Advanced k8s HA Cluster Setup (Part 1)
Preface
After getting a taste of k8s, we wanted to bring it into production to speed up business iteration. Production, however, comes with one requirement: the k8s cluster must have no single point of failure. In other words, the cluster has to be highly available. Below are two of the currently popular ways to make the k8s masters highly available.
Introduction
The first kind of k8s HA cluster is, in my view, better described as an active/standby cluster. It consists of three masters, with three keepalived instances providing a single VIP as the apiserver entry point. The keepalived priorities (weights) decide which master holds the VIP, worker nodes reach that master through the VIP, and the other two masters stay in sync through the etcd cluster.
Drawback: high availability here depends entirely on keepalived. As long as the highest-priority node is healthy, all traffic goes through the primary master; only when the primary fails or goes down can the VIP move to one of the two standby masters. The primary master therefore carries all the load while the other two may never serve a request, which wastes resources.
Still, it does eliminate the single point of failure.
Below is the ideal HA architecture:
(Figure: ideal k8s HA architecture)
And the architecture deployed in this article:
(Figure: this article's HA architecture; the diagrams above are taken from https://www.kubernetes.org.cn/3536.html)
With that settled, here is the technology stack used in this article:
keepalived+etcd+k8s master
keepalived provides the VIP that worker nodes use as the apiserver entry point; etcd must run as a highly available cluster for data replication; on top of that, a standard k8s master is deployed on each of the three nodes.
Preparation
Node layout and software versions:
docker 17.03.2-ce
socat-1.7.3.2-2.el7.x86_64
kubelet-1.10.0-0.x86_64
kubernetes-cni-0.6.0-0.x86_64
kubectl-1.10.0-0.x86_64
kubeadm-1.10.0-0.x86_64
These packages were introduced, with download links, in my previous article on the basic k8s cluster setup.
Environment configuration
systemctl stop firewalld
systemctl disable firewalld
Set the hostname on each node, then write /etc/hosts:
cat <<EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.1 master1
192.168.100.2 master2
192.168.100.3 master3
EOF
swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab
setenforce 0
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536" >> /etc/security/limits.conf
echo "* hard nproc 65536" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.bridge.bridge-nf-call-iptables=1
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
sysctl -p
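If you prefer not to edit /etc/sysctl.conf by hand, the same settings can go into a drop-in file instead; a minimal sketch (the file name k8s.conf is my own choice):
cat <<EOF > /etc/sysctl.d/k8s.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
sysctl --system    # reload settings from all sysctl configuration files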
Installing keepalived
Download keepalived and its libnfnetlink-devel dependency (libnfnetlink-devel-1.0.1-4.el7.x86_64.rpm):
wget http://www.keepalived.org/software/keepalived-1.4.3.tar.gz
yum install -y libnfnetlink-devel-1.0.1-4.el7.x86_64.rpm
yum -y install libnl libnl-devel
tar -xzvf keepalived-1.4.3.tar.gz
cd keepalived-1.4.3
./configure --prefix=/usr/local/keepalived # check the build environment
If ./configure completes without errors, the environment is ready. If instead you see:
checking openssl/ssl.h usability... no
checking openssl/ssl.h presence... no
checking for openssl/ssl.h... no
configure: error:
!!! OpenSSL is not properly installed on your system. !!!
!!! Can not include OpenSSL headers files. !!!
then install the openssl and openssl-devel packages and re-run configure:
yum install openssl openssl-devel
./configure --prefix=/usr/local/keepalived
make && make install
cp keepalived/etc/init.d/keepalived /etc/init.d/
mkdir /etc/keepalived
cp /usr/local/keepalived/etc/keepalived/keepalived.conf /etc/keepalived/
cp keepalived/etc/sysconfig/keepalived /etc/sysconfig/
cp /usr/local/keepalived/sbin/keepalived /usr/sbin/
ps -aux |grep keepalived
chkconfig keepalived on
Check the service with systemctl status keepalived.
Repeat the steps above on all three masters until keepalived is installed on each.
Once installed, write the configuration files.
keepalived.conf on master1
cat >/etc/keepalived/keepalived.conf <<EOF
global_defs {
    router_id LVS_k8s
}
vrrp_script CheckK8sMaster {
    script "curl -k https://192.168.100.4:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}
vrrp_instance VI_1 {
    state MASTER
    interface ens33            # name of the local physical NIC; check with ip a
    virtual_router_id 61
    priority 120               # highest on the primary node, lower on each backup
    advert_int 1
    mcast_src_ip 192.168.100.1 # change to the local IP
    nopreempt
    authentication {
        auth_type PASS
        auth_pass awzhXylxy.T
    }
    unicast_peer {
        # comment out the local IP
        #192.168.100.1
        192.168.100.2
        192.168.100.3
    }
    virtual_ipaddress {
        192.168.100.4/22       # VIP
    }
    track_script {
        #CheckK8sMaster        # keep this commented out until k8s is deployed, otherwise the check fails and causes errors
    }
}
EOF
keepalived.conf on master2
cat >/etc/keepalived/keepalived.conf <<EOF
global_defs {
    router_id LVS_k8s
}
vrrp_script CheckK8sMaster {
    script "curl -k https://192.168.100.4:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33            # name of the local physical NIC; check with ip a
    virtual_router_id 61
    priority 110               # highest on the primary node, lower on each backup
    advert_int 1
    mcast_src_ip 192.168.100.2 # change to the local IP
    nopreempt
    authentication {
        auth_type PASS
        auth_pass awzhXylxy.T
    }
    unicast_peer {
        # comment out the local IP
        192.168.100.1
        #192.168.100.2
        192.168.100.3
    }
    virtual_ipaddress {
        192.168.100.4/22       # VIP
    }
    track_script {
        #CheckK8sMaster        # keep this commented out until k8s is deployed, otherwise the check fails and causes errors
    }
}
EOF
keepalived.conf on master3
cat >/etc/keepalived/keepalived.conf <<EOF
global_defs {
    router_id LVS_k8s
}
vrrp_script CheckK8sMaster {
    script "curl -k https://192.168.100.4:6443"
    interval 3
    timeout 9
    fall 2
    rise 2
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33            # name of the local physical NIC; check with ip a
    virtual_router_id 61
    priority 100               # highest on the primary node, lower on each backup
    advert_int 1
    mcast_src_ip 192.168.100.3 # change to the local IP
    nopreempt
    authentication {
        auth_type PASS
        auth_pass awzhXylxy.T
    }
    unicast_peer {
        # comment out the local IP
        192.168.100.1
        192.168.100.2
        #192.168.100.3
    }
    virtual_ipaddress {
        192.168.100.4/22       # VIP
    }
    track_script {
        #CheckK8sMaster        # keep this commented out until k8s is deployed, otherwise the check fails and causes errors
    }
}
EOF
Start keepalived
systemctl restart keepalived
Run ip a to check: besides the host's own address, one of the masters should now carry the virtual IP. You can also ping the VIP to verify that it is active.
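A quick way to see which master currently holds the VIP (assuming the NIC is ens33 and the VIP is 192.168.100.4, as configured above):
ip addr show ens33 | grep -q '192.168.100.4' \
  && echo "this node holds the VIP" \
  || echo "VIP is on another node"
ping -c 3 192.168.100.4    # should get replies from anywhere on the subnet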
Installing etcd
1: Set up the cfssl environment
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64
chmod +x cfssl_linux-amd64
mv cfssl_linux-amd64 /usr/local/bin/cfssl
chmod +x cfssljson_linux-amd64
mv cfssljson_linux-amd64 /usr/local/bin/cfssljson
chmod +x cfssl-certinfo_linux-amd64
mv cfssl-certinfo_linux-amd64 /usr/local/bin/cfssl-certinfo
export PATH=/usr/local/bin:$PATH
2: Create the CA configuration files (the IPs below are the etcd node IPs)
mkdir /root/ssl
cd /root/ssl
cat > ca-config.json <<EOF
{"signing": {"default": { "expiry": "8760h"},"profiles": { "kubernetes-Soulmate": { "usages": [ "signing", "key encipherment", "server auth", "client auth" ], "expiry": "8760h" }}}}EOF
cat > ca-csr.json <<EOF
{"CN": "kubernetes-Soulmate","key": {"algo": "rsa","size": 2048},"names": [{ "C": "CN", "ST": "shanghai", "L": "shanghai", "O": "k8s", "OU": "System"}]}EOF
cfssl gencert -initca ca-csr.json | cfssljson -bare ca
cat > etcd-csr.json <<EOF
{ "CN": "etcd", "hosts": [ "127.0.0.1", "192.168.100.1", "192.168.100.2", "192.168.100.3" ], "key": { "algo": "rsa", "size": 2048 }, "names": [ { "C": "CN", "ST": "shanghai", "L": "shanghai", "O": "k8s", "OU": "System" } ]}EOF
cfssl gencert -ca=ca.pem \
-ca-key=ca-key.pem \
-config=ca-config.json \
-profile=kubernetes-Soulmate etcd-csr.json | cfssljson -bare etcd
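Before distributing the certificate, you can optionally confirm it contains the expected hosts; either command below works (cfssl-certinfo was installed in step 1):
cfssl-certinfo -cert etcd.pem | grep -A6 '"sans"'
openssl x509 -in etcd.pem -noout -text | grep -A1 'Subject Alternative Name'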
3: Distribute the etcd certificates from master1 to master2 and master3
mkdir -p /etc/etcd/ssl
cp etcd.pem etcd-key.pem ca.pem /etc/etcd/ssl/
ssh -n master2 "mkdir -p /etc/etcd/ssl && exit"
ssh -n master3 "mkdir -p /etc/etcd/ssl && exit"
scp -r /etc/etcd/ssl/*.pem master2:/etc/etcd/ssl/
scp -r /etc/etcd/ssl/*.pem master3:/etc/etcd/ssl/
Download etcd-v3.3.2-linux-amd64.tar.gz, unpack it, and install:
wget https://github.com/coreos/etcd/releases/download/v3.3.2/etcd-v3.3.2-linux-amd64.tar.gz
tar -xzvf etcd-v3.3.2-linux-amd64.tar.gz
cd etcd-v3.3.2-linux-amd64
cp etcd* /bin/
# verify the installation
etcd -version
etcd Version: 3.3.2
Git SHA: c9d46ab37
Go Version: go1.9.4
Go OS/Arch: linux/amd64
etcdctl -version
etcdctl version: 3.3.2
API version: 2
Create an etcd data directory on every master:
mkdir -p /u03/etcd/
You can choose a different data path, but remember to adjust it in the unit files below.
master1
cat <<EOF >/etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/u03/etcd/
ExecStart=/usr/bin/etcd \
--name master1 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--initial-advertise-peer-urls https://192.168.100.1:2380 \
--listen-peer-urls https://192.168.100.1:2380 \
--listen-client-urls https://192.168.100.1:2379,http://127.0.0.1:2379 \
--advertise-client-urls https://192.168.100.1:2379 \
--initial-cluster-token etcd-cluster-0 \
--initial-cluster master1=https://192.168.100.1:2380,master2=https://192.168.100.2:2380,master3=https://192.168.100.3:2380 \
--initial-cluster-state new \
--data-dir=/u03/etcd/
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
master2
cat <<EOF >/etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/u03/etcd/
ExecStart=/usr/bin/etcd \
--name master2 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--initial-advertise-peer-urls https://192.168.100.2:2380 \
--listen-peer-urls https://192.168.100.2:2380 \
--listen-client-urls https://192.168.100.2:2379,http://127.0.0.1:2379 \
--advertise-client-urls https://192.168.100.2:2379 \
--initial-cluster-token etcd-cluster-0 \
--initial-cluster master1=https://192.168.100.1:2380,master2=https://192.168.100.2:2380,master3=https://192.168.100.3:2380 \
--initial-cluster-state new \
--data-dir=/u03/etcd/
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
master3
cat <<EOF >/etc/systemd/system/etcd.service
[Unit]
Description=Etcd Server
After=network.target
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/coreos
[Service]
Type=notify
WorkingDirectory=/u03/etcd/
ExecStart=/usr/bin/etcd \
--name master3 \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem \
--peer-cert-file=/etc/etcd/ssl/etcd.pem \
--peer-key-file=/etc/etcd/ssl/etcd-key.pem \
--trusted-ca-file=/etc/etcd/ssl/ca.pem \
--peer-trusted-ca-file=/etc/etcd/ssl/ca.pem \
--initial-advertise-peer-urls https://192.168.100.3:2380 \
--listen-peer-urls https://192.168.100.3:2380 \
--listen-client-urls https://192.168.100.3:2379,http://127.0.0.1:2379 \
--advertise-client-urls https://192.168.100.3:2379 \
--initial-cluster-token etcd-cluster-0 \
--initial-cluster master1=https://192.168.100.1:2380,master2=https://192.168.100.2:2380,master3=https://192.168.100.3:2380 \
--initial-cluster-state new \
--data-dir=/u03/etcd/
Restart=on-failure
RestartSec=5
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target
EOF
Run the following on every master to start the etcd cluster:
cd /etc/systemd/system/
mv etcd.service /usr/lib/systemd/system/
systemctl daemon-reload
systemctl enable etcd
systemctl restart etcd
systemctl status etcd
Check that the cluster is healthy:
etcdctl --endpoints=https://192.168.100.1:2379,https://192.168.100.2:2379,https://192.168.100.3:2379 \
--ca-file=/etc/etcd/ssl/ca.pem \
--cert-file=/etc/etcd/ssl/etcd.pem \
--key-file=/etc/etcd/ssl/etcd-key.pem cluster-health
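The check above uses the etcdctl v2 flags. If you prefer the v3 API, an equivalent health check (note the different flag names) looks like this:
ETCDCTL_API=3 etcdctl \
  --endpoints=https://192.168.100.1:2379,https://192.168.100.2:2379,https://192.168.100.3:2379 \
  --cacert=/etc/etcd/ssl/ca.pem \
  --cert=/etc/etcd/ssl/etcd.pem \
  --key=/etc/etcd/ssl/etcd-key.pem \
  endpoint health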
With keepalived and etcd in place, we can start deploying k8s.
Install docker and the k8s rpm packages, and load the k8s images; see my previous article on the basic k8s cluster setup.
Modify the kubelet configuration on all nodes:
sed -i -e 's/cgroup-driver=systemd/cgroup-driver=cgroupfs/g' /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
Restart kubelet:
systemctl daemon-reload && systemctl restart kubelet
Initialize the cluster: create the cluster configuration file
# generate a token
# save the token; it will be needed again later
kubeadm token generate
We use CoreDNS for in-cluster DNS resolution and canal as the network plugin.
cat <<EOF > config.yaml
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
etcd:
  endpoints:
  - https://192.168.100.1:2379
  - https://192.168.100.2:2379
  - https://192.168.100.3:2379
  caFile: /etc/etcd/ssl/ca.pem
  certFile: /etc/etcd/ssl/etcd.pem
  keyFile: /etc/etcd/ssl/etcd-key.pem
  dataDir: /var/lib/etcd
networking:
  podSubnet: 10.244.0.0/16
kubernetesVersion: 1.10.0
api:
  advertiseAddress: "192.168.100.4"  # the keepalived VIP
token: "hpobow.vw1g1ya5dre7sq06"     # the token saved above
tokenTTL: "0s"                       # never expires
apiServerCertSANs:
- master1
- master2
- master3
- 192.168.100.1
- 192.168.100.2
- 192.168.100.3
- 192.168.100.4
featureGates:
  CoreDNS: true
EOF
When the file is ready, run kubeadm init --config config.yaml on master1.
If it fails, run journalctl -xeu kubelet to inspect the kubelet startup logs, or follow whatever the error output points to.
You can reset with kubeadm reset.
Note: if etcd has already stored data, clear the etcd data directory before retrying.
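One possible reset sequence for the layout used in this article (etcd data under /u03/etcd/ on every master). It wipes the entire etcd cluster, so only use it when you intend to start the initialization over:
kubeadm reset                 # undo the failed kubeadm init on this master
systemctl stop etcd           # run on every master before wiping data
rm -rf /u03/etcd/*            # clear the data directory configured earlier
systemctl start etcd          # the cluster re-bootstraps (initial-cluster-state is "new"); then retry kubeadm init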
On success you will see output like the following:
Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
https://kubernetes.io/docs/concepts/cluster-administration/addons/
You can now join any number of machines by running the following on each node
as root:
kubeadm join 192.168.100.1:6443 --token hpobow.vw1g1ya5dre7sq06 --discovery-token-ca-cert-hash sha256:f79b68fb698c92b9336474eb3bf184e847fgerbc58a6296911892662b98b1315
As the output says, kubectl cannot manage the cluster yet; configure the environment first.
For a non-root user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
For root:
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
Source the profile:
source ~/.bash_profile
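A quick sanity check that kubectl can now talk to the control plane:
kubectl cluster-info              # prints the apiserver and DNS endpoints
kubectl get componentstatuses     # scheduler, controller-manager and etcd should report Healthy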
Distribute the certificates and key files generated by kubeadm to master2 and master3:
scp -r /etc/kubernetes/pki master2:/etc/kubernetes/
scp -r /etc/kubernetes/pki master3:/etc/kubernetes/
Deploy the canal network; run this on master1:
kubectl apply -f \
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
kubectl apply -f \
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
Pulling the images may take some time. Alternatively, download the yaml files first, edit the image paths, and point them at images you have already pulled:
wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
wget https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml
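If the images are mirrored to a private registry, you can rewrite the image references in the downloaded files before applying them. A sketch (the target path 192.168.220.84/third_party matches the private registry used later in this article, and it assumes the upstream images in canal.yaml live under quay.io; adjust both patterns to your own naming):
sed -i 's@quay.io/calico@192.168.220.84/third_party@g' canal.yaml
sed -i 's@quay.io/coreos@192.168.220.84/third_party@g' canal.yaml
grep 'image:' canal.yaml   # review the rewritten image paths before applying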
Wait for the deployment to finish, then check whether the current node is Ready:
[root@master1 ~]# kubectl get node
NAME STATUS ROLES AGE VERSION
master1 Ready master 31m v1.10.0
Use kubectl get pods --all-namespaces to check that every container is running; if a pod shows an error or crash, run kubectl describe pod <pod-name> -n kube-system to find the cause.
Run the initialization on master2 and master3
Using the same config.yaml that was used on master1, run kubeadm init --config config.yaml on the other two nodes; you will get the same result as on master1.
Configure the environment variables in the same way.
For a non-root user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
For root:
echo "export KUBECONFIG=/etc/kubernetes/admin.conf" >> ~/.bash_profile
Source the profile:
source ~/.bash_profile
[root@master1 ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master1 Ready master 1h v1.10.0
master2 Ready master 1h v1.10.0
master3 Ready master 1h v1.10.0
Check the containers running across all nodes:
kubectl get pods --all-namespaces -o wide
With that, a basic active/standby HA control plane is complete. To deploy the dashboard, see my previous article on the basic k8s cluster setup; note that if you use basic auth against the apiserver for the dashboard, the setting must be applied on every master to stay highly available.
Also, to use HPA on k8s 1.10 you need to add - --horizontal-pod-autoscaler-use-rest-clients=false to /etc/kubernetes/manifests/kube-controller-manager.yaml on every master, otherwise CPU utilization cannot be collected for autoscaling.
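For reference, a sketch of where that flag sits in the static pod manifest (only the relevant lines are shown; the surrounding fields are whatever your kube-controller-manager.yaml already contains, and the kubelet restarts the static pod automatically once the file is saved):
# /etc/kubernetes/manifests/kube-controller-manager.yaml (excerpt)
spec:
  containers:
  - command:
    - kube-controller-manager
    - --horizontal-pod-autoscaler-use-rest-clients=false   # the added flag
    # ...existing flags remain unchanged...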
The heapster monitoring add-on
You will need three files: heapster.yaml, influxdb.yaml, and grafana.yaml.
vim heapster.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: heapster
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: heapster
subjects:
- kind: ServiceAccount
  name: heapster
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: system:heapster
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: heapster
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: heapster
    spec:
      serviceAccountName: heapster
      containers:
      - name: heapster
        image: 192.168.220.84/third_party/heapster-amd64:v1.3.0 # my private registry; replace with your own image path
        imagePullPolicy: IfNotPresent
        command:
        - /heapster
        - --source=kubernetes:https://kubernetes.default
        - --sink=influxdb:http://monitoring-influxdb.kube-system.svc:8086
---
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: Heapster
  name: heapster
  namespace: kube-system
spec:
  ports:
  - port: 80
    targetPort: 8082
  selector:
    k8s-app: heapster
vim influxdb.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: monitoring-influxdb
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: influxdb
    spec:
      containers:
      - name: influxdb
        image: 192.168.220.84/third_party/heapster-influxdb-amd64:v1.1.1 # private registry; replace with your own image path
        volumeMounts:
        - mountPath: /data
          name: influxdb-storage
      volumes:
      - name: influxdb-storage
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    task: monitoring
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: monitoring-influxdb
  name: monitoring-influxdb
  namespace: kube-system
spec:
  ports:
  - port: 8086
    targetPort: 8086
  selector:
    k8s-app: influxdb
vim grafana.yaml
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: monitoring-grafana
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: grafana
    spec:
      containers:
      - name: grafana
        image: 192.168.220.84/third_party/heapster-grafana-amd64:v4.4.1 # private registry; replace with your own image path
        ports:
        - containerPort: 3000
          protocol: TCP
        volumeMounts:
        - mountPath: /var
          name: grafana-storage
        env:
        - name: INFLUXDB_HOST
          value: monitoring-influxdb
        - name: GF_SERVER_HTTP_PORT
          value: "3000"
        # The following env variables are required to make Grafana accessible via
        # the kubernetes api-server proxy. On production clusters, we recommend
        # removing these env variables, setup auth for grafana, and expose the grafana
        # service using a LoadBalancer or a public IP.
        - name: GF_AUTH_BASIC_ENABLED
          value: "false"
        - name: GF_AUTH_ANONYMOUS_ENABLED
          value: "true"
        - name: GF_AUTH_ANONYMOUS_ORG_ROLE
          value: Admin
        - name: GF_SERVER_ROOT_URL
          # If you're only using the API Server proxy, set this value instead:
          # value: /api/v1/proxy/namespaces/kube-system/services/monitoring-grafana/
          value: /
      volumes:
      - name: grafana-storage
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  labels:
    # For use as a Cluster add-on (https://github.com/kubernetes/kubernetes/tree/master/cluster/addons)
    # If you are NOT using this as an addon, you should comment out this line.
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: monitoring-grafana
  name: monitoring-grafana
  namespace: kube-system
spec:
  # In a production setup, we recommend accessing Grafana through an external Loadbalancer
  # or through a public IP.
  # type: LoadBalancer
  # You could also use NodePort to expose the service at a randomly-generated port
  type: NodePort
  ports:
  - port: 80
    targetPort: 3000
    nodePort: 31236
  selector:
    k8s-app: grafana
Run kubectl apply -f heapster.yaml -f influxdb.yaml -f grafana.yaml
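Once the three pods are running you can verify the pipeline; kubectl top is served by heapster, so it may take a minute or two of metric collection before it returns data:
kubectl -n kube-system get pods -l task=monitoring    # heapster, influxdb and grafana pods
kubectl top node                                      # node CPU/memory as reported by heapster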
What it looks like in the dashboard:
(Screenshots: heapster metrics shown in the dashboard and in Grafana)
Adding worker nodes
Install the software versions listed at the beginning of this article:
docker 17.03.2-ce
socat-1.7.3.2-2.el7.x86_64
kubelet-1.10.0-0.x86_64
kubernetes-cni-0.6.0-0.x86_64
kubectl-1.10.0-0.x86_64
kubeadm-1.10.0-0.x86_64
Environment configuration
systemctl stop firewalld
systemctl disable firewalld
Set the hostname on each node, then write /etc/hosts:
cat <<EOF > /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.1 master1
192.168.100.2 master2
192.168.100.3 master3
EOF
swapoff -a
sed -i 's/.*swap.*/#&/' /etc/fstab
setenforce 0
echo "* soft nofile 65536" >> /etc/security/limits.conf
echo "* hard nofile 65536" >> /etc/security/limits.conf
echo "* soft nproc 65536" >> /etc/security/limits.conf
echo "* hard nproc 65536" >> /etc/security/limits.conf
echo "* soft memlock unlimited" >> /etc/security/limits.conf
echo "* hard memlock unlimited" >> /etc/security/limits.conf
echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.bridge.bridge-nf-call-iptables=1
vim /etc/sysctl.conf
net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1
sysctl -p
Then run the join command that was printed on the master: kubeadm join 192.168.100.1:6443 --token hpobow.vw1g1ya5dre7sq06 --discovery-token-ca-cert-hash sha256:f79b68fb698c92b9336474eb3bf184e847fgerbc58a6296911892662b98b1315 and the node joins the cluster.
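To confirm the node joined, run this from any master (replace <new-node-hostname> with the hostname of the machine you just added):
kubectl get nodes                                                   # the new worker should appear and become Ready
kubectl -n kube-system get pods -o wide | grep <new-node-hostname>  # canal and kube-proxy pods scheduled on it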
Main references: