind: ConfigMap
apiVersion: v1
metadata:
name: udp-services
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: nginx-ingress-clusterrole
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
 - ""
resources:
 - configmaps
 - endpoints
 - nodes
 - pods
 - secrets
verbs:
 - list
 - watch
- apiGroups:
 - ""
resources:
 - nodes
verbs:
 - get
- apiGroups:
 - ""
resources:
 - services
verbs:
 - get
 - list
 - watch
- apiGroups:
 - ""
resources:
 - events
verbs:
 - create
 - patch
- apiGroups:
 - "extensions"
 - "networking.k8s.io"
resources:
 - ingresses
verbs:
 - get
 - list
 - watch
- apiGroups:
 - "extensions"
 - "networking.k8s.io"
resources:
 - ingresses/status
verbs:
 - update

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: nginx-ingress-role
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
rules:
- apiGroups:
 - ""
resources:
 - configmaps
 - pods
 - secrets
 - namespaces
verbs:
 - get
- apiGroups:
 - ""
resources:
 - configmaps
resourceNames:
 # Defaults to "<election-id>-<ingress-class>"
 # Here: "<ingress-controller-leader>-<nginx>"
 # This has to be adapted if you change either parameter
 # when launching the nginx-ingress-controller.
 - "ingress-controller-leader-nginx"
verbs:
 - get
 - update
- apiGroups:
 - ""
resources:
 - configmaps
verbs:
 - create
- apiGroups:
 - ""
resources:
 - endpoints
verbs:
 - get

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: nginx-ingress-role-nisa-binding
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nginx-ingress-role
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: nginx-ingress-clusterrole-nisa-binding
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nginx-ingress-clusterrole
subjects:
- kind: ServiceAccount
name: nginx-ingress-serviceaccount
namespace: ingress-nginx

---

apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-ingress-controller
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
replicas: 1
selector:
matchLabels:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
template:
metadata:
 labels:
 app.kubernetes.io/name: ingress-nginx
 app.kubernetes.io/part-of: ingress-nginx
 annotations:
 prometheus.io/port: "10254"
 prometheus.io/scrape: "true"
spec:
 hostNetwork: true
 # wait up to five minutes for the drain of connections
 terminationGracePeriodSeconds: 300
 serviceAccountName: nginx-ingress-serviceaccount
 nodeSelector:
 Ingress: nginx
 kubernetes.io/os: linux
 containers:
 - name: nginx-ingress-controller
 image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.29.0
 args:
 - /nginx-ingress-controller
 - --configmap=$(POD_NAMESPACE)/nginx-configuration
 - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
 - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
 - --publish-service=$(POD_NAMESPACE)/ingress-nginx
 - --annotations-prefix=nginx.ingress.kubernetes.io
 - --http-port=8080 # 如果你的master服务器已经安装了nginx，这里需要修改下，否则无法启动ingress-nginx服务
 - --https-port=8443 # 同上
 securityContext:
 allowPrivilegeEscalation: true
 capabilities:
 drop:
 - ALL
 add:
 - NET_BIND_SERVICE
 # www-data -> 101
 runAsUser: 101
 env:
 - name: POD_NAME
 valueFrom:
 fieldRef:
 fieldPath: metadata.name
 - name: POD_NAMESPACE
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
 ports:
 - name: http
 containerPort: 80
 protocol: TCP
 - name: https
 containerPort: 443
 protocol: TCP
 livenessProbe:
 failureThreshold: 3
 httpGet:
 path: /healthz
 port: 10254
 scheme: HTTP
 initialDelaySeconds: 10
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 10
 readinessProbe:
 failureThreshold: 3
 httpGet:
 path: /healthz
 port: 10254
 scheme: HTTP
 periodSeconds: 10
 successThreshold: 1
 timeoutSeconds: 10
 lifecycle:
 preStop:
 exec:
 command:
 - /wait-shutdown

---

apiVersion: v1
kind: LimitRange
metadata:
name: ingress-nginx
namespace: ingress-nginx
labels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
spec:
limits:
- min:
 memory: 90Mi
 cpu: 100m
type: Container</pre>
</div>
 
 
<h3>参考文献：</h3>
https://blog.csdn.net/qq_37746855/article/details/116173976
https://blog.csdn.net/weixin_46152207/article/details/111355788
https://blog.csdn.net/catcher92/article/details/116207040
https://blog.51cto.com/u_14306186/2523096
 
<pre> </pre> 
来源：https://www.cnblogs.com/laozhang-is-phi/p/14819009.html

頁: [1]

琼殿技术论坛's Archiver

在Linux服务器，一键搭建1.21.0最新版K8s服务【脚本篇】