范范先生 posted on 2022-5-29 12:17:00

Installing Kubernetes v1.24.0 with kubeadm and docker

<p>I. Introduction to Kubernetes</p>
<p>Kubernetes (K8S for short) is an open-source container cluster management system that provides automated deployment, automatic scaling, and maintenance of container clusters. It is both a container orchestration tool and a leading distributed-architecture solution built on container technology. On top of Docker, it gives containerized applications deployment and execution, resource scheduling, service discovery, and dynamic scaling, which makes large container clusters far easier to manage.</p>
<p>A K8S cluster has two kinds of nodes: control-plane (management) nodes and worker nodes. Control-plane nodes manage the cluster: information exchange between nodes, task scheduling, and the lifecycle of containers, Pods, Namespaces, PVs, and so on. Worker nodes supply the compute resources for containers and Pods; every Pod and container runs on a worker node, and each worker node talks to the control plane through the kubelet service to manage container lifecycles and communicates with the other nodes in the cluster.</p>
<p><img src="https://img2022.cnblogs.com/blog/1875656/202205/1875656-20220529121458000-805163363.webp"></p>
<p>II. Parameter tuning and common tool installation</p>
<p>1. Configure hosts</p>
<pre><code class="language-bash">cat &lt;&lt;EOF &gt;&gt; /etc/hosts
192.168.136.128 dev-128
EOF
</code></pre>
<p>2. Disable the firewall, SELinux and swap.</p>
<pre><code class="language-bash">systemctl stop firewalld
systemctl disable firewalld
setenforce 0 # disable immediately for the running system
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config # keep it disabled after reboot
swapoff -a # disable immediately
sed -i '/ swap / s/^/#/' /etc/fstab # keep it disabled after reboot
</code></pre>
<p>3. Configure kernel parameters so that bridged IPv4 traffic is passed to the iptables chains</p>
<pre><code class="language-bash">cat &lt;&lt;EOF &gt;/etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
vm.swappiness=0
EOF

modprobe br_netfilter # load the module first; otherwise applying k8s.conf fails with a load error

sysctl -p /etc/sysctl.d/k8s.conf # apply the configuration file

</code></pre>
<p>4. Configure a China-local (Aliyun) yum mirror</p>
<pre><code class="language-bash">mkdir -p /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
</code></pre>
<p>5. Configure a China-local Kubernetes yum repository</p>
<pre><code class="language-bash">cat &lt;&lt;EOF &gt; /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
# 0 disables RPM signature verification; set gpgcheck=1 to enforce the keys listed in gpgkey
gpgcheck=0
repo_gpgcheck=0
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF
</code></pre>
<p>6. Install common tools</p>
<pre><code class="language-bash">yum clean all; yum makecache; yum update -y;
yum install -y vim wget
</code></pre>
<p>7. Host time synchronization</p>
<pre><code class="language-bash">yum install -y ntp
systemctl enable ntpd &amp;&amp; systemctl start ntpd
cat &lt;&lt;EOF &gt;/etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp.aliyun.com iburst
#server 127.127.1.0 iburst   # local clock
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
systemctl restart ntpd
</code></pre>
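<p>Before moving on to the software installation it is worth confirming that the node preparation above actually took effect: a swap entry that was not commented out, a sysctl key that never loaded because br_netfilter was missing, or an SELinux setting that only changed for the running session are the usual causes of a failed kubeadm preflight or a CNI that never becomes ready. The POSIX shell script below is an added example and not part of the original post. Each check reads the file the earlier steps edited (/etc/sysctl.d/k8s.conf, /etc/fstab, /etc/selinux/config) or the kernel's module listing (/proc/modules); the paths are passed as arguments so the same checks run against copies, and the --live flag is this script's own convention.</p>

```shell
#!/bin/sh
# Added pre-flight check for the node preparation steps (not part of the original post).
# Every check takes the file it inspects as an argument, so it works on the live host
# (sh preflight.sh --live) and on copies or constructed samples alike.

# /etc/sysctl.d/k8s.conf must set the three forwarding keys to 1.
# Accepts "key = 1" and "key=1"; the last occurrence wins, as sysctl does.
check_sysctl_file() {
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.ipv4.ip_forward; do
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
        if [ "$val" != "1" ]; then
            echo "FAIL: $key is '${val:-unset}' in $1 (expected 1)" >&2
            return 1
        fi
    done
    return 0
}

# /etc/fstab must not carry an uncommented swap entry, or swap returns at reboot
# and the kubelet refuses to start.
check_fstab_noswap() {
    if grep -Eq '^[^#]*[[:space:]]swap[[:space:]]' "$1"; then
        echo "FAIL: active swap entry still present in $1" >&2
        return 1
    fi
    return 0
}

# /etc/selinux/config must persist SELINUX=disabled (permissive is also accepted by the kubelet).
check_selinux_config() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$mode" in
        disabled|permissive) return 0 ;;
        *) echo "FAIL: SELINUX=${mode:-unset} in $1" >&2; return 1 ;;
    esac
}

# A kernel module is loaded when it has a line of its own in /proc/modules
# ("br_netfilter 22256 0 - Live 0x..."); a second argument substitutes another listing.
check_module_loaded() {
    if ! grep -q "^$1 " "${2:-/proc/modules}"; then
        echo "FAIL: kernel module $1 is not loaded" >&2
        return 1
    fi
    return 0
}

# Run all checks; the exit status is the number of failed checks.
run_all() {
    failures=0
    check_sysctl_file "$1"                 || failures=$((failures + 1))
    check_fstab_noswap "$2"                || failures=$((failures + 1))
    check_selinux_config "$3"              || failures=$((failures + 1))
    check_module_loaded br_netfilter "$4"  || failures=$((failures + 1))
    echo "preflight: $failures check(s) failed"
    return "$failures"
}

# "--live" inspects the real host; without it the file only defines the functions.
if [ "${1:-}" = "--live" ]; then
    run_all /etc/sysctl.d/k8s.conf /etc/fstab /etc/selinux/config /proc/modules
fi
```

<p>Run it as <code>sh preflight.sh --live</code> right after the sysctl step; a non-zero exit tells you which file to go back to before kubeadm reports the same problem in a less direct way.</p>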
<p>III. Software installation</p>
<p>1. Install docker</p>
<pre><code class="language-bash"># Step 1: install the required system tools
yum install -y yum-utils device-mapper-persistent-data lvm2
# Step 2: add the repository
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# Step 3: refresh the cache and install Docker-CE
yum makecache fast
yum -y install docker-ce
# Step 4: start the Docker service
systemctl start docker
# Step 5: enable it at boot
systemctl enable docker

# change the cgroup driver to systemd (the kubelet is configured the same way below) and set a registry mirror
cat &gt; /etc/docker/daemon.json &lt;&lt; EOF
{
    "exec-opts": ["native.cgroupdriver=systemd"],
    "registry-mirrors":["https://docker.mirrors.ustc.edu.cn/"]
}
EOF

systemctl daemon-reload
systemctl restart docker
</code></pre>
<p>The docker service provides the compute resources for running containers and is the base platform on which every container runs.</p>
<p>2. Install ipset and ipvsadm</p>
<pre><code class="language-bash"># install the ipvs tools
yum install -y ipset ipvsadm

# load the ipvs kernel modules
cat &gt; /etc/sysconfig/modules/ipvs.module &lt;&lt;EOF
#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_sh
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- nf_conntrack
EOF

# make it executable and run it
chmod 755 /etc/sysconfig/modules/ipvs.module &amp;&amp; bash /etc/sysconfig/modules/ipvs.module
</code></pre>
<p>3. Install cri-dockerd</p>
<pre><code class="language-bash"># download the release archive
wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.2.1/cri-dockerd-0.2.1.amd64.tgz
# unpack it
tar -xvf cri-dockerd-0.2.1.amd64.tgz
# copy the binary into place
cp cri-dockerd/cri-dockerd /usr/bin/

# write the systemd service unit
cat &lt;&lt;"EOF" &gt; /usr/lib/systemd/system/cri-docker.service
[Unit]
Description=CRI Interface for Docker Application Container Engine
Documentation=https://docs.mirantis.com
After=network-online.target firewalld.service docker.service
Wants=network-online.target
Requires=cri-docker.socket

[Service]
Type=notify
# the endpoint given here is the criSocket that kubeadm is pointed at in init.default.yaml
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint=unix:///var/run/cri-docker.sock --network-plugin=cni --cni-bin-dir=/opt/cni/bin \
          --cni-conf-dir=/etc/cni/net.d --image-pull-progress-deadline=30s --pod-infra-container-image=registry.aliyuncs.com/google_containers/pause:3.7 \
          --docker-endpoint=unix:///var/run/docker.sock --cri-dockerd-root-directory=/var/lib/docker
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always

# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
# Both the old, and new location are accepted by systemd 229 and up, so using the old location
# to make them work for either version of systemd.
StartLimitBurst=3

# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
# this option work for either version of systemd.
StartLimitInterval=60s

# Having non-zero Limit*s causes performance problems due to accounting overhead
# in the kernel. We recommend using cgroups to do container-local accounting.
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity

# Comment TasksMax if your systemd version does not support it.
# Only systemd 226 and above support this option.
TasksMax=infinity
Delegate=yes
KillMode=process

[Install]
WantedBy=multi-user.target

EOF


# write the socket unit
cat &lt;&lt;"EOF" &gt; /usr/lib/systemd/system/cri-docker.socket
[Unit]
Description=CRI Docker Socket for the API
PartOf=cri-docker.service

[Socket]
ListenStream=/var/run/cri-dockerd.sock
SocketMode=0660
SocketUser=root
SocketGroup=docker

[Install]
WantedBy=sockets.target

EOF


# start cri-dockerd
systemctl daemon-reload
systemctl start cri-docker
# enable it at boot
systemctl enable cri-docker
# check its status
systemctl status cri-docker
</code></pre>
<p>4. Install kubeadm, kubelet and kubectl</p>
<pre><code class="language-bash">yum install -y kubelet kubeadm kubectl --disableexcludes=kubernetes
systemctl enable kubelet

cat &lt;&lt;EOF &gt; /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS="--cgroup-driver=systemd"
EOF
</code></pre>
<p>The kubelet communicates with the rest of the cluster and manages the lifecycle of the Pods and containers on its own node. kubeadm is the Kubernetes automated deployment tool; it lowers the difficulty of deployment and raises efficiency. kubectl is the Kubernetes cluster management tool.</p>
<p>5. Deploy the master node</p>
<p>Get the default initialization configuration file</p>
<pre><code class="language-bash">kubeadm config print init-defaults &gt; init.default.yaml
</code></pre>
<p>Edit the initialization configuration file</p>
<pre><code class="language-yaml">apiVersion: kubeadm.k8s.io/v1beta3
bootstrapTokens:
- groups:
  - system:bootstrappers:kubeadm:default-node-token
  token: abcdef.0123456789abcdef # the well-known sample token emitted by print init-defaults
  ttl: 24h0m0s
  usages:
  - signing
  - authentication
kind: InitConfiguration
localAPIEndpoint:
  advertiseAddress: 192.168.136.128 # this host's IP
  bindPort: 6443
nodeRegistration:
  criSocket: unix:///var/run/cri-docker.sock # use cri-dockerd
  imagePullPolicy: IfNotPresent
  name: dev-128 # this host's hostname
  taints: null
---
apiServer:
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta3
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns: {}
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: registry.aliyuncs.com/google_containers # Aliyun image mirror
kind: ClusterConfiguration
kubernetesVersion: 1.24.0
networking:
  dnsDomain: cluster.local
  serviceSubnet: 172.16.0.0/16 # svc subnet
  podSubnet: 10.224.0.0/16 # pod subnet
scheduler: {}

# select ipvs mode for kube-proxy
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: ipvs
</code></pre>
<p>List and pull the images the K8S cluster needs</p>
<pre><code class="language-bash">kubeadm config images list --config=init.default.yaml
kubeadm config images pull --config=init.default.yaml --v=5
</code></pre>
<p>Run kubeadm init to install the master</p>
<pre><code class="language-bash">kubeadm init --config=init.default.yaml
# reset, if you need to start over
kubeadm reset --cri-socket unix:///var/run/cri-docker.sock
</code></pre>
<p>Copy the admin kubeconfig into the home directory</p>
<pre><code class="language-bash">mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config
</code></pre>
<p>Check the nodes</p>
<pre><code class="language-bash"># kubectl get node
NAME      STATUS   ROLES         AGE   VERSION
dev-128   NotReady   control-plane   32s   v1.24.1
# kubectl get pod -n kube-system
NAME                              READY   STATUS    RESTARTS   AGE
coredns-74586cf9b6-ldkhs          0/1   Pending   0          19s
coredns-74586cf9b6-vwck7          0/1   Pending   0          19s
etcd-dev-128                      1/1   Running   0          34s
kube-apiserver-dev-128            1/1   Running   0          34s
kube-controller-manager-dev-128   1/1   Running   0          35s
kube-proxy-xpghh                  1/1   Running   0          19s
kube-scheduler-dev-128            1/1   Running   0          34s

# remove the control-plane taints so this single node can also schedule workloads
kubectl taint node dev-128 node-role.kubernetes.io/control-plane-
kubectl taint node dev-128 node-role.kubernetes.io/master-
</code></pre>
<p>The node shows NotReady because no network plugin has been deployed yet</p>
<p>6. Install the calico network plugin</p>
<pre><code class="language-bash">kubectl create -f https://projectcalico.docs.tigera.io/manifests/tigera-operator.yaml
curl https://projectcalico.docs.tigera.io/manifests/custom-resources.yaml -O

# edit the pod subnet (the cidr under spec.calicoNetwork.ipPools) to match podSubnet in init.default.yaml
vim custom-resources.yaml
cidr: 10.224.0.0/16

kubectl create -f custom-resources.yaml
</code></pre>
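<p>At this point the same value lives in two files twice over: the pod CIDR is written as podSubnet in init.default.yaml and as cidr in Calico's custom-resources.yaml, and the CRI socket path appears both in the ExecStart line of cri-docker.service and as criSocket in init.default.yaml. A typo in either pair yields pods with no network or a kubelet that cannot reach its runtime, and the error surfaces far from the file that caused it. The POSIX shell script below is an added example, not part of the original post: it pulls each value out with sed and reports any pair that disagrees. The default paths are the ones used in this post, the function names are this example's own, and the values in the test are constructed copies of the post's settings.</p>

```shell
#!/bin/sh
# Added consistency check across the files written above (not part of the original post).
# Default paths are the ones the post uses; pass other paths as arguments.

# Endpoint cri-dockerd serves, from --container-runtime-endpoint= in the unit's ExecStart.
cri_endpoint_from_unit() {
    sed -n 's/.*--container-runtime-endpoint=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# criSocket that kubeadm hands to the kubelet (InitConfiguration.nodeRegistration.criSocket).
cri_socket_from_kubeadm() {
    sed -n 's/^[[:space:]]*criSocket:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Pod CIDR kubeadm configures (ClusterConfiguration.networking.podSubnet).
pod_subnet_from_kubeadm() {
    sed -n 's/^[[:space:]]*podSubnet:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Pod CIDR Calico allocates from (first cidr: under spec.calicoNetwork.ipPools).
pod_cidr_from_calico() {
    sed -n 's/^[[:space:]]*cidr:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Compare both pairs; print every disagreement and return 1 if there was any.
check_consistency() {
    unit="${1:-/usr/lib/systemd/system/cri-docker.service}"
    kubeadm_cfg="${2:-init.default.yaml}"
    calico_cfg="${3:-custom-resources.yaml}"
    rc=0

    ep=$(cri_endpoint_from_unit "$unit")
    sock=$(cri_socket_from_kubeadm "$kubeadm_cfg")
    if [ -z "$ep" ] || [ "$ep" != "$sock" ]; then
        echo "MISMATCH: cri-dockerd serves '${ep:-?}' but kubeadm criSocket is '${sock:-?}'" >&2
        rc=1
    else
        echo "ok: CRI socket $sock"
    fi

    subnet=$(pod_subnet_from_kubeadm "$kubeadm_cfg")
    cidr=$(pod_cidr_from_calico "$calico_cfg")
    if [ -z "$subnet" ] || [ "$subnet" != "$cidr" ]; then
        echo "MISMATCH: kubeadm podSubnet '${subnet:-?}' vs Calico ipPool cidr '${cidr:-?}'" >&2
        rc=1
    else
        echo "ok: pod CIDR $subnet"
    fi
    return "$rc"
}

# Run only when asked (sh check-consistency.sh --run [unit] [kubeadm-config] [calico-config]),
# so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    shift
    check_consistency "$@"
fi
```

<p>Run it from the directory holding init.default.yaml and custom-resources.yaml before <code>kubectl create -f custom-resources.yaml</code>; with Calico's unmodified default of 192.168.0.0/16 it reports the pod CIDR mismatch, which is exactly the edit the step above asks for.</p>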
<p>The node is now Ready</p>
<pre><code class="language-bash"># kubectl get node
NAME      STATUS   ROLES         AGE   VERSION
dev-128   Ready    control-plane   27m   v1.24.1
# kubectl get pod -A -o wide
NAMESPACE          NAME                                    READY   STATUS            RESTARTS      AGE   IP                NODE      NOMINATED NODE   READINESS GATES
calico-apiserver   calico-apiserver-7d46968c4c-8zx5g         0/1   ContainerCreating   0               25s   &lt;none&gt;            dev-128   &lt;none&gt;         &lt;none&gt;
calico-apiserver   calico-apiserver-7d46968c4c-gv4jw         0/1   ContainerCreating   0               25s   &lt;none&gt;            dev-128   &lt;none&gt;         &lt;none&gt;
calico-system      calico-kube-controllers-cfb87bcdc-rxfzj   1/1   Running             0               5m11s   10.224.225.194    dev-128   &lt;none&gt;         &lt;none&gt;
calico-system      calico-node-b5zgg                         1/1   Running             0               5m11s   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
calico-system      calico-typha-8666b5f96d-hhll4             1/1   Running             0               5m11s   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      coredns-74586cf9b6-ldkhs                  1/1   Running             0               27m   10.224.225.195    dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      coredns-74586cf9b6-vwck7                  1/1   Running             0               27m   10.224.225.193    dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      etcd-dev-128                              1/1   Running             4 (6m6s ago)    27m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      kube-apiserver-dev-128                  1/1   Running             4 (5m56s ago)   27m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      kube-controller-manager-dev-128         1/1   Running             4 (6m6s ago)    27m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      kube-proxy-xpghh                        1/1   Running             5 (6m6s ago)    27m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
kube-system      kube-scheduler-dev-128                  1/1   Running             5 (6m6s ago)    27m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
tigera-operator    tigera-operator-5fb55776df-9kxlj          1/1   Running             0               13m   192.168.136.128   dev-128   &lt;none&gt;         &lt;none&gt;
</code></pre>
<p>7. Install ingress-nginx</p>
<pre><code class="language-bash">vim ingress-nginx-deploy.yaml
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: NodePort
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.aliyuncs.com/google_containers/nginx-ingress-controller:v1.2.0
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
          requests:
            cpu: 100m
            memory: 90Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.2.0
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.2.0
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.2.0
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None

kubectl create -f ingress-nginx-deploy.yaml
</code></pre>
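<p>Before applying a manifest this long it pays to list the settings that widen exposure so that each one is accepted deliberately rather than inherited. The awk-based review helper below is an added example and is not part of the original post or of the ingress-nginx project: it walks a multi-document YAML file, tracks each document's kind and metadata.name, and reports three things visible in the manifest above: <code>allow-snippet-annotations: "true"</code> (which lets anyone allowed to create an Ingress object add raw nginx configuration to the shared controller; later ingress-nginx releases default it to false), a Service of <code>type: NodePort</code> (the controller then listens on every node's IP rather than only inside the cluster), and <code>allowPrivilegeEscalation: true</code> (needed by the upstream controller image, but worth a conscious decision). It is line-oriented and tuned to the upstream manifest layout, not a general YAML parser, and its exit status is the number of findings. The sample manifest in the test is constructed.</p>

```shell
#!/bin/sh
# Added review helper for a multi-document Kubernetes manifest (not part of the original
# post or of ingress-nginx). Line-oriented and tuned to the upstream manifest layout
# (2-space indents, "kind:" and metadata "name:" on their own lines); not a YAML parser.
#
# Usage: sh audit-manifest.sh ingress-nginx-deploy.yaml   (exit status = number of findings)
audit_manifest() {
    awk '
    BEGIN { doc = 1; kind = "?"; name = ""; n = 0; total = 0 }

    # document boundary: report what was collected, then reset per-document state
    /^---/ { flush(); doc++; next }

    /^kind:/ { kind = $2 }
    /^  name:/ && name == "" { name = $2 }   # first 2-space "name:" is metadata.name

    /allow-snippet-annotations: *"?true"?/ {
        note("allow-snippet-annotations=true: anyone who can create an Ingress can add raw nginx config")
    }
    /^  type: *NodePort/ {
        note("Service type NodePort: controller reachable on every node IP, not just in-cluster")
    }
    /allowPrivilegeEscalation: *true/ {
        note("allowPrivilegeEscalation=true: required by the upstream controller image, accept knowingly")
    }

    END { flush(); exit (total > 255 ? 255 : total) }

    # findings are buffered per document because "kind:" and "name:" may follow the
    # flagged line (the ConfigMap lists "data:" before "kind:")
    function note(msg) { pending[++n] = NR ": " msg }

    function flush(   i) {
        for (i = 1; i <= n; i++) {
            printf("doc %d (%s %s) line %s\n", doc, kind, name, pending[i])
            total++
        }
        n = 0; kind = "?"; name = ""; split("", pending)
    }
    ' "$1"
}

# With a file argument, audit it; without one the file only defines the function.
if [ -n "${1:-}" ]; then
    audit_manifest "$1"
fi
```

<p>Run against ingress-nginx-deploy.yaml it reports the ConfigMap, the NodePort Service and the controller Deployment by name and line, and exits 3; flipping the ConfigMap value to "false" and the Service to ClusterIP leaves only the controller's allowPrivilegeEscalation finding.</p>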
<p>8. Deploy tomcat</p>
<pre><code class="language-bash">vim tomcat.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
  template:
    metadata:
      labels:
        app: tomcat
    spec:
      containers:
      - name: tomcat
        image: tomcat:8.5.78-jdk8-openjdk
        ports:
        - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-svc
spec:
  selector:
    app: tomcat
  ports:
  - port: 80
    targetPort: 8080

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-ingress
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: tomcat-demo.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc
            port:
              number: 80

kubectl create -f tomcat.yaml
</code></pre>
<p>Check the ingress-nginx svc ports</p>
<pre><code class="language-bash"># kubectl get svc -n ingress-nginx
NAME                                 TYPE      CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
ingress-nginx-controller             NodePort    172.16.170.174   &lt;none&gt;      80:32297/TCP,443:30407/TCP   14m
ingress-nginx-controller-admission   ClusterIP   172.16.9.154   &lt;none&gt;      443/TCP                      14m
</code></pre>
<p>Add a local hosts entry and test access<br>
<img src="https://img2022.cnblogs.com/blog/1875656/202205/1875656-20220529121525450-411514239.webp"></p>
Source: https://www.cnblogs.com/zz-code/p/16323591.html