Ubuntu18.04 搭建 k8s

2021-02-12

字数统计: 5.8k字 | 阅读时长≈ 31分

Ubuntu18.04 搭建 k8s

微服务是一种架构思想，实际的开发采用分布式系统开发，分布式系统开发就一定会遇到四个问题。

服务之间如何访问
这么多服务如何管理
服务挂了怎么办

微服务架构，是为了实现三大指标: 高可用、高性能、高并发

负载均衡：能够实现轮询
集群：必须要实现数据同步，Redis
高可用：一直可以用，必须实现崩溃恢复，必须奇数部署，方便选举

Ubuntu基础配置

时区统一

1	dpkg-reconfigure tzdata

时间统一

1	apt install ntpdate

设置系统时间与网络时间同步

1	ntpdate cn.pool.ntp.org

将系统时间写入硬件时间

1	hwclock --systohc

IPVS IP虚拟服务器

1	apt install -y ipset ipvsadm

创建配置并加载IPVS模块

mkdir -p /etc/sysconfig/modules/
vi /etc/sysconfig/modules/ipvs.modules

#!/bin/bash
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4

# 执行脚本，注意：如果重启则需要重新运行该脚本
chmod 755 /etc/sysconfig/modules/ipvs.modules && bash /etc/sysconfig/modules/ipvs.modules && lsmod | grep -e ip_vs -e nf_conntrack_ipv4

配置内核参数

vi /etc/sysctl.d/k8s.conf

# 输入如下内容
net.bridge.bridge-nf-call-ip6tables = 1
# 表示 bridge 设备在二层转发时也去调用 iptables 配置的三层规则 
net.bridge.bridge-nf-call-iptables = 1
# 此参数表示是否允许服务绑定一个本机不存在的IP地址
net.ipv4.ip_nonlocal_bind = 1
# 端口转发
net.ipv4.ip_forward = 1
# 最大限度使用物理内存 (k8s 建议使用)
vm.swappiness=0

# 应用参数
sysctl --system

# 应用参数输出如下
* Applying /etc/sysctl.d/k8s.conf ...
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.ip_forward = 1
vm.swappiness = 0
* Applying /etc/sysctl.conf ...
net.ipv4.ip_forward = 1

用户

启用ssh
apt-get install openssh-server

换国内源
vi /etc/apt/sources.list

# 默认注释了源码仓库，如有需要可自行取消注释
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ focal main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-security main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-updates main restricted universe multiverse
deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-backports main restricted universe multiverse
# 预发布软件源，不建议启用
# deb https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse
# deb-src https://mirrors.ustc.edu.cn/ubuntu/ bionic-proposed main restricted universe multiverse

# aliyun源
deb http://mirrors.aliyun.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ $(lsb_release -cs)-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ $(lsb_release -cs)-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ $(lsb_release -cs)-backports main restricted universe multiverse

sudo passwd root

# 配置用户名和密码
# user： msga，root
# pwd：123

# 修改主机名称
hostnamectl set-hostname kubernetes-master

# 关闭交换空间
sudo swapoff -a
# 避免开机启动 /etc/fstab swap
ufw disable

# 固定IP
vi /etc/netplan/01-netcfg.yaml

虚拟机网络配置
NAT模式：子网地址：192.168.79.0，网关：192.168.79.2，DHCP：起始 192.168.79.128、结束 192.168.79.254，掩码：24

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    ens33:
      addresses: [192.168.79.130/24]
      gateway4: 192.168.79.2
      nameservers:
            #search: []
             addresses:
                  - 8.8.8.8
                  - 114.114.114.114
      dhcp4: no
      #dhcp6: no
      #optional: true

