iT邦幫忙

2019 iT邦幫忙 Ironman Contest

DAY 16
Kubernetes

Series: Building an on-premises DevOps environment for Angular + ASP.NET Core, part 16

day16_k8s02_Building a k8s cluster with kubeadm

With limited time, I tried several of the ways to build k8s that can be found online (articles, projects, course videos).
Two of them finally worked.
Even so, minikube's set of components is the most complete.

The key point first:

Today I used this project, which makes building a k8s cluster very simple:
https://github.com/wardviaene/on-prem-or-cloud-agnostic-kubernetes
What follows is just my personal notes.

This article looks very impressive and is very recent, but I have not tried it yet.

I own three Kubernetes courses on Udemy; none of them seems to be free.
(I bought them several months ago and never watched them.)
Thanks to the Ironman contest for giving me a reason to watch them.

Taking part in the Ironman contest really does push you to learn.

  • Learn DevOps: The Complete Kubernetes Course (the only one that covers kubeadm; the hands-on part is just 15 minutes)
    Docker, AWS, minikube, kubeadm
    The instructor Edward Viaene's GitHub:
    https://github.com/wardviaene?tab=repositories
    k8s-related projects (each has its course URL):

https://github.com/wardviaene/advanced-kubernetes-course
https://github.com/wardviaene/kubernetes-course
https://github.com/wardviaene/on-prem-or-cloud-agnostic-kubernetes

  • Docker and Kubernetes: The Complete Guide
    Docker (more than half of the course), AWS, minikube
  • Kubernetes Course from a DevOps guru (Kubernetes + Docker...
    Docker, minikube, AWS

None of them happens to cover GCP.

Overview of the kubeadm tool

  • Supports Ubuntu, Debian (macOS, Raspberry Pi), Red Hat, CentOS
  • Supports bootstrap tokens
    used to build the cluster or to join nodes
    a token looks like this: abcdef.0123456789abcdef
  • Supports upgrading/downgrading clusters
  • Ships no networking solution
    you install a Container Network Interface (CNI) plugin yourself
    and apply it with a kubectl command
  • The network between nodes can be either
    a private network, or
    public routable internet IP addresses (with the firewall configured properly)

https://docs.projectcalico.org/v3.1/getting-started/kubernetes/

Firewall rules:
Inbound rules (outside >> firewall >> inside):
  SSH      TCP  port 22    from the administrator's IP
  All TCP  TCP  all ports  from kubernetes-cluster (all ports open between cluster members)
  All UDP  UDP  all ports  from kubernetes-cluster

Outbound rules (outside << firewall << inside):
  ICMP
  TCP and UDP, all ports open

For firewall basics, see:
http://www.tsnien.idv.tw/Security_WebBook/第十章%20防火牆.html
To keep the lab simple, just turn the firewall off.

Hostnames:

kubernetes-master 192.168.240.144

$ sudo su # shortcut: work as root
$ sudo swapoff -a # disable swap for now (it comes back after a reboot)
$ sudo sed -i '/ swap / s/^/#/' /etc/fstab # comment out the swap line in fstab, then reboot
$ git clone https://github.com/wardviaene/on-prem-or-cloud-agnostic-kubernetes.git

In short: create two VMs, clone the project, and run the scripts on each.

  • master node
    install-kubernetes.sh
    create-user.sh
  • worker node
    install-node.sh
    create-user.sh
$ git clone https://github.com/wardviaene/on-prem-or-cloud-agnostic-kubernetes
$ cat on-prem-or-cloud-agnostic-kubernetes/scripts/install-kubernetes.sh
#!/bin/bash
echo "installing docker"
apt-get update
apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository \
   "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
# install docker
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

echo "installing kubernetes"
apt-get update && apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
# install the three key k8s tools
apt-get install -y kubelet kubeadm kubectl

# two CNIs to choose from
# DigitalOcean without firewall (IP-in-IP allowed) - or any other cloud / on-prem that supports IP-in-IP traffic
# echo "deploying kubernetes (with calico)..."
# kubeadm init --pod-network-cidr=192.168.0.0/16 # add --apiserver-advertise-address="ip" if you want to use a different IP address than the main server IP
# export KUBECONFIG=/etc/kubernetes/admin.conf
# kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
# kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

# DigitalOcean with firewall (VxLAN with Flannel) - could be resolved in the future by allowing IP-in-IP in the firewall settings
echo "deploying kubernetes (with canal)..."
kubeadm init --pod-network-cidr=10.244.0.0/16 # add --apiserver-advertise-address="ip" if you want to use a different IP address than the main server IP

$ vim ~/.bash_profile
# add this line
export KUBECONFIG=/etc/kubernetes/admin.conf
$ source ~/.bash_profile
# otherwise you get
The connection to the server localhost:8080 was refused - did you specify the right host or port?
This seems to be because…
1. kubectl has not yet been told which k8s cluster to connect to
2. the API is not configured yet

# Calico roles and Flannel roles
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/rbac.yaml
# calico-cni-plugin
kubectl apply -f https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/hosted/canal/canal.yaml

# This prints the join "password" that has to be entered on the node
kubeadm join 206.189.117.170:6443 --token diss1m.ym38vsquphhzbiv9 \
  --discovery-token-ca-cert-hash sha256:12341as13sxc....23wsv

kubernetes-node-01 192.168.240.145

The IP is arbitrary; use whatever your VM's IP is.

$ ./scripts/install-node.sh
#!/bin/bash
echo "installing docker"
apt-get update
apt-get install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository \
   "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") \
   $(lsb_release -cs) \
   stable"
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')

echo "installing kubeadm and kubectl"
apt-get update && apt-get install -y apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl

Join the cluster

$ kubeadm join 192.168.240.144:6443 --token z7nuf4.wy7yntvera1f2n2l --discovery-token-ca-cert-hash sha256:36b0aeceff2a6db45425e0f16b784db91535826ff0c82d7d7446991b2ad85f66
# verify
$ kubectl get nodes 
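The join line kubeadm prints (shown above and again in Appendix 1) carries two values a worker should not accept blindly: the bootstrap token, whose format the kubeadm overview above describes, and the CA public-key hash that lets the worker confirm it is talking to the API server of the intended cluster. The script below is an added example, not part of the original post or the wardviaene project: it checks a join command against a CA certificate before the command is run on a worker. It assumes openssl is installed and takes the CA path as a parameter (on a control plane that is /etc/kubernetes/pki/ca.crt); the helper names are mine, and make_test_ca generates a throwaway CA so the check can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the original post or the wardviaene project:
# sanity-check a "kubeadm join ..." line before pasting it on a worker node.
# kubeadm's --discovery-token-ca-cert-hash is SHA-256 over the DER-encoded
# public key of the cluster CA, so the worker can recompute it from the CA
# certificate it trusts (/etc/kubernetes/pki/ca.crt on the control plane;
# here the path is a parameter). Requires openssl.
set -eu

# A bootstrap token is 6 + 16 lowercase alphanumerics, e.g. abcdef.0123456789abcdef
validate_token() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Same computation kubeadm uses for the discovery hash (without the "sha256:" prefix)
ca_pubkey_hash() {
  openssl x509 -pubkey -noout -in "$1" \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -hex \
    | sed 's/^.* //'
}

# Value following "--<flag>" in a space-separated command line ($1 = line, $2 = flag name)
flag_value() {
  printf '%s\n' "$1" | awk -v f="--$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# Returns 0 when the token is well formed and the hash matches the CA in $2, 1 otherwise
verify_join_command() {
  cmd=$1
  ca=$2
  token=$(flag_value "$cmd" token)
  hash=$(flag_value "$cmd" discovery-token-ca-cert-hash)
  if ! validate_token "$token"; then
    echo "token '$token' is not a kubeadm bootstrap token" >&2
    return 1
  fi
  expected="sha256:$(ca_pubkey_hash "$ca")"
  if [ "$hash" != "$expected" ]; then
    echo "CA hash mismatch: command has '$hash', $ca gives '$expected'" >&2
    return 1
  fi
  echo "join command is consistent with $ca"
}

# Throwaway CA for trying this out offline (constructed here, not a real cluster CA);
# prints the path of the generated certificate.
make_test_ca() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=kubernetes \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  printf '%s\n' "$dir/ca.crt"
}

# Usage on a real node:
#   verify_join_command "$(cat join-command.txt)" /etc/kubernetes/pki/ca.crt
```

A mismatch means the line was copied wrong or was generated for a different cluster. kubeadm join would refuse the mismatched hash on its own, but checking first keeps a worker from being left half-configured, and the same ca_pubkey_hash output is what you compare when a join line arrives from someone else.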

Reference:
https://docs.projectcalico.org/v3.1/getting-started/kubernetes/installation/calico
- Calico provides secure network connectivity for containers and virtual machine workloads.
- Calico creates and manages a flat layer 3 network, assigning each workload a fully routable IP address. Workloads can communicate without IP encapsulation or network address translation, for bare-metal performance, easier troubleshooting and better interoperability. In environments that require an overlay, Calico uses IP-in-IP tunneling or can work with other overlay networking such as flannel.
- Calico also provides dynamic enforcement of network security rules. Using Calico's simple policy language, you get fine-grained control over communication between containers, virtual machine workloads and bare-metal host endpoints.

After the node has joined successfully

Run this on both kubernetes-master and kubernetes-node-01:
create-user.sh

#!/bin/bash
groupadd ubuntu
useradd -g ubuntu -G admin -s /bin/bash -d /home/ubuntu ubuntu
mkdir -p /home/ubuntu
cp -r /root/.ssh /home/ubuntu/.ssh
chown -R ubuntu:ubuntu /home/ubuntu
echo "ubuntu ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers

# create .kube/config
mkdir -p ~ubuntu/.kube
cp -i /etc/kubernetes/admin.conf ~ubuntu/.kube/config # copy the config into the ubuntu account's home
chown ubuntu:ubuntu ~ubuntu/.kube/config
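Two things in these notes revolve around the kubeconfig: the localhost:8080 refusal above, which appears when KUBECONFIG is unset and no ~/.kube/config exists, and the copy of admin.conf that create-user.sh places in ~ubuntu/.kube/config. The following script is an added example, not from the post or the wardviaene scripts: it resolves the file kubectl will use the same way kubectl does (KUBECONFIG first, then ~/.kube/config), checks that the file names a real server, and checks that it is readable only by its owner, since admin.conf is the cluster-admin credential. Paths are parameters and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original post or the wardviaene scripts):
# find the kubeconfig kubectl will actually use, explain the
# "connection to the server localhost:8080 was refused" case, and make sure
# the admin.conf copy create-user.sh leaves in ~ubuntu/.kube/config is
# owner-readable only. HOME and KUBECONFIG are read from the environment,
# exactly as kubectl reads them; file paths are parameters.
set -eu

# Path kubectl uses: first entry of $KUBECONFIG if set, otherwise ~/.kube/config
resolve_kubeconfig() {
  if [ -n "${KUBECONFIG:-}" ]; then
    printf '%s\n' "${KUBECONFIG%%:*}"
  else
    printf '%s\n' "${HOME}/.kube/config"
  fi
}

# Octal permission bits of a file (GNU stat, with a BSD fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when the kubeconfig exists, points at a real API server and is
# readable only by its owner; otherwise prints the problem and returns 1.
check_kubeconfig() {
  cfg=$1
  if [ ! -f "$cfg" ]; then
    echo "no kubeconfig at $cfg: kubectl falls back to localhost:8080" >&2
    return 1
  fi
  # first "server:" entry in the clusters section
  server=$(sed -n 's/^[[:space:]]*server:[[:space:]]*//p' "$cfg" | head -n 1)
  case "$server" in
    ""|*localhost:8080*)
      echo "kubeconfig $cfg has no usable server entry" >&2
      return 1 ;;
  esac
  mode=$(file_mode "$cfg")
  if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
    echo "kubeconfig $cfg is mode $mode; it holds cluster-admin credentials, expected 600" >&2
    return 1
  fi
  echo "kubeconfig $cfg -> $server (mode $mode)"
}

# The fix-up create-user.sh leaves to cp and the umask: owner-only permissions on the copy
harden_kubeconfig() {
  chmod 600 "$1"
}

# Usage on a node:
#   check_kubeconfig "$(resolve_kubeconfig)" || harden_kubeconfig "$(resolve_kubeconfig)"
```

Running check_kubeconfig as the ubuntu user right after create-user.sh shows at once whether that account will hit the localhost:8080 error, and a mode other than 600 on the copy is worth fixing before anyone else gets an account on the master.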

$ ssh 192.168.240.144 -l root -i ~/.ssh/xxx.pem

Once the account exists you can switch to the ubuntu user.

$ ssh 192.168.240.144 -l ubuntu -i ~/.ssh/xxx.pem

Try it out on the master

$ kubectl run helloworld --image=k8s.gcr.io/echoserver:lts --port=8080
$ kubectl get pods
# create a service
$ kubectl expose deployment helloworld --type=NodePort 
$ kubectl get svc

Test from outside the cluster

$ curl 192.168.240.144:31117 # assuming the NodePort exposed for the pod on node-01 is 31117
$ curl 192.168.240.144:31117/directory

=======

Appendix 1: kubeadm init

root@k8s-m1:/etc/kubernetes/manifests# kubeadm init --pod-network-cidr=10.244.0.0/16

[init] using Kubernetes version: v1.12.1
...

Your Kubernetes master has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
 mkdir -p $HOME/.kube
 sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
 sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
 https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:
# This line is important; keep it
$ kubeadm join 192.168.240.144:6443 --token z7nuf4.wy7yntvera1f2n2l --discovery-token-ca-cert-hash sha256:36b0aeceff2a6db45425e0f16b784db91535826ff0c82d7d7446991b2ad85f66

Closing remarks

"Today" was probably the episode with the greatest sense of achievement.
"Tomorrow" I will introduce Kyle Bai's project kube-ansible.
"The day after" I will move on to more theoretical Kubernetes study notes (high-level stuff).

I originally tried to understand the kube-ansible roles, but much of it was beyond me.
I am currently learning Ansible and writing notes as I go.
"The last few days" will cover commonly used modules and roles.

A bit of chit-chat:
"Yesterday" I googled gitlab+kubernetes
https://about.gitlab.com/solutions/kubernetes/
It is for GKE
https://docs.gitlab.com/ee/topics/autodevops/

So I wondered whether an on-premises GitLab could deploy automatically to minikube (CI/CD)
https://docs.gitlab.com/ee/topics/autodevops/
https://about.gitlab.com/pricing/gitlab-com/feature-comparison/

But I got stuck here too:
1. Licensing: many features seem to require payment, some even at the Silver or Gold tier
2. Googling "gitlab devops minikube" turns up very little, only a few people trying it and unanswered questions from attempts that did not succeed

If you have definite information, feel free to leave a comment.

