Centos7二进制部署k8s-v1.20.2 ipvs版本(部署rancher-v2.5.9)

一、部署rancher
官网上用helm部署ha的方案测试验证了多次, 均有问题,最简单的k8s部署rancher方案:

vim rancher.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
  - nodes/metrics
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cattle
  namespace: cattle-system

---
apiVersion: rbac.authorization.k8s.io/v1 
kind: ClusterRoleBinding
metadata:
  name: cattle-admin-binding
  namespace: cattle-system
  labels:
    cattle.io/creator: "norman"
subjects:
- kind: ServiceAccount
  name: cattle
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cattle-admin
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: Secret
metadata:
  name: cattle-credentials-2d27727
  namespace: cattle-system
type: Opaque
data:
  url: "aHR0cHM6Ly8xMC4xOC4zMi4yNTozMDQ0Mw=="
  token: "ZnZyc2JkN2JmdGJ4dmhncWNqbDRyamd4dGg0Z2tiZjljZHh4cXZ4aHB4ejVieGNkbnZoenBw"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-admin
  labels:
    cattle.io/creator: "norman"
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
kind: Deployment
apiVersion: apps/v1

metadata:
  name: rancher
  namespace: cattle-system
  labels:
    app: rancher
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: rancher
  template:
    metadata:
      labels:
        app: rancher
    spec:
      containers:
      - name: rancher
        image: rancher/rancher:stable
        imagePullPolicy: Always
        env:
        - name: AUDIT_LEVEL
          value: "3"
        - name: CATTLE_SYSTEM_CATALOG
          value: "bundled"
        ports:
        - containerPort: 80
          name: http
        - containerPort: 443
          name: https
        readinessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 20
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 600
          periodSeconds: 20
      serviceAccountName: cattle
---
apiVersion: v1
kind: Service
metadata:
  name: rancher
  namespace: cattle-system
spec:
  ports:
    - port: 80
      name: http
      protocol: TCP
      nodePort: 30080
    - port: 443
      name: https
      protocol: TCP
      nodePort: 30443
  sessionAffinity: ClientIP
  externalTrafficPolicy: Cluster
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  type: NodePort
  selector:
    app: rancher

#执行创建
kubectl apply -f rancher.yaml

简单描述过程:
1.创建cattle-system 命名空间
2.创建一个cattle-admin用户授权从请求kube-api服务器, 然后返回etcd里的key value(群集的相关信息, node节点啊, 节点状态啊什么的).
3.创建授权机制, rancher分配权限给普通用户.(type: Opaque)
4.部署rancher(20秒检查80端口就绪, 懒得写了, 443也就没写检查. 不过80端口都起不来, 443端口凭什么起得来?)使用的serviceaccount是cattle这个sa不理解的可以自己去试试kubectl get sa -n kube-system
5.创建rancher的服务30080/30443 nodeport, 这里设置了externalTrafficPolicy: Cluster, 保证所有节点(包括master 都会启动这两个端口, 这样不怕rancher pod迁移.)从任意一个节点的30080端口会自动跳转到rancher部署的node节点对应的30080端口. 再从30080端口url rewrite到30443端口.
6. kubectl apply -f rancher.yaml && kubectl get pod -n cattle-system -w 等待名为rancher的pod就绪.
7. 打开浏览器建议firefox, google的浏览器安全很麻烦. 自签名证书可能出现未知问题.

© 版权声明
THE END
喜欢就支持一下吧
点赞6 分享
评论 抢沙发
头像
欢迎您留下宝贵的见解!
提交
头像

昵称

取消
昵称表情代码图片