配置宿主机，不配置可能连不上外网

netplan apply

# 取消 DNS 行注释，并增加 DNS 配置如：114.114.114.114，修改后重启下计算机
vi /etc/systemd/resolved.conf

# 联网问题
vi /etc/resolv.conf
> nameservers: 114.114.114.114
systemctl stop systemd-resolved

安装Docker docker安装官网

配置软件源

sudo apt-get remove docker \
               docker-engine \
               docker.io

sudo apt-get update

sudo apt-get -y install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common

curl -fsSL https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
# 添加源
sudo add-apt-repository \
    "deb [arch=amd64] https://mirrors.ustc.edu.cn/docker-ce/linux/ubuntu \
    $(lsb_release -cs) \
    stable"

# =======安装Docker========
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

# 错误
Sub-process /usr/bin/dpkg returned an error code (1)
# 解决办法
#现将info文件夹更名
sudo mv /var/lib/dpkg/info /var/lib/dpkg/info.bak 
#再新建一个新的info文件夹
sudo mkdir /var/lib/dpkg/info 
sudo apt-get update
# 重新安装
apt-get -f install xxx
sudo mv /var/lib/dpkg/info/* /var/lib/dpkg/info.bak
# 执行完上一步操作后会在新的info文件夹下生成一些文件，现将这些文件全部移到info.bak文件夹下
# 把自己新建的info文件夹删掉
sudo rm -rf /var/lib/dpkg/info 
# 把以前的info文件夹重新改回名字
sudo mv /var/lib/dpkg/info.bak /var/lib/dpkg/info 

# 修改Docker国内源
vi /etc/docker/daemon.json

{
  "registry-mirrors": [
    "https://hub-mirror.c.163.com",
    "https://mirror.baidubce.com"
  ]
}

systemctl daemon-reload
systemctl restart docker
# 查看是否生效
docker info

安装k8s (Kubernetes)

apt update && apt install -y apt-transport-https
sudo curl -s https://mirrors.aliyun.com/kubernetes/apt/doc/apt-key.gpg | sudo apt-key add -

sudo tee /etc/apt/sources.list.d/kubernetes.list <<-'EOF'
deb https://mirrors.aliyun.com/kubernetes/apt kubernetes-xenial main
EOF

sudo apt-get update

# 安装k8s工具
sudo apt-get install -y kubelet kubeadm kubectl

# 开机启动
sudo systemctl enable kubelet && sudo systemctl start kubelet

配置k8s集群

# 1. Master 配置
kubeadm config print init-defaults --kubeconfig ClusterConfiguration > kubeadm.yml

# 修改`kubeadm.yml`配置
> advertiseAddress: 192.168.79.131
> imageRepository: registry.aliyuncs.com/google_containers
> networking: podSubnet: "192.168.0.0/16"

# 查看镜像地址情况
kubeadm config images list --config kubeadm.yml
# 拉取镜像
kubeadm config images pull --config kubeadm.yml

#  初始化
kubeadm init --config=kubeadm.yml --experimental-upload-certs | tee kubeadm-init.log
kubeadm init --config=kubeadm.yml --upload-certs | tee kubeadm-init.log

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

kubectl get nodes
docker ps

查看健康值

1	kubectl get cs

解决k8s集群在节点运行kubectl出现的错误：The connection to the server localhost:8080 was refused - did you specify the right host or port?

1
2
3

mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

可能会出现以下错误： Unhealthy Get http://127.0.0.1:10251/healthz: dial tcp 127.0.0.1:10251: connect: connection refused

出现这种情况，是/etc/kubernetes/manifests下的kube-controller-manager.yaml和kube-scheduler.yaml设置的默认端口port是 0，在文件中注释掉就可以了

# 注释controller和scheduler的port配置
> #   - --port=0
# 重启
systemctl restart kubelet.service
# 然后健康值就正常了
kubectl get cs

重新配置k8s

# 启用IPVS
modprobe -- ip_vs
modprobe -- ip_vs_rr
modprobe -- ip_vs_wrr
modprobe -- ip_vs_sh
modprobe -- nf_conntrack_ipv4

# 重置k8s
kubeadm reset
docker ps

# 重新启动 Master ，Node节点reset后重新join就可以了
rm -rf /usr/local/docker/kubernetes/kubeadm-init.log
kubeadm init --config=/usr/local/docker/kubernetes/kubeadm.yml --upload-certs | tee /usr/local/docker/kubernetes/kubeadm-init.log

