Chapter 1: Installing Kubernetes

Version v1.21.10

1.1 Host plan

Role    IP address      hostname    OS                                  Spec
Master  192.168.65.100  k8s-master  CentOS 7.9 (Infrastructure Server)  2 CPU cores, 4 GB RAM, 40 GB disk
Node1   192.168.65.101  k8s-node1   CentOS 7.9 (Infrastructure Server)  2 CPU cores, 4 GB RAM, 40 GB disk
Node2   192.168.65.102  k8s-node2   CentOS 7.9 (Infrastructure Server)  2 CPU cores, 4 GB RAM, 40 GB disk
Node3   192.168.65.103  k8s-node3   CentOS 7.9 (Infrastructure Server)  2 CPU cores, 4 GB RAM, 40 GB disk

1.2 Installing Kubernetes

  • Omitted (I used the kubeadm installation method).

Chapter 2: Installing metrics-server

2.1 Overview

  • metrics-server is the basic metrics monitoring component of the k8s platform.

2.2 Installation

  • Commands:
vi k8s-metrics.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: system:aggregated-metrics-reader
rules:
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    k8s-app: metrics-server
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    k8s-app: metrics-server
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  strategy:
    rollingUpdate:
      maxUnavailable: 0
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - args:
        - --cert-dir=/tmp
        - --secure-port=4443
        - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
        - --kubelet-use-node-status-port
        - --metric-resolution=15s
        - --kubelet-insecure-tls # use the insecure protocol (kubelet serving certificate is not verified)
        image: bitnami/metrics-server:0.6.1 # k8s.gcr.io/metrics-server/metrics-server:v0.6.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /livez
            port: https
            scheme: HTTPS
          periodSeconds: 10
        name: metrics-server
        ports:
        - containerPort: 4443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readyz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 20
          periodSeconds: 10
        resources:
          requests:
            cpu: 100m
            memory: 200Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - mountPath: /tmp
          name: tmp-dir
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-cluster-critical
      serviceAccountName: metrics-server
      volumes:
      - emptyDir: {}
        name: tmp-dir
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  labels:
    k8s-app: metrics-server
  name: v1beta1.metrics.k8s.io
spec:
  group: metrics.k8s.io
  groupPriorityMinimum: 100
  insecureSkipTLSVerify: true
  service:
    name: metrics-server
    namespace: kube-system
  version: v1beta1
  versionPriority: 100
kubectl apply -f k8s-metrics.yaml


Chapter 3: Installing ingress-nginx

3.1 Overview

  • ingress-nginx is the layer-7 load balancing component of the k8s platform.

Note:

  • A node that runs ingress will automatically open ports 80 and 443 on that node; make sure those ports on the machine are not already in use.
  • By default ingress-nginx has no maximum CPU or memory quota on each node; the resources.limits fields can be adjusted to suit the company's architecture requirements.

3.2 Installation

  • Label the cluster nodes that should expose ingress-nginx with node-role=ingress, e.g.:
kubectl label node k8s-node1 node-role=ingress
kubectl label node k8s-node2 node-role=ingress
kubectl label node k8s-node3 node-role=ingress


  • Install ingress-nginx:
vi k8s-ingress.yaml
# GENERATED FOR K8S 1.20
apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
  namespace: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - nodes
  - pods
  - secrets
  - namespaces
  verbs:
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingressclasses
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
rules:
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
- kind: ServiceAccount
  name: ingress-nginx
  namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
  name: ingress-nginx-admission
  namespace: ingress-nginx
---
apiVersion: v1
data:
  allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller
  namespace: ingress-nginx
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP # NodePort
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  ports:
  - appProtocol: https
    name: https-webhook
    port: 443
    targetPort: webhook
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
  type: ClusterIP
---
apiVersion: apps/v1
kind: DaemonSet # Deployment
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  minReadySeconds: 0
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: controller
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/name: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/component: controller
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/name: ingress-nginx
    spec:
      dnsPolicy: ClusterFirstWithHostNet # DNS policy adjusted for host networking; it was ClusterFirst originally
      hostNetwork: true # let nginx bind ports 80 and 443 on the node directly, i.e. use the host network
      containers:
      - args:
        - /nginx-ingress-controller
        - --election-id=ingress-controller-leader
        - --controller-class=k8s.io/ingress-nginx
        - --ingress-class=nginx
        - --report-node-internal-ip-address=true
        - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LD_PRELOAD
          value: /usr/local/lib/libmimalloc.so
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller:v1.1.2 # replaces k8s.gcr.io/ingress-nginx/controller:v1.1.2@sha256:28b11ce69e57843de44e3db6413e98d09de0f6688e33d4bd384002a44f78405c
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
            exec:
              command:
              - /wait-shutdown
        livenessProbe:
          failureThreshold: 5
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 8443
          name: webhook
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: # resource limits
          requests:
            cpu: 100m
            memory: 90Mi
          limits:
            cpu: 500m
            memory: 500Mi
        securityContext:
          allowPrivilegeEscalation: true
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 101
        volumeMounts:
        - mountPath: /usr/local/certificates/
          name: webhook-cert
          readOnly: true
      nodeSelector:
        node-role: ingress # from now on, putting this label on a node is enough to deploy ingress-nginx onto it
        # kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
      - name: webhook-cert
        secret:
          secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission-create
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.1.2
        helm.sh/chart: ingress-nginx-4.0.18
      name: ingress-nginx-admission-create
    spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1 # k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission-patch
  namespace: ingress-nginx
spec:
  template:
    metadata:
      labels:
        app.kubernetes.io/component: admission-webhook
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
        app.kubernetes.io/version: 1.1.2
        helm.sh/chart: ingress-nginx-4.0.18
      name: ingress-nginx-admission-patch
    spec:
      containers:
      - args:
        - patch
        - --webhook-name=ingress-nginx-admission
        - --namespace=$(POD_NAMESPACE)
        - --patch-mutating=false
        - --secret-name=ingress-nginx-admission
        - --patch-failure-policy=Fail
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.cn-hangzhou.aliyuncs.com/google_containers/kube-webhook-certgen:v1.1.1 # k8s.gcr.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
        imagePullPolicy: IfNotPresent
        name: patch
        securityContext:
          allowPrivilegeEscalation: false
      nodeSelector:
        kubernetes.io/os: linux
      restartPolicy: OnFailure
      securityContext:
        fsGroup: 2000
        runAsNonRoot: true
        runAsUser: 2000
      serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: nginx
spec:
  controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/component: admission-webhook
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.2
    helm.sh/chart: ingress-nginx-4.0.18
  name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
  - v1
  clientConfig:
    service:
      name: ingress-nginx-controller-admission
      namespace: ingress-nginx
      path: /networking/v1/ingresses
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: validate.nginx.ingress.kubernetes.io
  rules:
  - apiGroups:
    - networking.k8s.io
    apiVersions:
    - v1
    operations:
    - CREATE
    - UPDATE
    resources:
    - ingresses
  sideEffects: None
kubectl apply -f k8s-ingress.yaml
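Both manifests above trade some security for convenience: metrics-server runs with --kubelet-insecure-tls and its APIService sets insecureSkipTLSVerify, while the ingress-nginx DaemonSet uses hostNetwork, allowPrivilegeEscalation: true and a ConfigMap with allow-snippet-annotations: "true". The audit below is an added example, not part of the original notes or of either project; the object excerpts are constructed from the manifests on this page (trimmed to the fields inspected), and the finding codes and function names are my own.

```python
from typing import Any, Dict, List

# Constructed excerpts of the objects in the two manifests above, trimmed to the
# fields the audit inspects. In practice pass it the output of yaml.safe_load_all().
METRICS_SERVER_DEPLOYMENT: Dict[str, Any] = {
    "kind": "Deployment", "metadata": {"name": "metrics-server"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "metrics-server",
        "args": ["--cert-dir=/tmp", "--secure-port=4443", "--kubelet-insecure-tls"],
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True, "runAsUser": 1000}}]}}},
}
METRICS_APISERVICE: Dict[str, Any] = {
    "kind": "APIService", "metadata": {"name": "v1beta1.metrics.k8s.io"},
    "spec": {"group": "metrics.k8s.io", "insecureSkipTLSVerify": True},
}
INGRESS_DAEMONSET: Dict[str, Any] = {
    "kind": "DaemonSet", "metadata": {"name": "ingress-nginx-controller"},
    "spec": {"template": {"spec": {"hostNetwork": True, "containers": [{
        "name": "controller",
        "args": ["/nginx-ingress-controller", "--validating-webhook=:8443"],
        "securityContext": {"allowPrivilegeEscalation": True,
                            "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
                            "runAsUser": 101}}]}}},
}
INGRESS_CONFIGMAP: Dict[str, Any] = {
    "kind": "ConfigMap", "metadata": {"name": "ingress-nginx-controller"},
    "data": {"allow-snippet-annotations": "true"},
}

# Finding codes (my own naming) and what each one means for the cluster operator.
EXPLANATIONS = {
    "KUBELET_INSECURE_TLS": "metrics-server does not verify kubelet serving certificates",
    "APISERVICE_SKIP_TLS": "kube-apiserver does not verify the metrics-server certificate",
    "SNIPPET_ANNOTATIONS": "Ingress authors may inject raw nginx configuration",
    "HOST_NETWORK": "pod shares the node's network namespace",
    "PRIV_ESCALATION": "allowPrivilegeEscalation is not false",
    "WRITABLE_ROOTFS": "readOnlyRootFilesystem is not true",
    "ROOT_NOT_FORBIDDEN": "runAsNonRoot is unset, so a root image is not rejected",
    "CAPS_NOT_DROPPED": "capabilities.drop does not contain ALL",
}

def audit(doc: Dict[str, Any]) -> List[str]:
    """Return the finding codes that apply to one Kubernetes object."""
    kind = doc.get("kind")
    spec = doc.get("spec", {})
    found: List[str] = []
    if kind == "APIService" and spec.get("insecureSkipTLSVerify"):
        found.append("APISERVICE_SKIP_TLS")
    if kind == "ConfigMap" and doc.get("data", {}).get("allow-snippet-annotations") == "true":
        found.append("SNIPPET_ANNOTATIONS")
    pod = spec.get("template", {}).get("spec")
    if not pod:  # not a workload (ServiceAccount, Role, Service, ...)
        return found
    if pod.get("hostNetwork"):
        found.append("HOST_NETWORK")
    for c in pod.get("containers", []):
        sc = c.get("securityContext", {})
        if "--kubelet-insecure-tls" in c.get("args", []):
            found.append("KUBELET_INSECURE_TLS")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append("PRIV_ESCALATION")
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append("WRITABLE_ROOTFS")
        # runAsNonRoot may be set at pod level instead (the certgen Jobs above do that)
        if not (sc.get("runAsNonRoot") or pod.get("securityContext", {}).get("runAsNonRoot")):
            found.append("ROOT_NOT_FORBIDDEN")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append("CAPS_NOT_DROPPED")
    return found

def report(docs: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map 'Kind/name' to its finding codes, omitting objects with none."""
    return {f"{d['kind']}/{d['metadata']['name']}": codes
            for d in docs if (codes := audit(d))}
```

Run report() over all documents of a manifest and decide per finding whether it is acceptable for the environment (a lab cluster may accept the kubelet TLS shortcuts; a shared cluster usually should not).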


Chapter 4: Installing Helm

4.1 Overview

  • Helm is the package manager for Kubernetes, much like the package managers on Linux such as yum and apt; it makes it easy to deploy previously packaged YAML files to Kubernetes.

4.2 Installation

  • Download (if the network is unreliable, use the attached archive instead):
wget https://get.helm.sh/helm-v3.6.3-linux-amd64.tar.gz


  • Extract:
tar -zxvf helm-v3.6.3-linux-amd64.tar.gz


  • Move it to the target directory:
mv linux-amd64/helm /usr/local/bin/helm


  • Shell completion:
helm completion bash | sudo tee /etc/bash_completion.d/helm > /dev/null
source /usr/share/bash-completion/bash_completion
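A supply-chain check worth inserting between the download and the move into /usr/local/bin: compare the archive against the .sha256sum file Helm publishes next to each release tarball (here helm-v3.6.3-linux-amd64.tar.gz.sha256sum), and refuse to install on a mismatch. This is an added example, not part of the original notes; it assumes both files were fetched into the same directory, and demo() exercises the check on a constructed stand-in file rather than a real release.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 (release archives are tens of MB)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_sha256sum(tarball: str, sumfile: str) -> bool:
    """Check the tarball against the '<hex>  <filename>' line of a sha256sum file.

    The filename recorded in the checksum file must match the tarball's basename,
    so a checksum file for a different release cannot be used by mistake."""
    with open(sumfile, "r", encoding="utf-8") as f:
        fields = f.readline().split()
    if len(fields) != 2:
        return False
    expected, name = fields[0].lower(), fields[1].lstrip("*")
    if name != os.path.basename(tarball):
        return False
    return hmac.compare_digest(expected, sha256_of_file(tarball))

def demo() -> tuple:
    """Exercise the check on a constructed stand-in archive (not a real Helm release)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "helm-v3.6.3-linux-amd64.tar.gz")
        sumfile = tarball + ".sha256sum"
        with open(tarball, "wb") as f:
            f.write(b"constructed stand-in for the release archive\n")
        digest = sha256_of_file(tarball)
        with open(sumfile, "w", encoding="utf-8") as f:
            f.write(f"{digest}  helm-v3.6.3-linux-amd64.tar.gz\n")
        other = os.path.join(d, "other.sha256sum")  # same digest, wrong release name
        with open(other, "w", encoding="utf-8") as f:
            f.write(f"{digest}  helm-v3.6.2-linux-amd64.tar.gz\n")
        intact = verify_sha256sum(tarball, sumfile)
        wrong_name = verify_sha256sum(tarball, other)
        with open(tarball, "ab") as f:  # simulate a modified download
            f.write(b"x")
        tampered = verify_sha256sum(tarball, sumfile)
    return intact, wrong_name, tampered
```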
