使用 kubeadm 在 GCP 部署 Kubernetes

Kubernetes

0. 介绍

最近在准备 CKA 考试,所以需要搭建一个 Kubernetes 集群来方便练习.GCP 平台新用户注册送 300 刀体验金,所以就想到用 kubeadm 在 GCP 弄个练练手,既方便又省钱.

这一套做下来,还是比较容易上手的,kubeadm 提供的是傻瓜式的安装体验,所以难度主要还是在科学上网和熟悉 GCP 的命令上,接下来就详细记述一下如何操作.

1. 准备

接下来的操作都假设已经设置好了科学上网,由于政策原因,具体做法请自行搜索;而且已经注册好了 GCP 账户,链接如下:GCP

1.1 gcloud 安装和配置

首先需要在本地电脑上安装 GCP 命令行客户端:gcloud,参考链接为:gcloud

因为众所周知的原因,gcloud 要能正常使用,要设置代理才可以,下面是设置 SOCKS5 代理的命令:

# gcloud config set proxy/type PROXY_TYPE
$ gcloud config set proxy/type socks5
# gcloud config set proxy/address PROXY_IP_ADDRESS
$ gcloud config set proxy/address 127.0.0.1
# gcloud config set proxy/port PROXY_PORT
$ gcloud config set proxy/address 1080

如果是第一次使用 GCP,需要先进行初始化.在初始化的过程中会有几次交互,使用默认选项即可.由于之前已经设置了代理,网络代理相关部分就可以跳过了.
注意:在选择 region(区域)时,建议选择 us-west2,原因是目前大部分 GCP 的 region,体验用户只能最多创建四个虚拟机实例,只有少数几个区域可以创建六个,其中就包括 us-west2,正常来讲,搭建 Kubernetes 需要三个 master,三个 worker,四个不太够用,当然如果只是试试的话,两个节点,一主一从,也够用了.

$ gcloud init 
Welcome! This command will take you through the configuration of gcloud.

Settings from your current configuration [profile-name] are:
core:
  disable_usage_reporting: 'True'

Pick configuration to use:
 [1] Re-initialize this configuration [profile-name] with new settings 
 [2] Create a new configuration
 [3] Switch to and re-initialize existing configuration: [default]
Please enter your numeric choice:  3

Your current configuration has been set to: [default]

You can skip diagnostics next time by using the following flag:
  gcloud init --skip-diagnostics

Network diagnostic detects and fixes local network connection issues.
Checking network connection...done.                                                                                                                                                                               
ERROR: Reachability Check failed.
    Cannot reach https://www.google.com (ServerNotFoundError)
    Cannot reach https://accounts.google.com (ServerNotFoundError)
    Cannot reach https://cloudresourcemanager.googleapis.com/v1beta1/projects (ServerNotFoundError)
    Cannot reach https://www.googleapis.com/auth/cloud-platform (ServerNotFoundError)
    Cannot reach https://dl.google.com/dl/cloudsdk/channels/rapid/components-2.json (ServerNotFoundError)
Network connection problems may be due to proxy or firewall settings.

Current effective Cloud SDK network proxy settings:
    type = socks5
    host = PROXY_IP_ADDRESS
    port = 1080
    username = None
    password = None

What would you like to do?
 [1] Change Cloud SDK network proxy properties
 [2] Clear all gcloud proxy properties
 [3] Exit
Please enter your numeric choice:  1

Select the proxy type:
 [1] HTTP
 [2] HTTP_NO_TUNNEL
 [3] SOCKS4
 [4] SOCKS5
Please enter your numeric choice:  4

Enter the proxy host address: 127.0.0.1

Enter the proxy port: 1080

Is your proxy authenticated (y/N)?  N

Cloud SDK proxy properties set.

Rechecking network connection...done.                                                                                                                                                                             
Reachability Check now passes.
Network diagnostic (1/1 checks) passed.

You must log in to continue. Would you like to log in (Y/n)?  y

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?redirect_uri=......