# kubectl get nodes可能会出现报错,是权限问题: Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
rm -rf ~/.kube
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

# NODE节点
rm -rf ~/.kube
mkdir -p $HOME/.kube
cp -i /etc/kubernetes/kubelet.conf $HOME/.kube/config
chown $(id -u):$(id -g) $HOME/.kube/config

# 2. 安装子节点(node,slave)
# master 
kubeadm token create --print-join-command

# 得到命令，在子节点输入就可以了
kubeadm join 192.168.79.131:6443 --token u9frdi.zpwp9a4i4zi611vl     --discovery-token-ca-cert-hash sha256:d7f660e4357de92bf861f5f4d0c22ad26ef7adfdab0b778354e5802b5dfb68e0

# 删除子节点
# 在k8s-node上 
kubeadm reset
# 在Master上delete nodes
kubectl delete nodes k8s-node03
kubeadm delete nodes {nodesname}

# token打印
kubeadm token list

# token可能会过期
# 创建
kubeadm token create --print-join-command

#  查看状态
kubectl get pod -n kube-system -o wide

# docker 网络，沙盒机制
# https://www.bilibili.com/video/BV1v4411a7qf?p=9&spm_id_from=pageDriver
# P9 6：40

ansible

搭建pod网络(calico) 官方文档

kubectl create -f https://docs.projectcalico.org/manifests/tigera-operator.yaml

# watch查看tigera是否为启动状态，然后运行下面的命令
watch kubectl get pods --all-namespaces

kubectl create -f https://docs.projectcalico.org/manifests/custom-resources.yaml

# 查看calico插件是否运行成功, 可能需要等几分钟
watch kubectl get pods -n calico-system

k8s 常用命令

# 查看Master状态
kubectl cluster-info

# 运行第一个容器实例
kubectl run nginx --images=nginx --replicas=2 --port=80
# 新版本运行方式
kubectl create deployment --image=nginx nginx-app
kubectl set env deployment/nginx-app  DOMAIN=cluster

# 查看运行的pods
kubectl get pods
kubectl get po -l run=nginx-app

docker ps

# 查看部署的实例
kubectl get deployment
kubectl get deployment nginx-app

# 通过服务公开（映射）端口
kubectl expose deployment nginx-app --port=80 --name=nginx-http --type=LoadBalancer

# 查看日志
kubectl logs -f nginx-app-zibvs

# 要查看以前在 k8s 中执行的输出，请执行以下操作：
kubectl logs --previous nginx-app-zibvs

# 查看已发布的服务
kubectl get services

# 查看服务详情
kubectl describe service nginx

# 删除部署，请注意，我们不直接删除 pod。使用 kubectl 命令，我们要删除拥有该 pod 的 Deployment。如果我们直接删除 pod，Deployment 将会重新创建该 pod。
kubectl delete deployment nginx-app
# 删除部署后，不会一起删除服务
kubectl delete service nginx-http

# 进入容器（交互式命令）
kubectl exec -ti nginx-app-5jyvm -- /bin/sh

配置HAPoxy 和 keepalived

该步骤在 k8s-master-01 执行

mkdir -p /usr/local/kubernetes/lb
vi /usr/local/kubernetes/lb/start-haproxy.sh

#!/bin/bash
# 修改为你自己的 Master 地址
MasterIP1=192.168.79.130
MasterIP2=192.168.79.131
MasterIP3=192.168.79.132
# 这是 kube-apiserver 默认端口，不用修改
MasterPort=6443

# 容器将 HAProxy 的 6444 端口暴露出去
docker run -d --restart=always --name HAProxy-K8S -p 6444:6444 \
        -e MasterIP1=$MasterIP1 \
        -e MasterIP2=$MasterIP2 \
        -e MasterIP3=$MasterIP3 \
        -e MasterPort=$MasterPort \
        wise2c/haproxy-k8s

