Kubernetes kubectl autoscale command explained

kubectl autoscale

Use an autoscaler to automatically set the number of pods running in a Kubernetes cluster (horizontal autoscaling).

Specify a Deployment, ReplicaSet or ReplicationController and create an autoscaler for that already-defined resource. The autoscaler automatically increases or decreases the number of pods deployed in the system as needed.

Syntax

$ autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags]

Examples

Autoscale Deployment "foo", keeping the number of pods between 2 and 10; the target CPU utilization follows the default autoscaling policy.

kubectl autoscale deployment foo --min=2 --max=10

Autoscale ReplicationController "foo", keeping the number of pods between 1 and 5 and the target CPU utilization at 80%.

kubectl autoscale rc foo --max=5 --cpu-percent=80

Flags

--allow-missing-template-keys (default: true): If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
--cpu-percent (default: -1): The target average CPU utilization (represented as a percent of requested CPU) over all the pods. If it's not specified or negative, a default autoscaling policy will be used.
--dry-run (default: false): If true, only print the object that would be sent, without sending it.
--filename, -f (default: []): Filename, directory, or URL to files identifying the resource to autoscale.
--generator (default: horizontalpodautoscaler/v1): The name of the API generator to use. Currently there is only 1 generator.
--include-extended-apis (default: true): If true, include definitions of new APIs via calls to the API server.
--max (default: -1): The upper limit for the number of pods that can be set by the autoscaler. Required.
--min (default: -1): The lower limit for the number of pods that can be set by the autoscaler. If it's not specified or negative, the server will apply a default value.
--name: The name for the newly created object. If not specified, the name of the input resource will be used.
--no-headers (default: false): When using the default or custom-column output format, don't print headers (default print headers).
--output, -o: Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath].
--output-version: DEPRECATED: To use a specific API version, fully-qualify the resource, version, and group (for example: 'jobs.v1.batch/myjob').
--record (default: false): Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
--recursive, -R (default: false): Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
--save-config (default: false): If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--show-all, -a (default: false): When printing, show all resources (default hide terminated pods).
--show-labels (default: false): When printing, show all labels as the last column (default hide labels column).
--sort-by: If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--template: Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

 

K8S Chinese Community WeChat official account

Kubernetes kubectl annotate command explained

kubectl annotate

Update the annotations on one or more resources.

  • Annotations are key/value pairs.
  • Annotations are meant to store auxiliary data, especially data used by tools and system extensions; more details are here.
  • If --overwrite is true, existing annotations may be overwritten; otherwise an attempt to overwrite an annotation fails with an error.
  • If --resource-version is set, the update uses that resource version; otherwise the existing resource version is used.

Valid resource types include:

  • all
  • certificatesigningrequests (aka 'csr')
  • clusterrolebindings
  • clusterroles
  • clusters (valid only for federation apiservers)
  • componentstatuses (aka 'cs')
  • configmaps (aka 'cm')
  • controllerrevisions
  • cronjobs
  • daemonsets (aka 'ds')
  • deployments (aka 'deploy')
  • endpoints (aka 'ep')
  • events (aka 'ev')
  • horizontalpodautoscalers (aka 'hpa')
  • ingresses (aka 'ing')
  • jobs
  • limitranges (aka 'limits')
  • namespaces (aka 'ns')
  • networkpolicies (aka 'netpol')
  • nodes (aka 'no')
  • persistentvolumeclaims (aka 'pvc')
  • persistentvolumes (aka 'pv')
  • poddisruptionbudgets (aka 'pdb')
  • podpreset
  • pods (aka 'po')
  • podsecuritypolicies (aka 'psp')
  • podtemplates
  • replicasets (aka 'rs')
  • replicationcontrollers (aka 'rc')
  • resourcequotas (aka 'quota')
  • rolebindings
  • roles
  • secrets
  • serviceaccounts (aka 'sa')
  • services (aka 'svc')
  • statefulsets
  • storageclasses
  • thirdpartyresources

Syntax

$ annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]

Examples

Update pod "foo" with the annotation "description" set to "my frontend". If the same annotation is set multiple times, only the last value is used.

kubectl annotate pods foo description='my frontend'

Update the annotation of the pod identified by the type and name in "pod.json".

kubectl annotate -f pod.json description='my frontend'

Update pod "foo" with the annotation "description" set to "my frontend running nginx", overwriting any existing value.

kubectl annotate --overwrite pods foo description='my frontend running nginx'

Update all pods in the namespace.

kubectl annotate pods --all description='my frontend running nginx'

Update pod "foo" only if the resource is still at resource-version 1.

kubectl annotate pods foo description='my frontend running nginx' --resource-version=1

Update pod "foo" by removing the annotation named "description". The --overwrite flag is not required for this.

kubectl annotate pods foo description-

Flags

--all (default: false): Select all resources in the namespace of the specified resource types.
--allow-missing-template-keys (default: true): If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
--dry-run (default: false): If true, only print the object that would be sent, without sending it.
--filename, -f (default: []): Filename, directory, or URL to files identifying the resource to update the annotation.
--include-extended-apis (default: true): If true, include definitions of new APIs via calls to the API server.
--local (default: false): If true, annotation will NOT contact api-server but run locally.
--no-headers (default: false): When using the default or custom-column output format, don't print headers (default print headers).
--output, -o: Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath].
--output-version: DEPRECATED: To use a specific API version, fully-qualify the resource, version, and group (for example: 'jobs.v1.batch/myjob').
--overwrite (default: false): If true, allow annotations to be overwritten, otherwise reject annotation updates that overwrite existing annotations.
--record (default: false): Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
--recursive, -R (default: false): Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
--resource-version: If non-empty, the annotation update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource.
--selector, -l: Selector (label query) to filter on, supports '=', '==', and '!='.
--show-all, -a (default: false): When printing, show all resources (default hide terminated pods).
--show-labels (default: false): When printing, show all labels as the last column (default hide labels column).
--sort-by: If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--template: Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

Kubernetes kubectl expose command explained

kubectl expose

Expose a resource as a new Kubernetes Service.

Specify a deployment, service, replica set, replication controller or pod, and use the selector of that resource as the selector for the new service on the specified port. A deployment or replica set is exposed as a new Service only when its selector can be converted to a selector supported by services, that is, when the selector contains only a matchLabels component.

Supported resources (case-insensitive):

pod (po), service (svc), replication controller (rc), deployment (deploy), replica set (rs)

Syntax

$ expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]

Examples

Create a service for the replication controller nginx, serving on port 80 and forwarding to port 8000 on the containers.

kubectl expose rc nginx --port=80 --target-port=8000

Create a service for the replication controller identified by the type and name in "nginx-controller.yaml", serving on port 80 and forwarding to port 8000 on the containers.

kubectl expose -f nginx-controller.yaml --port=80 --target-port=8000

Other details (flags)

--allow-missing-template-keys (default: true): If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
--cluster-ip: ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to 'None' to create a headless service.
--container-port: Synonym for --target-port.
--dry-run (default: false): If true, only print the object that would be sent, without sending it.
--external-ip: Additional external IP address (not managed by Kubernetes) to accept for the service. If this IP is routed to a node, the service can be accessed by this IP in addition to its generated service IP.
--filename, -f (default: []): Filename, directory, or URL to files identifying the resource to expose a service.
--generator (default: service/v2): The name of the API generator to use. There are 2 generators: 'service/v1' and 'service/v2'. The only difference between them is that service port in v1 is named 'default', while it is left unnamed in v2. Default is 'service/v2'.
--labels, -l: Labels to apply to the service created by this call.
--load-balancer-ip: IP to assign to the Load Balancer. If empty, an ephemeral IP will be created and used (cloud-provider specific).
--name: The name for the newly created object.
--no-headers (default: false): When using the default or custom-column output format, don't print headers (default print headers).
--output, -o: Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath].
--output-version: DEPRECATED: To use a specific API version, fully-qualify the resource, version, and group (for example: 'jobs.v1.batch/myjob').
--overrides: An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field.
--port: The port that the service should serve on. Copied from the resource being exposed, if unspecified.
--protocol: The network protocol for the service to be created. Default is 'TCP'.
--record (default: false): Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
--recursive, -R (default: false): Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
--save-config (default: false): If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--selector: A label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the replication controller or replica set.
--session-affinity: If non-empty, set the session affinity for the service to this; legal values: 'None', 'ClientIP'.
--show-all, -a (default: false): When printing, show all resources (default hide terminated pods).
--show-labels (default: false): When printing, show all labels as the last column (default hide labels column).
--sort-by: If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--target-port: Name or number for the port on the container that the service should direct traffic to. Optional.
--template: Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--type: Type for this service: ClusterIP, NodePort, or LoadBalancer. Default is 'ClusterIP'.

Kubernetes kubectl run command explained

kubectl run

  • Create and run one or more container images.
  • Create a deployment or job to manage the containers.

Syntax:

$ run NAME --image=image [--env="key=value"] [--port=port] [--replicas=replicas] [--dry-run=bool] [--overrides=inline-json] [--command] -- [COMMAND] [args...]

Examples:

Start an nginx instance.

kubectl run nginx --image=nginx

Start a hazelcast instance and expose container port 5701.

kubectl run hazelcast --image=hazelcast --port=5701

Start a hazelcast instance and set the environment variables "DNS_DOMAIN=cluster" and "POD_NAMESPACE=default" in the container.

kubectl run hazelcast --image=hazelcast --env="DNS_DOMAIN=cluster" --env="POD_NAMESPACE=default"

Start an nginx instance with 5 replicas.

kubectl run nginx --image=nginx --replicas=5

Dry run: print the corresponding API objects without creating them.

kubectl run nginx --image=nginx --dry-run

Other details (flags)

--allow-missing-template-keys (default: true): If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
--attach (default: false): If true, wait for the Pod to start running, and then attach to the Pod as if 'kubectl attach ...' were called. Default false, unless '-i/--stdin' is set, in which case the default is true. With '--restart=Never' the exit code of the container process is returned.
--command (default: false): If true and extra arguments are present, use them as the 'command' field in the container, rather than the 'args' field which is the default.
--dry-run (default: false): If true, only print the object that would be sent, without sending it.
--env (default: []): Environment variables to set in the container.
--expose (default: false): If true, a public, external service is created for the container(s) which are run.
--generator: The name of the API generator to use, see http://kubernetes.io/docs/user-guide/kubectl-conventions/#generators for a list.
--hostport (default: -1): The host port mapping for the container port. To demonstrate a single-machine container.
--image: The image for the container to run.
--image-pull-policy: The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server.
--include-extended-apis (default: true): If true, include definitions of new APIs via calls to the API server.
--labels, -l: Labels to apply to the pod(s).
--leave-stdin-open (default: false): If the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes.
--limits: The resource requirement limits for this container. For example, 'cpu=200m,memory=512Mi'. Note that server side components may assign limits depending on the server configuration, such as limit ranges.
--no-headers (default: false): When using the default or custom-column output format, don't print headers (default print headers).
--output, -o: Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [http://kubernetes.io/docs/user-guide/jsonpath].
--output-version: DEPRECATED: To use a specific API version, fully-qualify the resource, version, and group (for example: 'jobs.v1.batch/myjob').
--overrides: An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field.
--pod-running-timeout (default: 1m0s): The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running.
--port: The port that this container exposes. If --expose is true, this is also the port used by the service that is created.
--quiet (default: false): If true, suppress prompt messages.
--record (default: false): Record current kubectl command in the resource annotation. If set to false, do not record the command. If set to true, record the command. If not set, default to updating the existing annotation value only if one already exists.
--replicas, -r (default: 1): Number of replicas to create for this container. Default is 1.
--requests: The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges.
--restart (default: Always): The restart policy for this Pod. Legal values [Always, OnFailure, Never]. If set to 'Always' a deployment is created, if set to 'OnFailure' a job is created, if set to 'Never', a regular pod is created. For the latter two --replicas must be 1. Default 'Always', for CronJobs Never.
--rm (default: false): If true, delete resources created in this command for attached containers.
--save-config (default: false): If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.
--schedule: A schedule in the Cron format the job should be run with.
--service-generator (default: service/v2): The name of the generator to use for creating a service. Only used if --expose is true.
--service-overrides: An inline JSON override for the generated service object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. Only used if --expose is true.
--show-all, -a (default: false): When printing, show all resources (default hide terminated pods).
--show-labels (default: false): When printing, show all labels as the last column (default hide labels column).
--sort-by: If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
--stdin, -i (default: false): Keep stdin open on the container(s) in the pod, even if nothing is attached.
--template: Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].
--tty, -t (default: false): Allocate a TTY for each container in the pod.

Creating a Kubernetes cluster with kubeadm

This quick start shows how to easily install a Kubernetes cluster on machines running Ubuntu 16.04+, CentOS 7 or HypriotOS v1.0.1+. We install it with the kubeadm tool, which has shipped with the Kubernetes packages since version 1.4. Since v1.6, kubeadm creates a secure cluster using mechanisms such as RBAC.

This installation guide can be used on local virtual machines, physical servers or cloud servers. kubeadm can also easily be integrated into automation tools (Terraform, Chef, Puppet, etc.).

For complete information on the kubeadm command line, and for recommendations on automating kubeadm, see the original kubeadm reference on the official site.

  • On GCE, Google Container Engine can create a Kubernetes cluster with one click.
  • On AWS, kops makes cluster installation and management easier; kops supports building highly available clusters.

kubeadm Maturity

Aspect                   Maturity Level
Command line UX          beta
Config file              alpha
Selfhosting              alpha
kubeadm alpha commands   alpha
Implementation           alpha

Prerequisites

  1. Multiple machines running Ubuntu 16.04+, CentOS 7 or HypriotOS v1.0.1+
  2. At least 1 GB of RAM per machine
  3. Full network connectivity between all machines in the cluster

Objectives

  • Install a secure Kubernetes cluster on your machines
  • Install a pod network on the cluster so that application components (pods) can communicate with each other
  • Install a sample microservices application on the cluster

Steps

(1/4) Install kubeadm on the hosts

See the earlier article: Installing kubeadm

(2/4) Initialize the master

The master is the machine where the control plane components run, including etcd and the API server (which the kubectl CLI talks to).

Pick one of the machines on which kubeadm was installed and run the following command to initialize the master:

kubeadm init

Note:

  • You need to choose a pod network plugin in the next step.
  • kubeadm init auto-detects the network interface to advertise the master on, using the interface that carries the master's default gateway. To use a different interface, pass --apiserver-advertise-address=<ip-address> to kubeadm init.

kubeadm init takes a few minutes, because it downloads the cluster control plane components.

Do not run kubeadm init twice, unless you are upgrading from v1.6 to v1.7; see Tear Down.

The output looks like this:

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[init] Using Kubernetes version: v1.7.0
[init] Using Authorization modes: [Node RBAC]
[preflight] Running pre-flight checks
[preflight] Starting the kubelet service
[certificates] Generated CA certificate and key.
[certificates] Generated API server certificate and key.
[certificates] API Server serving cert is signed for DNS names [kubeadm-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 10.138.0.4]
[certificates] Generated API server kubelet client certificate and key.
[certificates] Generated service account token signing key and public key.
[certificates] Generated front-proxy CA certificate and key.
[certificates] Generated front-proxy client certificate and key.
[certificates] Valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[apiclient] Created API client, waiting for the control plane to become ready
[apiclient] All control plane components are healthy after 16.502136 seconds
[token] Using token: <token>
[apiconfig] Created RBAC rules
[addons] Applied essential addon: kube-proxy
[addons] Applied essential addon: kube-dns

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run (as a regular user):

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  http://kubernetes.io/docs/admin/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join --token <token> <master-ip>:<master-port>

The kubeadm join command printed by kubeadm init requires the token parameter.

The token is used for mutual authentication between the master and the joining nodes. The token included in the output is a secret: keep it safe, because it is what ensures that only authorized nodes are added to the Kubernetes cluster. Tokens can be listed, created and deleted with the kubeadm token command.
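Because the join token is a secret, automation that captures the kubeadm init output should validate it and keep it out of logs. The following is an added example, not part of the original page or of kubeadm: it pulls the token out of a constructed init transcript, checks it has the bootstrap-token shape (six lowercase letters or digits, a dot, sixteen more), and masks the secret half for logging. The token value itself is a made-up placeholder.

```shell
# Constructed transcript in the shape of the "kubeadm init" output above;
# the token is a placeholder, not a real secret.
SAMPLE_INIT_OUTPUT='[token] Using token: abcdef.0123456789abcdef
[apiconfig] Created RBAC rules

You can now join any number of machines by running the following on each node
as root:

  kubeadm join --token abcdef.0123456789abcdef 10.138.0.4:6443'

# Print the token that follows "--token" in the join line (first match only),
# or nothing when no join line is present.
extract_join_token() {
    printf '%s\n' "$1" | sed -n 's/.*kubeadm join --token \([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 if the token has the bootstrap token format "[a-z0-9]{6}.[a-z0-9]{16}".
is_valid_bootstrap_token() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# Keep only the public token ID (before the dot). The part after the dot is
# the secret that authenticates a joining node and must not reach logs.
mask_token() {
    printf '%s.****************\n' "${1%%.*}"
}

main() {
    token=$(extract_join_token "$SAMPLE_INIT_OUTPUT")
    if is_valid_bootstrap_token "$token"; then
        echo "join token id: $(mask_token "$token")"
    else
        echo "no valid bootstrap token found in kubeadm init output" >&2
        return 1
    fi
}

main
```

On a real master the transcript comes from `kubeadm init | tee init.log`; treat that file with the same care as the token.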

(3/4) Install a pod network

A pod network plugin must be installed so that pods can communicate with each other.

The network must be deployed before any application is deployed and before kube-dns starts. kubeadm only supports CNI-based networks (kubenet is not supported).

For the full list of network plugins, see the add-ons page.

New in Kubernetes 1.6: by default, kubeadm 1.6 sets up a more secure cluster. It uses RBAC to grant limited permissions to the workloads running on the cluster, and that includes the network integration. So you need to make sure the network system you use has been updated for 1.6.

Install a pod network plugin with the following command:

kubectl apply -f <add-on.yaml>

Note: only one pod network can be installed per cluster.

Installation instructions for third-party pod network providers follow.

1. Calico

The official Calico guide is here.

Note:
  • For the network to work, pass --pod-network-cidr=192.168.0.0/16 to kubeadm init.
  • Calico only works on amd64.

kubectl apply -f http://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml

2. Canal

The official Canal setup guide is here.

Note:
  • For Canal to work, pass --pod-network-cidr=10.244.0.0/16 to kubeadm init.
  • Canal only works on amd64.

kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.6/rbac.yaml
kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.6/canal.yaml

3. Flannel

Note:
  • For Flannel to work, pass --pod-network-cidr=10.244.0.0/16 to kubeadm init.
  • Flannel works on amd64, arm, arm64 and ppc64le, but on any platform other than amd64 you must download the manifest manually and replace amd64 with your platform.

kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel-rbac.yml

4. Romana

The official Romana guide is here.

Note: Romana only works on amd64.

kubectl apply -f https://raw.githubusercontent.com/romana/romana/master/containerize/specs/romana-kubeadm.yml

5. Weave Net

The official Weave Net setup guide is here.

Note: Weave Net works on arm and arm64.

export kubever=$(kubectl version | base64 | tr -d '\n')
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$kubever"

Once the pod network is installed, check that the kube-dns pod is running: the output of kubectl get pods --all-namespaces confirms whether the network is working.

If the network is not working or kube-dns is not in the Running state, see the troubleshooting section.

Master isolation

By default, for security reasons, the cluster does not schedule pods on the master. If you want pods to be scheduled on the master, for example in a single-machine Kubernetes cluster used for development, run:

kubectl taint nodes --all node-role.kubernetes.io/master-

Output:

node "test-01" untainted
taint key="dedicated" and effect="" not found.
taint key="dedicated" and effect="" not found.

(4/4) Join worker nodes

To add worker nodes to the cluster, do the following on each machine:

  • SSH to the machine
  • Become root
  • Run the command printed by kubeadm init, for example:
    kubeadm join --token <token> <master-ip>:<master-port>

Output:

[kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters.
[preflight] Running pre-flight checks
[discovery] Trying to connect to API Server "10.138.0.4:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://10.138.0.4:6443"
[discovery] Cluster info signature and contents are valid, will use API Server "https://10.138.0.4:6443"
[discovery] Successfully established connection with API Server "10.138.0.4:6443"
[bootstrap] Detected server version: v1.7.0
[bootstrap] The server supports the Certificates API (certificates.k8s.io/v1beta1)
[csr] Created API client to obtain unique certificate for this node, generating keys and certificate signing request
[csr] Received signed certificate from the API server, generating KubeConfig...
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"

Node join complete:
* Certificate signing request sent to master and response
  received.
* Kubelet informed of new secure connection details.

Run 'kubectl get nodes' on the master to see this machine join.

A few seconds later, running kubectl get nodes on the master shows every machine that has been added to the cluster.

(Optional) Controlling the cluster from machines other than the master

Copy the kubeconfig file from the master to your workstation, like this:

scp root@<master ip>:/etc/kubernetes/admin.conf .
kubectl --kubeconfig ./admin.conf get nodes

Note: on GCE, ssh access as root is disabled by default. In that case, log in to the machine, copy the file somewhere accessible, and then use gcloud compute copy-files.
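admin.conf grants cluster-admin, so wherever it is copied (the $HOME/.kube/config steps printed by kubeadm init, or the scp above) it should be readable by its owner only. The following is an added example, not part of the original page or of kubeadm: it installs a kubeconfig with mode 0600, verifies the result, and demonstrates on a throwaway file; the source and destination paths are parameters.

```shell
# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is accessible by its owner only (mode 600 or 400).
is_owner_only() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Install SRC as DEST (default: $HOME/.kube/config), owned by the caller with
# mode 0600, creating the parent directory with mode 0700. Fails, without
# leaving a loosely-permissioned copy behind, if SRC is unreadable.
install_admin_kubeconfig() {
    src=$1
    dest=${2:-"$HOME/.kube/config"}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" && chmod 700 "$(dirname "$dest")" || return 1
    # install(1) copies and applies the mode in one step, unlike cp followed
    # by chmod, which briefly leaves the file with the default umask mode.
    install -m 0600 "$src" "$dest" || return 1
    is_owner_only "$dest" || { echo "$dest is not owner-only" >&2; return 1; }
}

# Constructed demo: a temporary file stands in for /etc/kubernetes/admin.conf.
demo() {
    tmp=$(mktemp -d)
    printf 'apiVersion: v1\nkind: Config\n' > "$tmp/admin.conf"
    chmod 644 "$tmp/admin.conf"   # world-readable source, as a careless copy would be
    install_admin_kubeconfig "$tmp/admin.conf" "$tmp/kube/config" \
        && echo "installed with mode $(file_mode "$tmp/kube/config")"
    rm -rf "$tmp"
}

demo
```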

(Optional) Proxying the API server to localhost

To connect to the API server from outside the cluster, you can use kubectl proxy:

scp root@<master ip>:/etc/kubernetes/admin.conf .
kubectl --kubeconfig ./admin.conf proxy

You can now access the API server locally at http://localhost:8001/api/v1

(Optional) Install a sample application

Sock Shop is a sample microservices application that shows how to run and connect a set of services on Kubernetes. To learn more about the application, see its GitHub README.

Note that the Sock Shop demo only works on amd64.

kubectl create namespace sock-shop
kubectl apply -n sock-shop -f "https://github.com/microservices-demo/microservices-demo/blob/master/deploy/kubernetes/complete-demo.yaml?raw=true"
kubectl -n sock-shop get svc front-end

Sample output:

NAME        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
front-end   10.110.250.153   <nodes>       80:30001/TCP   59s

It takes a few minutes to download and start all the containers; check the state of the sample application with kubectl get pods -n sock-shop.

Open http://<master_ip>:<port> in a browser, filling in the port and the master's IP address; in this example the port is 30001 and the IP is 10.110.250.153.

If there is a firewall, make sure this port is reachable.

To uninstall Sock Shop, run kubectl delete namespace sock-shop on the master.

Tear down

To undo what kubeadm did:

Run:

kubectl drain <node name> --delete-local-data --force --ignore-daemonsets
kubectl delete node <node name>

Then, on the node being removed, reset all kubeadm installed state:

kubeadm reset

Upgrading

Instructions for upgrading kubeadm clusters can be found here.

Explore other add-ons

See the list of add-ons to explore other plugins, including tools for logging, monitoring, network policy, visualization and control of your Kubernetes cluster.

What's next

Version skew policy

The kubeadm CLI tool of version vX.Y can deploy clusters of version vX.Y or vX.(Y-1). kubeadm CLI vX.Y can also upgrade an existing kubeadm-created cluster of version vX.(Y-1).

Looking ahead: kubeadm CLI vX.Y may or may not be able to deploy vX.(Y+1) clusters.

Example: kubeadm v1.7 can deploy v1.6 and v1.7 clusters and can upgrade a cluster created by kubeadm v1.6 to v1.7.

kubeadm on multiple platforms

kubeadm deb/rpm packages and binaries are built for amd64, arm (32-bit), arm64, ppc64le and s390x.

Installing kubeadm for Kubernetes

Before you begin

  • Multiple machines running Ubuntu 16.04+, CentOS 7 or HypriotOS v1.0.1+
  • At least 1 GB of RAM per machine
  • Full network connectivity between all machines in the cluster
  • A unique MAC address and product_uuid for every node
  • Certain ports open; see the following section

Check required ports

Master node(s)

Port range    Purpose
6443 *        Kubernetes API server
2379-2380     etcd server client API
10250         Kubelet API
10251         kube-scheduler
10252         kube-controller-manager
10255         Read-only Kubelet API (Heapster)

Worker node(s)

Port range    Purpose
10250         Kubelet API
10255         Read-only Kubelet API (Heapster)
30000-32767   Default port range for NodePort Services
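The tables above double as a checklist once the components are running: every required port should have a listener on the right node, and nothing else in those ranges should be unexpected. The following is an added example, not part of the original page or of kubeadm: it encodes the two tables and compares them against "ss -lnt" output to report required ports with no listener. The ss listing used here is constructed; on a real node call ss_missing_ports "$(ss -lnt)" master (or worker).

```shell
# Required listening ports for a node role, one per line, ranges as START-END.
required_ports() {
    case "$1" in
        master) printf '%s\n' 6443 2379-2380 10250 10251 10252 10255 ;;
        # 30000-32767 is only occupied as NodePort services are created, so it
        # is not a fixed requirement and is left out of the worker check.
        worker) printf '%s\n' 10250 10255 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Extract the local port numbers from "ss -lnt" output: the text after the
# last ':' in the Local Address:Port column (works for *, IPv4 and :: forms).
listening_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Print each required port (or range) of ROLE that has no listener in the
# given ss output; prints nothing when everything required is listening.
ss_missing_ports() {
    listing=$(listening_ports "$1")
    required_ports "$2" | while IFS= read -r want; do
        lo=${want%-*}
        hi=${want#*-}
        found=0
        for p in $listing; do
            [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ] && { found=1; break; }
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$want"
    done
}

# Constructed sample: a master on which etcd and kube-controller-manager are down.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:6443              *:*
LISTEN 0      128    127.0.0.1:10251     *:*
LISTEN 0      128    :::10250            :::*
LISTEN 0      128    *:10255             *:*
LISTEN 0      128    127.0.0.1:22        *:*'

ss_missing_ports "$SAMPLE_SS" master
```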

Installing Docker

Install Docker on each machine. Version 1.12 is recommended (v1.10 and v1.11 also work); versions 1.13 and 17.03+ have not been tested or validated by the Kubernetes team. For installation instructions, see the official Docker documentation: Installing Docker

Installing kubectl

Install kubectl on all machines; see: Installing kubectl

Installing kubelet and kubeadm

Install the following packages on all machines:

  • kubelet
  • kubeadm

Note: if kubeadm is already installed on the machine, run apt-get update && apt-get upgrade or yum update to get the latest version of kubeadm. For the differences between kubeadm versions, see

Configure the machines:

  • SSH into the machine.
  • On Ubuntu or HypriotOS, run:
    apt-get update && apt-get install -y apt-transport-https
    curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
    cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
    deb http://apt.kubernetes.io/ kubernetes-xenial main
    EOF
    apt-get update
    apt-get install -y kubelet kubeadm
  • On CentOS, run:
    cat <<EOF > /etc/yum.repos.d/kubernetes.repo
    [kubernetes]
    name=Kubernetes
    baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
            https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
    EOF
    setenforce 0
    yum install -y kubelet kubeadm
    systemctl enable kubelet && systemctl start kubelet

Afterwards, kubelet restarts every few seconds in a crash loop, because it is waiting for kubeadm to tell it what to do.

Note: you must run setenforce 0 to disable SELinux, because containers need to be allowed access to the host filesystem, which the pod networks require (until SELinux support in kubelet is improved).

What's next