### 3.18 Prepare the admin certificate for remote kubectl

```bash
[root@centos7-nginx scripts]# cd ssl/
[root@centos7-nginx ssl]# cat admin.kubeconfig > ~/.kube/config
[root@centos7-nginx ssl]# vim ~/.kube/config
[root@centos7-nginx ssl]# kubectl get cs
NAME                 STATUS    MESSAGE             ERROR
scheduler            Healthy   ok
controller-manager   Healthy   ok
etcd-2               Healthy   {"health":"true"}
etcd-0               Healthy   {"health":"true"}
etcd-1               Healthy   {"health":"true"}
```

### 3.19 Label the nodes with roles

After a default install, the ROLES column shows `<none>`:
```bash
[root@centos7-nginx ~]# kubectl get nodes
NAME        STATUS   ROLES    AGE   VERSION
centos7-a   Ready    <none>   32h   v1.18.3
centos7-b   Ready    <none>   32h   v1.18.3
centos7-c   Ready    <none>   32h   v1.18.3
centos7-d   Ready    <none>   21m   v1.18.3
centos7-e   Ready    <none>   20m   v1.18.3
```

Run the following commands:
```bash
[root@centos7-nginx ~]# kubectl label nodes centos7-a node-role.kubernetes.io/master=
node/centos7-a labeled
[root@centos7-nginx ~]# kubectl label nodes centos7-b node-role.kubernetes.io/master=
node/centos7-b labeled
[root@centos7-nginx ~]# kubectl label nodes centos7-c node-role.kubernetes.io/master=
node/centos7-c labeled
[root@centos7-nginx ~]# kubectl label nodes centos7-d node-role.kubernetes.io/node=
node/centos7-d labeled
[root@centos7-nginx ~]# kubectl label nodes centos7-e node-role.kubernetes.io/node=
node/centos7-e labeled
```

Check again:
```bash
[root@centos7-nginx ~]# kubectl get nodes
NAME        STATUS   ROLES    AGE   VERSION
centos7-a   Ready    master   32h   v1.18.3
centos7-b   Ready    master   32h   v1.18.3
centos7-c   Ready    master   32h   v1.18.3
centos7-d   Ready    node     23m   v1.18.3
centos7-e   Ready    node     22m   v1.18.3
```

### 3.20 Test performing maintenance on a node

Evict the pods and make the node unschedulable:
```bash
[root@centos7-nginx scripts]# kubectl drain centos7-d --ignore-daemonsets=true --delete-local-data=true --force=true
node/centos7-d cordoned
evicting pod kube-system/coredns-6fdfb45d56-pvnzt
pod/coredns-6fdfb45d56-pvnzt evicted
node/centos7-d evicted
[root@centos7-nginx scripts]# kubectl get nodes
NAME        STATUS                     ROLES    AGE   VERSION
centos7-a   Ready                      master   47h   v1.18.3
centos7-b   Ready                      master   47h   v1.18.3
centos7-c   Ready                      master   47h   v1.18.3
centos7-d   Ready,SchedulingDisabled   node     15h   v1.18.3
centos7-e   Ready                      node     15h   v1.18.3
```

Make the node schedulable again:
```bash
[root@centos7-nginx scripts]# kubectl uncordon centos7-d
node/centos7-d uncordoned
[root@centos7-nginx scripts]# kubectl get nodes
NAME        STATUS   ROLES    AGE   VERSION
centos7-a   Ready    master   47h   v1.18.3
centos7-b   Ready    master   47h   v1.18.3
centos7-c   Ready    master   47h   v1.18.3
centos7-d   Ready    node     15h   v1.18.3
centos7-e   Ready    node     15h   v1.18.3
```

### 3.21 Keep pods off the master nodes

It is best not to use master nodes as worker nodes, and doing so is not recommended. In this cluster, the taint `node-role.kubernetes.io/master=:NoSchedule` has to be applied to the masters to achieve this:
```bash
[root@centos7-nginx scripts]# kubectl taint nodes centos7-a node-role.kubernetes.io/master=:NoSchedule
node/centos7-a tainted
[root@centos7-nginx scripts]# kubectl taint nodes centos7-b node-role.kubernetes.io/master=:NoSchedule
node/centos7-b tainted
[root@centos7-nginx scripts]# kubectl taint nodes centos7-c node-role.kubernetes.io/master=:NoSchedule
node/centos7-c tainted
```

Deploy an nginx Deployment to verify:
```bash
# Create a deployment
[root@centos7-nginx scripts]# kubectl create deployment nginx-dns --image=nginx
deployment.apps/nginx-dns created
# Change the replica count to 3
[root@centos7-nginx scripts]# kubectl patch deployment nginx-dns -p '{"spec":{"replicas":3}}'
deployment.apps/nginx-dns patched
# Check where the pods were placed
[root@centos7-nginx scripts]# kubectl get pods -o wide
NAME                         READY   STATUS              RESTARTS   AGE    IP             NODE        NOMINATED NODE   READINESS GATES
busybox                      1/1     Running             0          14m    10.244.3.113   centos7-d   <none>           <none>
nginx-dns-5c6b6b99df-6k4qv   1/1     Running             0          2m8s   10.244.3.116   centos7-d   <none>           <none>
nginx-dns-5c6b6b99df-88lcr   0/1     ContainerCreating   0          6s     <none>         centos7-d   <none>           <none>
nginx-dns-5c6b6b99df-c2nnc   0/1     ContainerCreating   0          6s     <none>         centos7-e   <none>           <none>
```

If you need to use a master as a node:
```bash
kubectl taint nodes centos7-a node-role.kubernetes.io/master-
```

## 4 FAQ

### 4.1 Fixing the inability to query pod logs

```bash
[root@centos7-b cfg]# kubectl exec -it nginx -- bash
error: unable to upgrade connection: Forbidden (user=kubernetes, verb=create, resource=nodes, subresource=proxy)
[root@centos7-b cfg]# kubectl logs -f nginx
Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log nginx)
```

```bash
$ vim ~/yaml/apiserver-to-kubelet-rbac.yml
```

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kubelet-api-admin
subjects:
- kind: User
  name: kubernetes
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: system:kubelet-api-admin
  apiGroup: rbac.authorization.k8s.io
```

```bash
# Apply
$ kubectl apply -f ~/yaml/apiserver-to-kubelet-rbac.yml

[root@centos7-a ~]# kubectl logs -f nginx
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.244.2.1 - - [17/Jun/2020:02:45:59 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
10.244.2.1 - - [17/Jun/2020:02:46:09 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"
10.244.2.1 - - [17/Jun/2020:02:46:12 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0" "-"
10.244.2.1 - - [17/Jun/2020:02:46:13 +0000] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.29.0" "-"
```
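The binding in 4.1 gives the user `kubernetes` (the name the kubelet reports for the API server in the Forbidden errors) the `system:kubelet-api-admin` role, which allows full access to the kubelet API on every node. As an added example (not part of the original post), this Python script lists every subject that reaches `nodes/proxy` through any ClusterRole and flags those outside an expected set. The `EXPECTED` allowlist, the helper names and the sample roles and bindings (`debug-nodes`, `ci-bot`, `view-nodes`, `node-viewers`) are constructed for illustration.

```python
EXPECTED = {("User", "kubernetes"), ("Group", "system:masters")}  # assumed allowlist

def make_role(name, groups, resources):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": groups, "resources": resources, "verbs": ["*"]}]}

def make_binding(name, role, subject):
    return {"kind": "ClusterRoleBinding", "metadata": {"name": name},
            "roleRef": {"kind": "ClusterRole", "name": role}, "subjects": [subject]}

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`.
SAMPLE = {"kind": "List", "items": [
    make_role("system:kubelet-api-admin", [""], ["nodes/proxy", "nodes/log"]),
    make_role("cluster-admin", ["*"], ["*"]),
    make_role("view-nodes", [""], ["nodes"]),
    make_binding("kubelet-api-admin", "system:kubelet-api-admin", {"kind": "User", "name": "kubernetes"}),
    make_binding("cluster-admin", "cluster-admin", {"kind": "Group", "name": "system:masters"}),
    make_binding("debug-nodes", "system:kubelet-api-admin",
                 {"kind": "ServiceAccount", "name": "ci-bot", "namespace": "default"}),
    make_binding("node-viewers", "view-nodes", {"kind": "Group", "name": "system:authenticated"}),
]}

def grants_node_proxy(role):
    """True if any rule covers nodes/proxy in the core API group (any verb)."""
    return any({"", "*"} & set(r.get("apiGroups", []))
               and {"nodes/proxy", "*/proxy", "*"} & set(r.get("resources", []))
               for r in role.get("rules") or [])

def kubelet_api_subjects(doc):
    """(binding, kind, name) for each subject bound to a role granting nodes/proxy."""
    items = doc.get("items", [])
    roles = {i["metadata"]["name"] for i in items
             if i["kind"] == "ClusterRole" and grants_node_proxy(i)}
    out = []
    for b in items:
        if b["kind"] == "ClusterRoleBinding" and b["roleRef"]["name"] in roles:
            for s in b.get("subjects") or []:
                name = f"{s['namespace']}/{s['name']}" if "namespace" in s else s["name"]
                out.append((b["metadata"]["name"], s["kind"], name))
    return out

def unexpected(found, expected=EXPECTED):
    return [f for f in found if (f[1], f[2]) not in expected]

if __name__ == "__main__":
    import json, sys  # optional argument: a file holding saved kubectl JSON output
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for binding, kind, name in unexpected(kubelet_api_subjects(doc)):
        print(f"review: {kind} {name} reaches the kubelet API via {binding}")
```

Only ClusterRoleBindings are inspected because `nodes` is a cluster-scoped resource, so a namespaced RoleBinding cannot grant `nodes/proxy`.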