# 设置权限
chmod +x /usr/local/kubernetes/lb/start-haproxy.sh

创建 Keepalived 启动脚本

该步骤在 k8s-master-01 执行

mkdir -p /usr/local/kubernetes/lb
vi /usr/local/kubernetes/lb/start-keepalived.sh

# 输入内容如下
#!/bin/bash
# 修改为你自己的虚拟 IP 地址
VIRTUAL_IP=192.168.79.180
# 虚拟网卡设备名
INTERFACE=ens33
# 虚拟网卡的子网掩码
NETMASK_BIT=24
# HAProxy 暴露端口，内部指向 kube-apiserver 的 6443 端口
CHECK_PORT=6444
# 路由标识符
RID=10
# 虚拟路由标识符
VRID=160
# IPV4 多播地址，默认 224.0.0.18
MCAST_GROUP=224.0.0.18

docker run -itd --restart=always --name=Keepalived-K8S \
        --net=host --cap-add=NET_ADMIN \
        -e VIRTUAL_IP=$VIRTUAL_IP \
        -e INTERFACE=$INTERFACE \
        -e CHECK_PORT=$CHECK_PORT \
        -e RID=$RID \
        -e VRID=$VRID \
        -e NETMASK_BIT=$NETMASK_BIT \
        -e MCAST_GROUP=$MCAST_GROUP \
        wise2c/keepalived-k8s

# 设置权限
chmod +x start-keepalived.sh

复制脚本到其它 Master 地址
分别在 k8s-master-02 和 k8s-master-03 执行创建工作目录命令

1	mkdir -p /usr/local/kubernetes/lb

将 k8s-master-01 中的脚本拷贝至其它 Master

1
2
3

scp start-haproxy.sh start-keepalived.sh 192.168.79.131:/usr/local/kubernetes/lb

scp start-haproxy.sh start-keepalived.sh 192.168.79.132:/usr/local/kubernetes/lb

分别在几个Master中启动容器

sh /usr/local/kubernetes/lb/start-haproxy.sh && sh /usr/local/kubernetes/lb/start-keepalived.sh

# 查看容器
docker ps

CONTAINER ID   IMAGE                                               COMMAND                  CREATED          STATUS          PORTS     NAMES
9424a19d0882   wise2c/keepalived-k8s                               "/usr/bin/keepalived…"   2 minutes ago       Up 2 minutes                                Keepalived-K8S
2687e5a06345   wise2c/haproxy-k8s                                  "/docker-entrypoint.…"   About an hour ago   Up About an hour   0.0.0.0:6444->6444/tcp   HAProxy-K8S

创建集群cluster

# 创建工作目录
mkdir -p /usr/local/kubernetes/cluster

# 导出配置文件到工作目录
kubeadm config print init-defaults --kubeconfig ClusterConfiguration > kubeadm.yml

kubeadm init --config=kubeadm.yml --upload-certs | tee kubeadm-init.log

集群POD网段冲突问题

# 修改 kubeadm.yml 
> localAPIEndpoint:
  # 修改为主节点 IP
>   advertiseAddress: 192.168.141.150
>   bindPort: 6443
# 配置 Keepalived 地址和 HAProxy 端口
> controlPlaneEndpoint: "192.168.79.180:6444"
> controllerManager: {}
> networking:
>  dnsDomain: cluster.local
>  podSubnet: "10.244.0.0/16"
>  serviceSubnet: 10.96.0.0/12
> imageRepository: registry.aliyuncs.com/google_containers


# 安装calico
kubectl create -f https://docs.projectcalico.org/manifests/tigera-operator.yaml

# watch查看tigera是否为启动状态，然后运行下面的命令
watch kubectl get pods --all-namespaces

wget https://docs.projectcalico.org/manifests/custom-resources.yaml

修改 custom-resources.yaml

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  # Configures Calico networking.
  calicoNetwork:
    # Note: The ipPools section cannot be modified post-install.
    ipPools:
    - blockSize: 26
      # 修改为： 10.244.0.0/16
      cidr: 10.244.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()

