[Original] Binary deployment of k8s 1.18.3 (11)

Verify that it works correctly

# First create a busybox container to act as the client
[root@centos7-nginx ~]# kubectl create -f https://k8s.io/examples/admin/dns/busybox.yaml
# Resolve kubernetes
[root@centos7-nginx ~]# kubectl exec -it busybox -- nslookup kubernetes
Server:    10.96.0.10
Address 1: 10.96.0.10 kube-dns.kube-system.svc.cluster.local

Name:      kubernetes
Address 1: 10.96.0.1 kubernetes.default.svc.cluster.local
[root@centos7-nginx ~]#

3.15 Install metrics-server

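Project URL: https://github.com/kubernetes-sigs/metrics-server

Run the following command as described in the project's instructions. Adjust it to your own cluster first, for example the image address and the resource limits.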

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml

Download the file locally

[root@centos7-nginx scripts]# wget https://github.com/kubernetes-sigs/metrics-server/releases/download/v0.3.6/components.yaml

Changes: modify the image address, and add resource limits and the relevant command

apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
spec:
  template:
    spec:
      containers:
      - name: metrics-server
        image: registry.cn-beijing.aliyuncs.com/liyongjian5179/metrics-server-amd64:v0.3.6
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 400m
            memory: 512Mi
          requests:
            cpu: 50m
            memory: 50Mi
        command:
        - /metrics-server
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP

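Depending on your cluster setup, you may also need to change the flags passed to the Metrics Server container. The most useful flags:

--kubelet-preferred-address-types - The priority of node address types to use when determining which address to use to connect to a particular node (default [Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP])

--kubelet-insecure-tls - Do not verify the CA of the serving certificates presented by Kubelets. For testing purposes only.

--requestheader-client-ca-file - Specify a root certificate bundle for verifying client certificates on incoming requests.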
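A pre-apply check for the manifest edited above, as an added example that is not part of the original post or of the metrics-server project: it scans each YAML document for the two settings on this page that switch off TLS verification (`--kubelet-insecure-tls` and the APIService's `insecureSkipTLSVerify: true`) and for images referenced by tag instead of digest. The sample manifest is constructed from this page's snippets; the function name and finding ids are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of manifest pieces shown on this page.
SAMPLE_MANIFEST = """\
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  insecureSkipTLSVerify: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
spec:
  template:
    spec:
      containers:
      - name: metrics-server
        image: registry.cn-beijing.aliyuncs.com/liyongjian5179/metrics-server-amd64:v0.3.6
        command:
        - /metrics-server
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP
"""

# (finding id, pattern) pairs; the ids are names chosen for this example.
CHECKS = [
    ("kubelet-tls-not-verified", re.compile(r"^\s*-\s*--kubelet-insecure-tls(=true)?\s*$")),
    ("apiservice-tls-not-verified", re.compile(r"^\s*insecureSkipTLSVerify:\s*true\s*$")),
    ("image-not-pinned-by-digest", re.compile(r"^\s*(-\s*)?image:\s*(?!\S*@sha256:)\S+")),
]

def audit_manifest(text):
    """Return sorted (kind, finding) pairs for every YAML document in text."""
    findings = set()
    for doc in re.split(r"(?m)^---\s*$", text):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        for line in doc.splitlines():
            if line.lstrip().startswith("#"):
                continue  # ignore commented-out settings
            for name, pattern in CHECKS:
                if pattern.search(line):
                    findings.add((kind.group(1) if kind else "?", name))
    return sorted(findings)

if __name__ == "__main__":
    for kind, finding in audit_manifest(SAMPLE_MANIFEST):
        print(f"{kind}: {finding}")
```

The kubelet finding clears once metrics-server is given the kubelet serving CA through its `--kubelet-certificate-authority` flag instead of `--kubelet-insecure-tls`; the APIService finding clears once `caBundle` is set in place of `insecureSkipTLSVerify: true`.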

Apply the file

[root@centos7-nginx scripts]# kubectl apply -f components.yaml
clusterrole.rbac.authorization.k8s.io/system:aggregated-metrics-reader created
clusterrolebinding.rbac.authorization.k8s.io/metrics-server:system:auth-delegator created
rolebinding.rbac.authorization.k8s.io/metrics-server-auth-reader created
apiservice.apiregistration.k8s.io/v1beta1.metrics.k8s.io created
serviceaccount/metrics-server created
deployment.apps/metrics-server created
service/metrics-server created
clusterrole.rbac.authorization.k8s.io/system:metrics-server created
clusterrolebinding.rbac.authorization.k8s.io/system:metrics-server created

After waiting a while, you can view the results

[root@centos7-nginx scripts]# kubectl top nodes
NAME        CPU(cores)   CPU%   MEMORY(bytes)   MEMORY%
centos7-a   159m         15%    1069Mi          62%
centos7-b   158m         15%    1101Mi          64%
centos7-c   168m         16%    1153Mi          67%
centos7-d   48m          4%     657Mi           38%
centos7-e   45m          4%     440Mi           50%
[root@centos7-nginx scripts]# kubectl top pods -A
NAMESPACE     NAME                              CPU(cores)   MEMORY(bytes)
kube-system   coredns-6fdfb45d56-79jhl          5m           12Mi
kube-system   coredns-6fdfb45d56-pvnzt          3m           13Mi
kube-system   metrics-server-5f8fdf59b9-8chz8   1m           11Mi
kube-system   tiller-deploy-6b75d7dccd-r6sz2    2m           6Mi

The complete file contents are as follows

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:aggregated-metrics-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-server:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: metrics-server-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system
---
apiVersion: apiregistration.k8s.io/v1beta1
kind: APIService
metadata:
  name: v1beta1.metrics.k8s.io
spec:
  service:
    name: metrics-server
    namespace: kube-system
  group: metrics.k8s.io
  version: v1beta1
  insecureSkipTLSVerify: true
  groupPriorityMinimum: 100
  versionPriority: 100
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-server
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    k8s-app: metrics-server
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      name: metrics-server
      labels:
        k8s-app: metrics-server
    spec:
      serviceAccountName: metrics-server
      volumes:
      # mount in tmp so we can safely use from-scratch images and/or read-only containers
      - name: tmp-dir
        emptyDir: {}
      containers:
      - name: metrics-server
        image: registry.cn-beijing.aliyuncs.com/liyongjian5179/metrics-server-amd64:v0.3.6
        imagePullPolicy: IfNotPresent
        resources:
          limits:
            cpu: 400m
            memory: 512Mi
          requests:
            cpu: 50m
            memory: 50Mi
        command:
        - /metrics-server
        - --kubelet-insecure-tls
        - --kubelet-preferred-address-types=InternalIP
        args:
          - --cert-dir=/tmp
          - --secure-port=4443
        ports:
        - name: main-port
          containerPort: 4443
          protocol: TCP
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 1000
        volumeMounts:
        - name: tmp-dir
          mountPath: /tmp
      nodeSelector:
        kubernetes.io/os: linux
        kubernetes.io/arch: "amd64"
---
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    kubernetes.io/name: "Metrics-server"
    kubernetes.io/cluster-service: "true"
spec:
  selector:
    k8s-app: metrics-server
  ports:
  - port: 443
    protocol: TCP
    targetPort: main-port
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:metrics-server
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - nodes/stats
  - namespaces
  - configmaps
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:metrics-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:metrics-server
subjects:
- kind: ServiceAccount
  name: metrics-server
  namespace: kube-system

3.16 Install ingress

3.16.1 LB options

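For bare-metal servers:

You can choose NodePort or LoadBalancer; the default is NodePort.

In a cloud environment you can use a ready-made LB solution:

For example, an Alibaba Cloud internal load balancer can be requested through an annotation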

[...]
metadata:
  annotations:
    service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
[...]

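Options on bare-metal servers:

1) Pure software solution: MetalLB (https://metallb.universe.tf/)

The project was released at the end of 2017 and is currently in Beta.

MetalLB supports two announcement modes:

Layer 2 mode: ARP/NDP

BGP mode

Layer 2 mode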