已在现有的浏览器会话中创建新的窗口。


Updates are available for some Cloud SDK components.  To install them,
please run:
  $ gcloud components update

You are logged in as: [<gmail account>].

Pick cloud project to use: 
 [1] <project-id>
 [2] Create a new project
Please enter numeric choice or text value (must exactly match list 
item):  1

Your current project has been set to: [<project-id>].

Your project default Compute Engine zone has been set to [us-west2-b].
You can change it by running [gcloud config set compute/zone NAME].

Your project default Compute Engine region has been set to [us-west2].
You can change it by running [gcloud config set compute/region NAME].

Created a default .boto configuration file at [/home/<username>/.boto]. See this file and
[https://cloud.google.com/storage/docs/gsutil/commands/config] for more
information about configuring Google Cloud Storage.
Your Google Cloud SDK is configured and ready to use!

* Commands that require authentication will use <gmail account> by default
* Commands will reference project `<project-id>` by default
* Compute Engine commands will use region `us-west2` by default
* Compute Engine commands will use zone `us-west2-b` by default

Run `gcloud help config` to learn how to change individual settings

This gcloud configuration is called [default]. You can create additional configurations if you work with multiple accounts and/or projects.
Run `gcloud topic configurations` to learn more.

Some things to try next:

* Run `gcloud --help` to see the Cloud Platform services you can interact with. And run `gcloud help COMMAND` to get help on any gcloud command.
* Run `gcloud topic -h` to learn about advanced features of the SDK like arg files and output formatting

1.2 GCP 资源创建

接下来创建 Kuernetes 所需的 GCP 资源.

第一步是创建网络和子网.

$ gcloud compute networks create cka --subnet-mode custom
$ gcloud compute networks subnets create kubernetes --network cka --range 10.240.0.0/24

接下来要创建防火墙规则,配置哪些端口是可以开放访问的.一共两条规则,一个外网,一个内网.
外网规则只需要开放 ssh, ping 和 kube-api 的访问就足够了:

$ gcloud compute firewall-rules create cka-external --allow tcp:22,tcp:6443,icmp --network cka --source-ranges 0.0.0.0/0

内网规则设置好 GCP 虚拟机网段和后面 pod 的网段可以互相访问即可,因为后面会使用 calico 作为网络插件,所以只开放 TCP, UDP 和 ICMP 是不够的,还需要开放 BGP,但 GCP 的防火墙规则中没哟 BGP 选项,所以放开全部协议的互通.

$ gcloud compute firewall-rules create cka-internal --network cka --allow=all --source-ranges 192.168.0.0/16,10.240.0.0/16

最后创建 GCP 虚拟机实例.

$ gcloud compute instances create controller-1 --async --boot-disk-size 200GB --can-ip-forward --image-family ubuntu-1804-lts --image-project ubuntu-os-cloud --machine-type n1-standard-1 --private-network-ip 10.240.0.11 --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring --subnet kubernetes --tags cka,controller
$ gcloud compute instances create worker-1 --async --boot-disk-size 200GB --can-ip-forward --image-family ubuntu-1804-lts --image-project ubuntu-os-cloud --machine-type n1-standard-1 --private-network-ip 10.240.0.21 --scopes compute-rw,storage-ro,service-management,service-control,logging-write,monitoring --subnet kubernetes --tags cka,worker

2. 主节点配置

使用 gcloud 登录 controller-1

$ gcloud compute ssh controller-1
WARNING: The public SSH key file for gcloud does not exist.
WARNING: The private SSH key file for gcloud does not exist.
WARNING: You do not have an SSH key for gcloud.
WARNING: SSH keygen will be executed to generate a key.
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/<username>/.ssh/google_compute_engine.
Your public key has been saved in /home/<username>/.ssh/google_compute_engine.pub.
The key fingerprint is:
SHA256:jpaZtzz42t7FjB1JV06GeVHhXVi12LF/a+lfl7TK2pw <username>@<username>
The key's randomart image is:
+---[RSA 2048]----+
|               O&|
|              B=B|
|            ...*o|
|           . o  .|
|        S   o  .o|
|       *   = .. *|
|      *.o . =  *o|
|     ..+.o .+ = o|
|      .+*....E .o|
+----[SHA256]-----+
Updating project ssh metadata...⠧Updated [https://www.googleapis.com/compute/v1/projects/<project-id>].                                                                                                  
Updating project ssh metadata...done.                                                                                                                                                                             
Waiting for SSH key to propagate.
Warning: Permanently added 'compute.2329485573714771968' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.1 LTS (GNU/Linux 4.15.0-1025-gcp x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Dec  5 03:05:31 UTC 2018

