Revision compared: navody:vps:vpsadminos:kubernetes [2021/10/29 11:52] (section [Master], comment by euro) against navody:vps:vpsadminos:kubernetes [2023/07/31 19:32] (current, page removed by Aither). The text below is the removed revision.
====== Kubernetes on vpsAdminOS ======
<note important>
===== Prerequisites =====
  * The VPS must run on vpsAdminOS with kernel 5.9.10 or newer. At the time of writing this kernel is only available on the staging node (Brno).
  * The procedure was tested on a fresh minimal Ubuntu 20.04.
  * We use the latest vanilla Kubernetes.
  * For networking we use flannel with the host-gw backend and the internal network 10.244.0.0/
  * Kubernetes (the kubelet) wants to write into /sys and /proc. On vpsAdminOS the values are already correct for vpsAdminOS and the real files cannot be written from inside the VPS, so we only fake those files so that the kubelet can write into them itself. Its writes land in the fake files, not in the kernel; the kernel keeps the host's settings. We also create a small systemd service so that the fake files are mapped again on every boot.
  * **The installation script is the same for master and worker nodes**
===== Common procedure for master and worker nodes =====
Create install.sh in /
<code>
#!/bin/bash -x
# Docker CE from the upstream repository plus the classic iptables tooling
apt-get install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://
add-apt-repository "deb [arch=amd64] https://
apt-get update
apt-get install -y docker-ce iptables arptables ebtables

wget -q https://
chmod +x installer_linux
./
source /

# Switch the iptables tooling to the legacy backend (what kubeadm's install
# docs recommend on distributions whose iptables defaults to nftables)
update-alternatives --set iptables /
update-alternatives --set ip6tables /
update-alternatives --set arptables /
update-alternatives --set ebtables /
apt-get update &&
curl -s https://
cat <<EOF | tee /
deb https://
EOF

apt-get update
apt-get install -y kubelet kubeadm kubectl

mkdir -p /

# Script that bind-mounts writable fake copies over the sysctl files the
# kubelet wants to write, plus an empty directory over /sys/block.
# The kernel never sees these writes; only the kubelet does.
cat > /
#
cd /
echo 0 > panic
mount --bind panic /
echo 0 > panic_on_oops
mount --bind panic_on_oops /
echo 0 > overcommit_memory
mount --bind overcommit_memory /

mkdir block
mount -o bind block/ /sys/block/
mount --make-rshared /
EOF

chmod +x /

# Run the fake script before the kubelet on every boot. Type=oneshot makes
# Before=kubelet.service wait until the script has finished; with the default
# Type=simple the unit counts as started as soon as the process is forked,
# so the kubelet could race ahead of the bind mounts.
cat > /
[Unit]
Before=kubelet.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/

[Install]
WantedBy=default.target
EOF

chmod 644 /

systemctl daemon-reload
systemctl enable fake.service
systemctl start fake.service

# Docker daemon configuration (keys as in the original; the kubelet and
# the container runtime must agree on the cgroup driver)
cat > /
{
"
"
"
"
},
"
}
EOF

systemctl daemon-reload
systemctl restart docker

# Pre-pull the control-plane images so kubeadm init/join is faster
kubeadm config images pull
</code>

Run the installation and wait for the basic k8s installation to finish successfully:
<code>
chmod +x /
/
</code>

The installation is set up so that the system also works after a reboot, but it takes 3 to 5 minutes until all services are back up.

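The bind-mounted fakes are the part of this setup that silently breaks: if fake.service did not run, or ran after the kubelet, the kubelet's sysctl writes fail or land in the read-only originals. The script below is an added example (not part of the vpsAdminOS guide) that checks the three faked files before the kubelet starts and again once it is up. It assumes the kubelet's own startup values for those tunables (kernel.panic=10, kernel.panic_on_oops=1, vm.overcommit_memory=1), and takes the root directory as a parameter only so it can be exercised against a constructed tree; on a node it is run against /.

```sh
#!/bin/sh
# Added example, not part of the vpsAdminOS guide: checks for the faked
# /proc/sys files that fake.service bind-mounts before the kubelet starts.
# ROOT defaults to /, i.e. the real /proc/sys; it is a parameter only so the
# checks can be exercised against a constructed directory tree.

# The three tunables the guide fakes, paired with the values the kubelet writes
# at startup (kernel.panic=10, kernel.panic_on_oops=1, vm.overcommit_memory=1;
# these are the kubelet's built-in values, not something the guide configures).
TUNABLES="proc/sys/kernel/panic:10 proc/sys/kernel/panic_on_oops:1 proc/sys/vm/overcommit_memory:1"

# preflight ROOT: run after fake.service and before the kubelet. Every faked
# file must exist and accept a write; the write re-stores the current value,
# which is harmless for a real sysctl and is the same write the kubelet will do.
preflight() {
    root="${1:-/}"
    rc=0
    for entry in $TUNABLES; do
        path="$root/${entry%%:*}"
        if [ ! -f "$path" ]; then
            echo "MISSING  $path (fake.service did not run?)"; rc=1; continue
        fi
        cur=$(cat "$path" 2>/dev/null) || { echo "UNREADABLE $path"; rc=1; continue; }
        if ( printf '%s\n' "$cur" > "$path" ) 2>/dev/null; then
            echo "ok       $path=$cur"
        else
            echo "READONLY $path (the kubelet's sysctl writes will fail here)"; rc=1
        fi
    done
    return $rc
}

# postcheck ROOT: run once the kubelet is up. The faked files should now hold
# the values the kubelet wrote; a leftover 0 means the kubelet never managed to
# write them (for example fake.service ran after the kubelet, which then saw
# the read-only originals). The kernel keeps the host's values either way.
postcheck() {
    root="${1:-/}"
    rc=0
    for entry in $TUNABLES; do
        path="$root/${entry%%:*}"
        want="${entry##*:}"
        have=$(cat "$path" 2>/dev/null || echo unreadable)
        if [ "$have" = "$want" ]; then
            echo "ok       $path=$have"
        else
            echo "MISMATCH $path=$have (the kubelet sets $want)"; rc=1
        fi
    done
    return $rc
}

# Usage: sh k8s-sysctl-check.sh preflight   or   sh k8s-sysctl-check.sh postcheck
case "${1:-}" in
    preflight) preflight "${2:-/}" ;;
    postcheck) postcheck "${2:-/}" ;;
esac
```

Run `preflight` right after `systemctl start fake.service` and `postcheck` a few minutes after a reboot, when the kubelet has settled; a MISMATCH after reboot is the 3 to 5 minute startup window or the ordering problem the unit's Type=oneshot is meant to prevent.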
==== Master ====
The master has a few extra steps. First initialise Kubernetes, then add the network.
<code>
kubeadm init --pod-network-cidr=10.244.0.0/

# The kubeconfig copied here is a cluster-admin credential; protect it like root's password
mkdir -p $HOME/.kube
cp -i /
chown $(id -u):$(id -g) $HOME/

wget https://
sed -i '
kubectl apply -f kube-flannel.yml
</code>

Watch the deployment and wait until everything is in the Running state with the full ready count:
<code>
kubectl get pods --all-namespaces
</code>

The result should look roughly like this:
<code>
# kubectl --namespace=kube-system get pods
NAME
coredns-f9fd979d6-f9v99
coredns-f9fd979d6-v7w2x
etcd-vps3
kube-apiserver-vps3
kube-controller-manager-vps3
kube-flannel-ds-zbc47
kube-proxy-7zvc5
kube-scheduler-vps3
</code>

=== Master as worker ===
If the master node should also serve as a worker, remove the control-plane taint so regular pods get scheduled on it:
<code>
kubectl taint nodes --all node-role.kubernetes.io/
</code>
- | |||
==== Worker ====
First obtain a token on the master node for adding another node to the cluster. This gives us a command that is simply copy-pasted on the worker node:
<code>
kubeadm token create --print-join-command

# Sample output of kubeadm token create --print-join-command
kubeadm join 37.205.14.241:
</code>

The printed line carries a bootstrap token (valid for 24 hours by default) and the hash of the cluster CA certificate. Treat it as a secret and pass it only to the node being joined, and keep the hash in the command: it is what lets the worker verify it is talking to the right API server.

On the master node we can watch the node status:
<code>
# kubectl get nodes
NAME
vps3
vps4
</code>

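The join line is usually pasted through a chat or a ticket, so it is worth checking what arrived before running it. The script below is an added example (not part of the vpsAdminOS guide): it takes a `kubeadm token create --print-join-command` line apart, checks that the token has the bootstrap-token shape and that the CA discovery hash is present and well formed, and recomputes that hash from the master's CA certificate so the two can be compared. The sample line is constructed (documentation address 203.0.113.10, made-up token and hash); the `ca_hash` recipe is the one from the kubeadm documentation and needs openssl and the master's ca.crt, so it is not part of the offline check.

```sh
#!/bin/sh
# Added example, not part of the vpsAdminOS guide: take a
# `kubeadm token create --print-join-command` line apart and check the two
# secrets in it before the line is pasted on a worker. The sample line is
# constructed (documentation address 203.0.113.10, made-up token and hash).

SAMPLE_JOIN='kubeadm join 203.0.113.10:6443 --token abcdef.0123456789abcdef --discovery-token-ca-cert-hash sha256:0f3b6e2c8d1a4b7e9c5d2f8a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c'

# join_endpoint LINE: the API server host:port right after "kubeadm join".
join_endpoint() {
    printf '%s\n' "$1" | sed -n 's/^kubeadm join \([^ ]*\).*/\1/p'
}

# join_field LINE FLAG: the value following FLAG (e.g. --token) on the line.
join_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2[ =]\([^ ]*\).*/\1/p"
}

# check_join LINE: 0 when the token has the bootstrap-token shape
# <6 chars>.<16 chars> (the first part is the token id, which the cluster
# stores; the second is the secret) and the discovery hash is
# sha256:<64 hex digits>. Without the hash a joining node would trust
# whatever answers on the endpoint.
check_join() {
    ep=$(join_endpoint "$1")
    tok=$(join_field "$1" --token)
    hash=$(join_field "$1" --discovery-token-ca-cert-hash)
    rc=0
    [ -n "$ep" ] || { echo "no API endpoint in join line"; rc=1; }
    if printf '%s\n' "$tok" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'; then
        echo "token id ${tok%%.*} (secret part withheld)"
    else
        echo "malformed or missing --token"; rc=1
    fi
    if printf '%s\n' "$hash" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo "discovery hash present: $hash"
    else
        echo "malformed or missing --discovery-token-ca-cert-hash"; rc=1
    fi
    return $rc
}

# ca_hash CERT: the hash kubeadm puts in the join line, recomputed from the
# cluster CA (default /etc/kubernetes/pki/ca.crt on the master). Compare
# "sha256:$(ca_hash)" with the hash in a join line received out of band.
ca_hash() {
    openssl x509 -pubkey -in "${1:-/etc/kubernetes/pki/ca.crt}" \
      | openssl rsa -pubin -outform der 2>/dev/null \
      | openssl dgst -sha256 -hex | sed 's/^.* //'
}

# Usage: sh join-check.sh 'kubeadm join ...'   (prints findings, exit 1 on a problem)
case $# in
    1) check_join "$1" ;;
esac
```

The token id (the part before the dot) is safe to quote in a ticket, which is why the check prints only that; `kubeadm token list` on the master shows the same id and its expiry, so a stale or unexpected token can be deleted with `kubeadm token delete` before it is ever used.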
==== Post-deploy setup ====
=== Installing the load balancer ===
strictARP has to be set to true in the kube-proxy configuration (this is required when kube-proxy runs in IPVS mode), see https://
<code>
kubectl edit configmap -n kube-system kube-proxy

kubectl apply -f https://
kubectl apply -f https://
</code>

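`kubectl edit` is an interactive step that is easy to get wrong in a script. The example below is added here (it is neither the guide's nor MetalLB's code) and shows the same change done non-interactively, with the check that decides whether it is needed at all: strictARP only matters when kube-proxy runs in IPVS mode, and in the default iptables mode (mode: "") nothing has to change. The two functions take the ConfigMap YAML as an argument so they run without a cluster; the YAML excerpts are constructed and shorter than a real kube-proxy ConfigMap.

```sh
#!/bin/sh
# Added example, not part of the guide or of MetalLB: decide whether the
# strictARP change is needed and apply it non-interactively instead of
# hand-editing the ConfigMap. strictARP only matters when kube-proxy runs in
# IPVS mode; with the default iptables mode (mode: "") nothing has to change.

# Constructed excerpt of a kube-proxy ConfigMap as `kubectl get configmap
# kube-proxy -n kube-system -o yaml` prints it (real ones carry more fields).
SAMPLE_IPVS_CM='apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-proxy
  namespace: kube-system
data:
  config.conf: |-
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    ipvs:
      strictARP: false
    mode: ipvs'

# The same ConfigMap with kube-proxy left in its default (iptables) mode.
SAMPLE_IPTABLES_CM=$(printf '%s\n' "$SAMPLE_IPVS_CM" | sed 's/^    mode: ipvs$/    mode: ""/')

# kube_proxy_mode YAML: "ipvs", "iptables", or "" (empty means the default, iptables).
kube_proxy_mode() {
    printf '%s\n' "$1" | sed -n 's/^ *mode: *"*\([a-z]*\)"*.*$/\1/p' | head -n 1
}

# arp_status YAML: prints a verdict; returns 1 only when a change is required.
arp_status() {
    mode=$(kube_proxy_mode "$1")
    case "$mode" in
        ipvs)
            if printf '%s\n' "$1" | grep -q '^ *strictARP: true'; then
                echo "ipvs mode, strictARP already true"; return 0
            fi
            echo "ipvs mode, strictARP false: MetalLB layer2 needs strictARP enabled"; return 1 ;;
        ''|iptables)
            echo "iptables mode (mode: \"$mode\"), strictARP not applicable"; return 0 ;;
        *)
            echo "unknown kube-proxy mode '$mode'"; return 1 ;;
    esac
}

# set_strict_arp YAML: the same YAML with strictARP: false flipped to true,
# everything else untouched, ready to be piped into kubectl apply.
set_strict_arp() {
    printf '%s\n' "$1" | sed 's/strictARP: false/strictARP: true/'
}
```

With a cluster at hand the two functions chain as `cm=$(kubectl get configmap kube-proxy -n kube-system -o yaml); arp_status "$cm" || set_strict_arp "$cm" | kubectl apply -f - -n kube-system`. kube-proxy reads its configuration at startup, so after the apply restart its pods (`kubectl rollout restart daemonset kube-proxy -n kube-system`) before installing MetalLB.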
Config for the load balancer (a layer2 pool; the addresses listed here are handed out to Services of type LoadBalancer)

<code>
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: default
      protocol: layer2
      addresses:
      - 37.205.x.x/
</code>
- | |||
=== Ingress ===
For the ingress, the controller service that is supposed to receive the external address has to be changed from NodePort to LoadBalancer, so that MetalLB assigns it an address from the pool above:

<code>
kubectl apply -f https://
kubectl edit service -n ingress-nginx ingress-nginx-controller
# edit type: NodePort -> type: LoadBalancer
</code>
- | |||
=== Cert manager ===
For automatic certificate issuance
<code>
kubectl apply -f https://
</code>

Then create an issuer. A ClusterIssuer is cluster-scoped, so it carries no namespace; the ACME account private key is stored in the Secret named by privateKeySecretRef in the cert-manager namespace:
<code>
# cert-manager v1 API group (the apiVersion line is required)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://
    # Email address used for ACME registration
    email: email@email.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
</code>
- | |||
=== Dashboard ===
For testing we can install, for example, the dashboard.

<code>
kubectl apply -f https://
</code>

Additional role + ingress for the dashboard. The binding below grants the dashboard's admin-user service account the built-in cluster-admin role, i.e. unrestricted control of the cluster to anyone who obtains that account's token. That is acceptable for the test deployment this section describes; for anything longer-lived bind a narrower role instead (the built-in view ClusterRole for read-only access).
<code>
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: rbac.authorization.k8s.io/
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
---
apiVersion: networking.k8s.io/
kind: Ingress
metadata:
  name: dashboard
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/
    cert-manager.io/
    nginx.ingress.kubernetes.io/
spec:
  tls:
  - hosts:
    - k8s.domain.tld
    secretName: k8s.domain.tld
  rules:
  - host: k8s.domain.tld
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: kubernetes-dashboard
            port:
              number: 443
</code>