安装 calico

kubectl create -f ./custom-resources.yaml

# 查看calico插件是否运行成功, 可能需要等几分钟
watch kubectl get pods -n calico-system

连接Master节点


kubeadm join 192.168.79.180:6444 --token abcdef.0123456789abcdef \
  --discovery-token-ca-cert-hash sha256:019c6ad1b327182b7dfde7c12166d4b6ee8d32364053a5ab1a31964933674037 \
  --control-plane --certificate-key c24446984c748c95816d5281689f090c05cb050aa6c993971148eb15e0eedfa9

其他node连接master

1 2	kubeadm join 192.168.79.180:6443 --token abcdef.0123456789abcdef \ --discovery-token-ca-cert-hash sha256:fe747f6fab5ade54bf9519b5fe27e36b5902968be13d97889e5e4c108c3b8ee8

查看集群状态

1	kubectl get nodes -o wide

查看Pod

1	kubectl -n kube-system get pod -o wide

查看Service

1	kubectl -n kube-system get svc

查看IPVS

查看 kube-proxy 日志，server_others.go:176] Using ipvs Proxier.
1
kubectl -n kube-system logs -f <kube-proxy 容器名>
查看代理规则

1	ipvsadm -ln

查看生效的配置

1	kubectl -n kube-system get cm kubeadm-config -oyaml

查看 etcd 集群

kubectl -n kube-system exec etcd-kubernetes-master-01 -- etcdctl \
	--endpoints=https://192.168.79.130:2379 \
	--ca-file=/etc/kubernetes/pki/etcd/ca.crt \
	--cert-file=/etc/kubernetes/pki/etcd/server.crt \
	--key-file=/etc/kubernetes/pki/etcd/server.key cluster-health

# 输出如下
member 1dfaf07371bb0cb6 is healthy: got healthy result from https://192.168.141.152:2379
member 2da85730b52fbeb2 is healthy: got healthy result from https://192.168.141.150:2379
member 6a3153eb4faaaffa is healthy: got healthy result from https://192.168.141.151:2379
cluster is healthy

查看VIP漂移

1	ip a \|grep ens33

关闭 master 01

kubectl get nodes

NAME                   STATUS     ROLES                  AGE    VERSION
kubernetes-master-01   NotReady   control-plane,master   110m   v1.20.4
kubernetes-master-02   Ready      control-plane,master   97m    v1.20.4
kubernetes-master-03   Ready      control-plane,master   91m    v1.20.4
kubernetes-node-01     Ready      <none>                 89m    v1.20.4
kubernetes-node-02     Ready      <none>                 88m    v1.20.4
kubernetes-node-03     Ready      <none>                 78m    v1.20.4

通过资源配置运行容器

部署 Deployment yaml文件

# API 版本号：由 extensions/v1beta1 修改为 apps/v1
apiVersion: apps/v1
# 类型，如：Pod/ReplicationController/Deployment/Service/Ingress
kind: Deployment
metadata:
  # Kind 的名称
  name: nginx-app
spec:
  # 增加了选择器配置
  selector:
    matchLabels:
      app: nginx
  # 部署的实例数量
  replicas: 2
  template:
    metadata:
      labels:
        # 容器标签的名字，发布 Service 时，selector 需要和这里对应
        app: nginx
    spec:
      containers:
      # 容器名称
      - name: nginx
        # 容器镜像
        image: nginx
        # 暴露端口
        ports:
        # Pod 端口
        - containerPort: 80

