一步步部署k8s组件(下)
# k8s的CNI网络插件-Flannel
常见的CNI网络插件
Flannel
Calico
Canal
Contiv
OpenContrail
NSX-T
kube-route
github下载地址🤞🤞
# etcd添加子网段(host-gw)
部署了etcd任意主机
# Store flannel's network config in etcd under /coreos.com/network/config (flanneld reads it
# from there). Run from any host that has etcdctl. host-gw: nodes route pod traffic to each
# other directly, without an overlay.
# NOTE(review): if etcd's client endpoint requires TLS, add --ca-file/--cert-file/--key-file
# (etcdctl v2 flags); flanneld itself is handed client certs later on this page, so it may.
net_config_key=/coreos.com/network/config
# set
/opt/etcd/etcdctl set "$net_config_key" '{"network": "172.14.0.0/16","backend": {"Type": "host-gw"}}'
# read back to verify
/opt/etcd/etcdctl get "$net_config_key"
笔记
VxLAN模型-网络隧道
# VxLAN backend: pod traffic is UDP-encapsulated between nodes (does not need the nodes on one L2 segment, which host-gw does).
/opt/etcd/etcdctl set /coreos.com/network/config '{"network": "172.14.0.0/16","backend": {"Type": "VxLAN"}}'
直接路由模型
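# Direct-routing variant: per flannel's backend docs, nodes on the same subnet get a plain route
# (host-gw style) and VxLAN encapsulation is used only for the others. The option is spelled
# "DirectRouting"; the original line also had a stray quote after true, which is not valid JSON
# and would have been rejected when flanneld parsed the config.
flannel_net_config='{"network": "172.14.0.0/16","backend": {"Type": "VxLAN","DirectRouting": true}}'
/opt/etcd/etcdctl set /coreos.com/network/config "$flannel_net_config"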
# 部署flannel
【192.168.14.21,192.168.14.22,所有kubelet 节点】 主机部署flanneld 组网
- 下载,配置证书和脚本
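# Install flannel v0.11.0 under /opt/flannel-v0.11.0 (symlinked as /opt/flannel) on every node.
cd /root/soft
# -p also creates /opt/flannel-v0.11.0 itself; a plain mkdir fails when that parent is missing.
mkdir -p /opt/flannel-v0.11.0/certs
ln -s /opt/flannel-v0.11.0/ /opt/flannel
wget https://github.com/coreos/flannel/releases/download/v0.11.0/flannel-v0.11.0-linux-amd64.tar.gz
# NOTE(review): verify the tarball before extracting, e.g.
#   echo '<EXPECTED_SHA256>  flannel-v0.11.0-linux-amd64.tar.gz' | sha256sum -c
# with the digest taken from a trusted source; the binary is run as root by supervisord.
tar xf flannel-v0.11.0-linux-amd64.tar.gz -C /opt/flannel
cd /opt/flannel/certs
# Upload or copy the 3 pem files [ca.pem client-key.pem client.pem] used to connect to etcd
# (the path suggests these are the same client cert/key the kubernetes components use — confirm).
cp /opt/kubernetes/server/bin/certs/{ca.pem,client-key.pem,client.pem} ./
# Private key readable by root only.
chmod 600 ./*-key.pem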
- 添加网络变量文件
# Create/edit the per-node subnet variables in the flannel dir (interactive; the expected contents follow).
cd /opt/flannel && vi subnet.env
修改子网网段
# Per-node flannel variables. Presumably read by flanneld.sh (the script is not shown here) — confirm.
# FLANNEL_NETWORK must equal the "network" value written to etcd above.
# FLANNEL_SUBNET is this node's own /24 (172.14.21.x on node .21); change it on every node.
FLANNEL_NETWORK=172.14.0.0/16
FLANNEL_SUBNET=172.14.21.1/24
# MTU of the pod interface; host-gw adds no encapsulation overhead, so the NIC MTU is used as-is.
FLANNEL_MTU=1500
# false: flannel does not add its own MASQUERADE rules (the iptables section below manages SNAT by hand).
FLANNEL_IPMASQ=false
# supervisord管理flanneld服务
# supervisord program file for flanneld (contents follow); the program name inside should be unique per node.
vi /etc/supervisord.d/flanneld.ini
; supervisord program entry for flanneld; the "14-21" suffix looks like the node IP (192.168.14.21) — rename per node
[program:flanneld-14-21]
command=/opt/flannel/flanneld.sh ; the program (relative uses PATH, can take args)
numprocs=1 ; number of processes copies to start (def 1)
directory=/opt/flannel ; directory to cwd to before exec (def no cwd)
autostart=true ; start at supervisord start (default: true)
autorestart=true ; restart at unexpected quit (default: true)
startsecs=30 ; number of secs prog must stay running (def. 1)
startretries=3 ; max # of serial start failures (default 3)
exitcodes=0,2 ; 'expected' exit codes for process (default 0,2)
stopsignal=QUIT ; signal used to kill process (default TERM)
stopwaitsecs=10 ; max num secs to wait b4 SIGKILL (default 10)
user=root ; setuid to this UNIX account to run the program (presumably needed for routes/interfaces; a downloaded script runs with full root here)
redirect_stderr=true ; redirect proc stderr to stdout (default false)
stdout_logfile=/data/logs/flanneld/flanneld.stdout.log ; stdout log path (stderr merged in above); the directory must exist before start
stdout_logfile_maxbytes=64MB ; max # logfile bytes b4 rotation (default 50MB)
stdout_logfile_backups=4 ; # of stdout logfile backups (default 10)
stdout_capture_maxbytes=1MB ; number of bytes in 'capturemode' (default 0)
stdout_events_enabled=false ; emit events on stdout writes (default false)
- 创建flanneld日志目录,授权脚本
#添加启动脚本,修改IP
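# Create the log dir supervisord writes to (stdout_logfile in flanneld.ini) before the program starts.
mkdir -p /data/logs/flanneld
# Fetch the start script; it must be edited for this node's IP before use.
# The URL is quoted because "?" is a shell glob character.
wget 'https://download.yfklife.cn/blog/?/flanneld/flanneld.sh' -O /opt/flannel/flanneld.sh
# NOTE(review): read the downloaded script before marking it executable — supervisord runs it as root.
chmod +x /opt/flannel/flanneld.sh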
- 更新supervisorctl 服务
# Reload supervisord's config so it picks up flanneld.ini and starts the program, then confirm it shows RUNNING.
supervisorctl update
supervisorctl status
# flannel之SNAT规则优化
# install iptables
yum install iptables-services -y
# start iptables
systemctl enable iptables.service
systemctl start iptables.service
# delete the default REJECT rules
# NOTE(review): the stock iptables-services ruleset ends INPUT and FORWARD with these REJECT
# rules and leaves the chain policies at ACCEPT, so deleting both rules opens every port the
# node itself listens on (kubelet, docker, etcd, ...) to anything that can reach the host.
# Pod forwarding only needs FORWARD relaxed, and only for the cluster range — e.g.
#   iptables -I FORWARD -s 172.14.0.0/16 -j ACCEPT
#   iptables -I FORWARD -d 172.14.0.0/16 -j ACCEPT
# inserted ahead of the REJECT — while INPUT keeps its REJECT plus explicit ACCEPTs for the
# node ports that other nodes must reach.
iptables-save |grep -i reject
iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
# adjust the MASQUERADE rule
# Replace the blanket SNAT for this node's pod subnet with one that skips pod-to-pod traffic,
# so destination pods see the real source pod IP rather than the node IP.
# -s is this node's FLANNEL_SUBNET (172.14.21.0/24 on node .21) — change it per node.
iptables-save |grep -i postrouting
iptables -t nat -D POSTROUTING -s 172.14.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.14.21.0/24 ! -d 172.14.0.0/16 ! -o docker0 -j MASQUERADE
# save
# Persist so iptables-services restores the rules at boot. Docker typically re-creates its own
# rules when it starts, so re-check with iptables-save after a reboot.
iptables-save >/etc/sysconfig/iptables
在重启机器的时候,发现iptables未起来,暂时没有找到解决办法
# coreDNS
- 优缺点
优点
非常灵活的配置,可以根据不同的需求给不同的域名配置不同的插件
k8s 1.9 版本后的默认的 dns 解析
缺点
缓存的效率不如 dnsmasq,对集群内部域名解析的速度不如 kube-dns (10% 左右)
性能
对于内部域名解析 KubeDNS 要优于 CoreDNS 大约 10%,可能是因为 dnsmasq 对于缓存的优化会比 CoreDNS 要好
对于外部域名 CoreDNS 要比 KubeDNS 好 3 倍。但这个值大家看看就好,因为 kube-dns 不会缓存 Negative cache。但即使 kubeDNS 使用了 Negative cache,表现仍然也差不多
CoreDNS 的内存占用情况会优于 KubeDNS
# coreDNS部署
coreDNS的github托管地址
coreDNS的docker仓库地址
- 拉取镜像,打tag
#拉起官方镜像,上传到私服
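# Mirror the upstream coredns image into the private harbor registry.
# NOTE(review): to pin exactly the image that was reviewed, pull by digest
# (coredns/coredns@sha256:<DIGEST>, taken from the registry) rather than by a mutable tag.
src_image=coredns/coredns:1.6.1
dst_image=harbor.yfklife.cn/public/coredns/coredns:1.6.1
docker pull "$src_image"
# Tag by name rather than the image ID c0f6e815079e, which has to be looked up by hand and
# changes with every new image build.
docker tag "$src_image" "$dst_image"
docker push "$dst_image"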
- 获取资源清单
github下载链接coredns.yaml
拆分成单个服务yaml
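# Working dir for downloaded manifests; -p is a no-op when it already exists.
mkdir -p /opt/application
cd /opt/application
# -O pins the local filename so the unzip below always finds it (the "?/" short-link URL may
# not yield that name on its own); the URL is quoted because "?" is a shell glob character.
wget -O coredns-v1.6.1.zip 'https://download.yfklife.cn/blog/?/coredns/coredns-v1.6.1.zip'
# NOTE(review): third-party manifests that create RBAC objects and kube-system workloads — read them before applying.
unzip coredns-v1.6.1.zip && cd coredns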
- 创建应用
# Apply the split coredns manifests in dependency order: RBAC first, Service last.
for manifest in rbac.yaml ConfigMap.yaml Deployment.yaml Service.yaml; do
  kubectl apply -f "$manifest"
done
# pod status
kubectl get all -n kube-system
- 陈述式创建deployment和service,检查
#创建
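# Imperatively create a test deployment plus a ClusterIP service, then check that cluster DNS resolves it.
kubectl create deployment nginx-dp --image=harbor.yfklife.cn/public/nginx:1.13.6 -n kube-public
kubectl expose deployment nginx-dp --port=80 -n kube-public
# check
kubectl get all -n kube-public
# dig's -t takes the record type ("A"); the original "-t -A" is not a valid type.
# 10.254.0.2 is assumed to be the coredns Service IP from Service.yaml — verify.
dig -t A nginx-dp.kube-public.svc.cluster.local. @10.254.0.2 +short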
# Traefik
Ingress 是k8s API的标准资源类型之一,也是一种核心资源,它其实就是一种基于域名和URL路径,把用户的请求转发至指定Service资源的规则,可以将集群外部的请求流量,转发至集群内部,从而实现“服务暴露”
Ingress只能调度并暴露7层应用,特指http和https协议
dockerHub下载地址
# traefik部署
# 获取资源清单
V1.7.34
- 下载docker镜像
# Mirror traefik v1.7.34 (alpine variant) into the private harbor registry under a shorter tag.
upstream_ref=traefik:v1.7.34-alpine
harbor_ref=harbor.yfklife.cn/public/traefik:v1.7.34
docker pull "$upstream_ref"
docker tag "$upstream_ref" "$harbor_ref"
docker push "$harbor_ref"
github获取资源清单v1.7
- 配置k8s yaml文件
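cd /opt/application
# -O pins the local filename so the unzip below always finds it.
wget -O traefik-v1.7.34.zip https://download.yfklife.cn/blog/public/kubernetes/traefik-v1.7.34.zip
# NOTE(review): the archive contains RBAC and DaemonSet manifests — read them before applying.
unzip traefik-v1.7.34.zip && cd traefik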
V2.4.6
- 下载docker镜像
# Mirror traefik 2.4.6 into the private harbor registry (tag gets a "v" prefix there).
upstream_ref=traefik:2.4.6
harbor_ref=harbor.yfklife.cn/public/traefik:v2.4.6
docker pull "$upstream_ref"
docker tag "$upstream_ref" "$harbor_ref"
docker push "$harbor_ref"
- 配置k8s yaml文件
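cd /opt/application
# -O pins the local filename so the unzip below always finds it (the "?/" short-link URL may
# not yield that name on its own); the URL is quoted because "?" is a shell glob character.
wget -O traefik-v2.zip 'https://download.yfklife.cn/blog/?/traefik/traefik-v2.zip'
# NOTE(review): the archive contains RBAC and DaemonSet manifests — read them before applying.
unzip traefik-v2.zip && cd traefik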
# 创建应用
#创建空间名
kubectl create ns traefik
#创建
kubectl apply -f rabc-traefik.yaml
kubectl apply -f DaemonSet-traefik.yaml
kubectl apply -f Service-traefik.yaml
kubectl apply -f dashboard.yaml
#查看
kubectl get -n traefik all
kubectl get ingressroutes.traefik.containo.us -n traefik
说明
1.node计算节点【192.168.14.21,192.168.14.22】
2.在这里我的"hostPort: 3000"暴露的端口是3000
3.在nginx主备节点都需要配置【192.168.14.11,192.168.14.12】,防止以后nginx出现故障,而找不到traefik的nginx配置
4.nginx通过keepalived做的虚拟IP漂移,在bind服务器域名解析用虚拟IP【192.168.14.10】
# traefik使用hostPort
#创建空间名
kubectl create ns traefik
#创建
kubectl apply -f rabc-traefik.yaml
kubectl apply -f DaemonSet-traefik-hostport.yaml #如果端口占用修改args端口
kubectl apply -f dashboard.yaml
#查看
kubectl get -n traefik all
kubectl get ingressroutes.traefik.containo.us -n traefik
# 添加nginx配置
模糊匹配,如果需要配置https,可以使用泛域名证书
# Edit the site config on BOTH nginx nodes (192.168.14.11 and .12) so a keepalived failover still reaches traefik.
vi /etc/nginx/sites-enabled/yfklife.cn.conf
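# Wildcard host match for *.yfklife.cn, forwarded to traefik's hostPort 3000 on the two node hosts.
upstream backend_traefik {
    server 192.168.14.21:3000 max_fails=3 fail_timeout=10s;
    server 192.168.14.22:3000 max_fails=3 fail_timeout=10s;
}
server {
    server_name *.yfklife.cn;
    # Plain HTTP: anything behind traefik that uses basic auth (the dashboard below) sends
    # its credentials in cleartext on this hop; enable the TLS lines to terminate HTTPS here.
    listen 80;
    #listen 443 ssl;
    #ssl_certificate ssl/yfklife.cn.crt;
    #ssl_certificate_key ssl/yfklife.cn.key;
    #ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated; offer only 1.2+ (TLSv1.3 needs nginx built with OpenSSL 1.1.1+).
    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    #ssl_prefer_server_ciphers on;
    #ssl_session_cache shared:SSL:10m;
    location / {
        proxy_pass http://backend_traefik;
        # Keep the original Host so traefik's Host() rules match.
        proxy_set_header Host $http_host;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        # Tell traefik/backends whether the client used http or https.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}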
访问:http://traefik.yfklife.cn/
- traefik_v1.7
- traefik_v2
加Basic认证(traefik_v2)
这里生成的用户密码信息,因为还需要在 kubernetes 中作为 Secret 资源对象来使用,所以还需要再进行一次 base64 编码
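# htpasswd comes from httpd-tools; it generates the "user:hash" line stored in the Secret.
yum install httpd-tools -y
# Prompt for the password instead of passing it with -b: an argv password lands in shell
# history and is visible in ps. The original unquoted "Admin@#$234" would also have had
# "$2" expanded by the shell (empty in an interactive shell), so the hashed password would
# have been "Admin@#34", not the one the page says to log in with.
# -B hashes with bcrypt instead of the default apr1-MD5 (traefik accepts both).
# -w0 keeps the base64 on one line, as needed for the Secret's data: field.
htpasswd -nB admin | base64 -w0
# Example output of the original "htpasswd -nb admin ... | base64" run (yours will differ):
# YWRtaW46JGFwcjEkdVZIc0IwUVUkUUVld1lvUlJhaWlTMHlPRlBXU1ZKMQoK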
- 生成ingress
# Secret (users) + Middleware (basicAuth) + IngressRoute for the dashboard, in one file; contents follow.
vi authsecret-dashboard.yaml
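# Basic-auth protection for the traefik dashboard (traefik v2). Indentation restored: the
# page had every line at column 0, which is not valid YAML for the nested fields.
apiVersion: v1
kind: Secret
metadata:
  name: authsecret
  namespace: traefik
data:
  # base64 of the "user:hash" line from htpasswd. base64 is encoding, not encryption:
  # keep this file out of shared/public repos, or keep the value out of the file entirely.
  users: YWRtaW46JGFwcjEkY0VWVTd5Y04kVmdFWmxxclpycjY1QW9mVGh3SjB2MAoK
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
  namespace: traefik
spec:
  basicAuth:
    secret: authsecret
    # strip the Authorization header before the request reaches the backend
    removeHeader: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  # "web" is plain HTTP: the basic-auth credentials travel in cleartext unless TLS is
  # terminated in front of traefik (the nginx config on this page has it commented out).
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.yfklife.cn`)
      kind: Rule
      services:
        - name: api@internal # built-in dashboard/API service
          kind: TraefikService
      middlewares:
        - name: dashboard-auth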
- 创建ingress
# Remove the unauthenticated dashboard IngressRoute created earlier, then apply the
# Secret + Middleware + IngressRoute that requires basic auth.
kubectl delete -f dashboard.yaml # delete the ingress created just before
kubectl apply -f authsecret-dashboard.yaml
再次访问就需要输入用户密码访问了: admin/Admin@#$234
# 个人存储下载地址。。。
flanneld.sh
flannel-v0.11.0-linux-amd64.tar.gz
coredns-v1.6.1.zip
traefik-v1.7.34.zip
traefik-v2.zip