  System load:  0.0               Processes:           87
  Usage of /:   1.2% of 96.75GB   Users logged in:     0
  Memory usage: 5%                IP address for ens4: 10.240.0.11
  Swap usage:   0%


  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


$ ssh -l<user-name> -i .ssh/google_compute_engine.pub 35.236.126.174

安装 kubeadm, docker, kubelet, kubectl.

$ sudo apt update
$ sudo apt upgrade -y
$ sudo apt-get install -y docker.io
$ sudo vim /etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
$ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo  apt-key add -
OK
$ sudo apt update
$ sudo apt-get install -y \
kubeadm=1.12.2-00 kubelet=1.12.2-00 kubectl=1.12.2-00

kubeadm 初始化

$ sudo kubeadm init --pod-network-cidr 192.168.0.0/16

配置 calico 网络插件

$ wget https://tinyurl.com/yb4xturm \
-O rbac-kdd.yaml
$ wget https://tinyurl.com/y8lvqc9g \
-O calico.yaml
$ kubectl apply -f rbac-kdd.yaml
$ kubectl apply -f calico.yaml

配置 kubectl 的 bash 自动补全.

$ source <(kubectl completion bash)
$ echo "source <(kubectl completion bash)" >> ~/.bashrc

3. 从节点配置

这里偷懒了一下,从节点安装的包和主节点一模一样,大家可以根据需求,去掉一些不必要的包.

$ sudo apt-get update && sudo apt-get upgrade -y
$ apt-get install -y docker.io
$ sudo vim /etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
$ curl -s \
https://packages.cloud.google.com/apt/doc/apt-key.gpg \
| sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install -y \
kubeadm=1.12.2-00 kubelet=1.12.2-00 kubectl=1.12.2-00

如果此时 kubeadm init 命令中的 join 命令找不到了,或者 bootstrap token 过期了,该怎么办呢,下面就是解决方法.

$ sudo kubeadm token list
TOKEN TTL EXPIRES USAGES DESCRIPTION
27eee4.6e66ff60318da929 23h 2017-11-03T13:27:33Z
authentication,signing The default bootstrap token generated
by ’kubeadm init’....

$ sudo kubeadm token create
27eee4.6e66ff60318da929

$ openssl x509 -pubkey \
-in /etc/kubernetes/pki/ca.crt | openssl rsa \
-pubin -outform der 2>/dev/null | openssl dgst \
-sha256 -hex | sed ’s/^.* //’
6d541678b05652e1fa5d43908e75e67376e994c3483d6683f2a18673e5d2a1b0

最后执行 kubeadm join 命令.

$ sudo kubeadm join \
--token 27eee4.6e66ff60318da929 \
10.128.0.3:6443 \
--discovery-token-ca-cert-hash \
sha256:6d541678b05652e1fa5d43908e75e67376e994c3483d6683f2a18673e5d2a1b0

4. 参考文档

最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 151,511评论 1 330
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 64,495评论 1 273
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 101,595评论 0 225
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 42,558评论 0 190
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 50,715评论 3 270
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 39,672评论 1 192
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 31,112评论 2 291
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 29,837评论 0 181
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 33,417评论 0 228
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 29,928评论 2 232
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 31,316评论 1 242
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 27,773评论 2 234
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 32,253评论 3 220
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 25,827评论 0 8
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 26,440评论 0 180
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 34,523评论 2 249
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 34,583评论 2 249

推荐阅读更多精彩内容