# 部署
kubectl create -f nginx-deployment.yml

# 删除
kubectl delete -f nginx-deployment.yml

服务

# API 版本号
apiVersion: v1
# 类型，如：Pod/ReplicationController/Deployment/Service/Ingress
kind: Service
# 元数据
metadata:
  # Kind 的名称
  name: nginx-http
spec:
  # 暴露端口
  ports:
    ## Service 暴露的端口
    - port: 80
      ## Pod 上的端口，这里是将 Service 暴露的端口转发到 Pod 端口上
      targetPort: 80
  # 类型
  type: LoadBalancer
  # 标签选择器
  selector:
    # 需要和上面部署的 Deployment 标签名对应
    app: nginx

  # 部署
kubectl create -f nginx-service.yml

# 删除
kubectl delete -f nginx-service.yml

查看效果

查看 Pod 列表
1
kubectl get pods

Pod部署错误: ImagePullBackOff

kubectl describe pod nginx-app-7848d4b86f-q6r79

Events:
  Type     Reason     Age                   From               Message
  ----     ------     ----                  ----               -------
  Normal   Scheduled  12m                   default-scheduler  Successfully assigned default/nginx-app-7848d4b86f-q6r79 
  Warning  Failed     11m                   kubelet            Failed to pull image "nginx": rpc error: code = Unknown dp: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Warning  Failed     9m49s                 kubelet            Failed to pull image "nginx": rpc error: code = Unknown d
  Normal   Pulling    7m10s (x4 over 12m)   kubelet            Pulling image "nginx"
  Warning  Failed     5m45s (x4 over 11m)   kubelet            Error: ErrImagePull
  Warning  Failed     5m45s (x2 over 8m)    kubelet            Failed to pull image "nginx": rpc error: code = Unknown dtry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting hea
  Normal   BackOff    5m21s (x7 over 11m)   kubelet            Back-off pulling image "nginx"
  Warning  Failed     2m22s (x13 over 11m)  kubelet            Error: ImagePullBackOff

查看 Deployment 列表
1
kubectl get deployment
查看 Service 列表
1
kubectl get service
查看 Service 详情
1
kubectl describe service nginx
通过浏览器访问

1	通过浏览器访问 http://192.168.79.130:30095/ ，出现 Nginx 欢迎页即表示成功

将端口改为 80

apiVersion: v1
kind: Service
metadata:
  name: nginx-http
spec:
  ports:
    - port: 80
      targetPort: 80
      # nodePort改为80
      nodePort: 80
  type: LoadBalancer
  selector:
    # 标签选择器由 name 修改为 app
    app: nginx

修改 /etc/kubernetes/manifests/kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.168.79.130:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    # 修改port范围
    - --service-node-port-range=2-65535
    - --advertise-address=192.168.79.130

集成环境部署

Ingress 统一访问入口

tomcat.yml

# API 版本号：由 extensions/v1beta1 修改为 apps/v1
apiVersion: apps/v1
# 类型，如：Pod/ReplicationController/Deployment/Service/Ingress
kind: Deployment
metadata:
  # Kind 的名称
  name: tomcat-app
spec:
  # 增加了选择器配置
  selector:
    matchLabels:
      app: tomcat
  # 部署的实例数量
  replicas: 2
  template:
    metadata:
      labels:
        # 容器标签的名字，发布 Service 时，selector 需要和这里对应
        app: tomcat
    spec:
      containers:
      # 容器名称
      - name: tomcat
        # 容器镜像
        image: tomcat
        # 暴露端口
        ports:
        # Pod 端口
        - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: tomcat-http
spec:
  ports:
    - port: 8080
      targetPort: 8080
  # ClusterIP, NodePort, LoadBalancer
  type: ClusterIP
  selector:
    name: tomcat

配置Ingress-Nginx


apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
---
# Source: ingress-nginx/templates/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
---
# Source: ingress-nginx/templates/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
  name: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ''
    resources:
      - configmaps
      - pods
      - secrets
      - endpoints
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - networking.k8s.io   # k8s 1.14+
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ''
    resources:
      - configmaps
    resourceNames:
      - ingress-controller-leader-nginx
    verbs:
      - get
      - update
  - apiGroups:
      - ''
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ''
    resources:
      - events
    verbs:
      - create
      - patch
---
# Source: ingress-nginx/templates/controller-rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx
subjects:
  - kind: ServiceAccount
    name: ingress-nginx
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/controller-service-webhook.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission
  namespace: ingress-nginx
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-service.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  externalTrafficPolicy: Local
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    - name: https
      port: 443
      protocol: TCP
      targetPort: https
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/component: controller
---
# Source: ingress-nginx/templates/controller-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/instance: ingress-nginx
      app.kubernetes.io/component: controller
  revisionHistoryLimit: 10
  minReadySeconds: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/component: controller
    spec:
      dnsPolicy: ClusterFirst
      containers:
        - name: controller
          image: k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
          imagePullPolicy: IfNotPresent
          lifecycle:
            preStop:
              exec:
                command:
                  - /wait-shutdown
          args:
            - /nginx-ingress-controller
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
            - --election-id=ingress-controller-leader
            - --ingress-class=nginx
            - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 101
            allowPrivilegeEscalation: true
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: LD_PRELOAD
              value: /usr/local/lib/libmimalloc.so
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
            - name: webhook
              containerPort: 8443
              protocol: TCP
          volumeMounts:
            - name: webhook-cert
              mountPath: /usr/local/certificates/
              readOnly: true
          resources:
            requests:
              cpu: 100m
              memory: 90Mi
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: ingress-nginx
      terminationGracePeriodSeconds: 300
      volumes:
        - name: webhook-cert
          secret:
            secretName: ingress-nginx-admission
---
# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml
# before changing this value, check the required kubernetes version
# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission
webhooks:
  - name: validate.nginx.ingress.kubernetes.io
    matchPolicy: Equivalent
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1beta1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
      - v1beta1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission
        path: /networking/v1beta1/ingresses
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
rules:
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    verbs:
      - get
      - update
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ''
    resources:
      - secrets
    verbs:
      - get
      - create
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ingress-nginx-admission
  annotations:
    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-nginx-admission
subjects:
  - kind: ServiceAccount
    name: ingress-nginx-admission
    namespace: ingress-nginx
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
  annotations:
    helm.sh/hook: pre-install,pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-create
      labels:
        helm.sh/chart: ingress-nginx-3.23.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.44.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: create
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - create
            - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
            - --namespace=$(POD_NAMESPACE)
            - --secret-name=ingress-nginx-admission
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      hostNetwork: true
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000
---
# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
  annotations:
    helm.sh/hook: post-install,post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  labels:
    helm.sh/chart: ingress-nginx-3.23.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 0.44.0
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: admission-webhook
  namespace: ingress-nginx
spec:
  template:
    metadata:
      name: ingress-nginx-admission-patch
      labels:
        helm.sh/chart: ingress-nginx-3.23.0
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/instance: ingress-nginx
        app.kubernetes.io/version: 0.44.0
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/component: admission-webhook
    spec:
      containers:
        - name: patch
          image: docker.io/jettech/kube-webhook-certgen:v1.5.1
          imagePullPolicy: IfNotPresent
          args:
            - patch
            - --webhook-name=ingress-nginx-admission
            - --namespace=$(POD_NAMESPACE)
            - --patch-mutating=false
            - --secret-name=ingress-nginx-admission
            - --patch-failure-policy=Fail
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
      restartPolicy: OnFailure
      serviceAccountName: ingress-nginx-admission
      securityContext:
        runAsNonRoot: true
        runAsUser: 2000

本文作者： MISAKIGA
本文链接： https://misakiga.github.io/2021/02/12/k8s/ubuntu1804/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！

Ubuntu18.04 搭建 k8s

Ubuntu基础配置

配置宿主机，不配置可能连不上外网

安装Docker docker安装官网

安装k8s (Kubernetes)

配置HAPoxy 和 keepalived

创建 Keepalived 启动脚本

通过资源配置运行容器

通过浏览器访问

集成环境部署

Ingress 统一访问入口