
防火墙状态与关闭

# Check firewalld, then stop it and keep it off across reboots.
# NOTE(review): this removes all host-level packet filtering on the node.
# The less drastic alternative is to keep firewalld and open only the ports
# kubeadm and Calico need (API server 6443, kubelet 10250, etcd 2379-2380,
# the NodePort range 30000-32767, plus the CNI's own ports) — confirm the
# exact list against the kubeadm docs for the version you install.
[root@localhost ~]# systemctl status firewalld.service 
[root@localhost ~]# systemctl stop firewalld.service
[root@localhost ~]# systemctl disable firewalld.service

SELinux永久关闭or禁用

# Edit the persistent SELinux configuration (sudo is redundant here — the
# prompt shows a root shell already).
[root@localhost ~]# sudo nano /etc/selinux/config

把里面内容改为:

# Persistent setting, read at boot (takes effect only after a reboot).
# NOTE(review): "disabled" unloads SELinux entirely; the alternative shown
# next (setenforce 0 + SELINUX=permissive) keeps it loaded and logging
# denials to the audit log, which is what the kubeadm install docs describe.
# Pick one — the two are not equivalent.
SELINUX=disabled

或者使用下面禁用方法

# Switch SELinux to permissive immediately (no reboot). This alone does not
# survive a reboot; the sed below makes it persistent.
[root@localhost ~]# sudo setenforce 0
# Permissive mode means SELinux still logs policy violations but no longer blocks them.
# The pattern only rewrites an exact "SELINUX=enforcing" line, so if the file
# already says "disabled" nothing changes — verify afterwards with
# `grep ^SELINUX= /etc/selinux/config`.
[root@localhost ~]# sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

swap禁用

先把swap禁用

# Show memory/swap, disable every active swap device, show again (Swap
# should read 0B). kubelet by default refuses to start while swap is on,
# which is why this is done before installing it.
[root@localhost ~]# free -h
total used free shared buff/cache available
Mem: 3.7G 712M 2.3G 25M 697M 2.7G
Swap: 3.9G 0B 3.9G
[root@localhost ~]# swapoff -a
[root@localhost ~]# free -h
total used free shared buff/cache available
Mem: 3.7G 708M 2.3G 25M 697M 2.7G
Swap: 0B 0B 0B

永久禁止swap启用

下面sed那个语句就是注释含有swap的配置行

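# Comment out the swap entry in /etc/fstab so swap is not re-enabled at boot.
# The original pattern (s/.*swap.*/#&/) commented out *any* line containing
# the substring "swap" — including lines that are already comments (turning
# them into "##…") and mount points whose path merely contains "swap". This
# version only touches uncommented lines that have the word "swap" as a
# whitespace-delimited field (the fstype / mount-point column).
[root@localhost ~]# sed -ri '/^[^#].*[[:space:]]swap[[:space:]]/s/^/#/' /etc/fstab

# Verify: the swap line is the only one that gained a leading "#".
[root@localhost ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Thu May 30 04:10:42 2024
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root / xfs defaults 0 0
UUID=f6071794-cb7e-4882-ab44-ecddae691138 /boot xfs defaults 0 0
/dev/mapper/centos-home /home xfs defaults 0 0
#/dev/mapper/centos-swap swap swap defaults 0 0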

换源

更换软件源

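# Replace the CentOS base repo definition with the Aliyun mirror (fetched
# over HTTPS). Keep a copy of the original first: wget -O truncates the
# target before the download starts, so a failed fetch would otherwise leave
# an empty repo file with no way back.
[root@localhost ~]# cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
[root@localhost ~]#  wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo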

然后更新

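# Refresh metadata from the new mirror and upgrade everything installed.
# `yum upgrade` is `yum update` with obsoletes processing (enabled by
# default in yum.conf), so the original `yum update -y && yum upgrade -y`
# ran the same operation twice; one call is enough.
[root@localhost ~]# yum upgrade -y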

更换docker软件源

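# Install yum-config-manager, then add the Docker CE repo from the Aliyun
# mirror. The repo file is fetched over HTTPS: it defines the baseurl and
# gpgkey for everything later installed from it, so retrieving it over plain
# HTTP (as the original did) would let an on-path attacker substitute both
# and defeat package signature checking.
[root@localhost ~]#  sudo yum install -y yum-utils
[root@localhost ~]# sudo yum-config-manager \
--add-repo \
https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo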

安装指定docker

# Install pinned Docker Engine / CLI / containerd versions so every node ends
# up with identical binaries. NOTE(review): these are fixed, old releases;
# check for newer patch versions of the same series (and their security
# fixes) before using this anywhere internet-facing.
yum install -y docker-ce-20.10.7 docker-ce-cli-20.10.7  containerd.io-1.4.6

docker配置

服务设置

设置重启docker和开机自启docker

# Restart the daemon, then enable it at boot. `enable --now` also starts the
# unit if it is not running, so the restart on the first line is only useful
# after a config change (daemon.json is written and Docker restarted again
# in the next step anyway).
[root@localhost ~]#  systemctl restart docker.service
[root@localhost ~]# systemctl enable docker --now

Docker 镜像加速器配置(标题写的是阿里云,但下面示例实际填的是中科大 USTC 的镜像地址,二者任选其一即可)

# Docker daemon config with a registry mirror (the heading says Aliyun, but
# the URL used here is USTC's mirror — either works). The quoted 'EOF' keeps
# the shell from expanding anything inside the JSON.
# NOTE(review): kubeadm warns when Docker's cgroup driver (cgroupfs by
# default) differs from kubelet's; the kubeadm docs suggest adding
# "exec-opts": ["native.cgroupdriver=systemd"] to this file — confirm against
# the warnings `kubeadm init` prints on your version.
[root@localhost ~]#  sudo mkdir -p /etc/docker
[root@localhost ~]# sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
EOF
# Reload unit files and restart Docker so daemon.json takes effect.
[root@localhost ~]# sudo systemctl daemon-reload
[root@localhost ~]# sudo systemctl restart docker

安装k8s

添加k8s软件源

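# Add the Kubernetes yum repo from the Aliyun mirror. Compared with the
# original: URLs use HTTPS and package signatures are verified (gpgcheck=1),
# so neither a tampered mirror nor an on-path attacker can hand out modified
# kubelet/kubeadm/kubectl RPMs. repo_gpgcheck=1 additionally verifies the
# repository metadata; if the mirror's repomd.xml signature does not verify
# on your side, set repo_gpgcheck=0 but keep gpgcheck=1. The "exclude" line
# stops a plain `yum update` from silently moving the cluster to a newer
# Kubernetes version (installs pass --disableexcludes=kubernetes).
# The trailing "\" on the gpgkey line is a heredoc line continuation, so both
# key URLs end up on one line separated by a space.
[root@localhost ~]# cat <<EOF | sudo tee /etc/yum.repos.d/kubernetes.repo
> [kubernetes]
> name=Kubernetes
> baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64
> enabled=1
> gpgcheck=1
> repo_gpgcheck=1
> gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg \
> https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
> exclude=kubelet kubeadm kubectl
> EOF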

k8s服务安装和设置

# Install pinned 1.20.9 packages; --disableexcludes is required because the
# repo file above excludes these three from normal yum operations.
[root@localhost ~]# sudo yum install -y kubelet-1.20.9 kubeadm-1.20.9 kubectl-1.20.9 --disableexcludes=kubernetes

# Start kubelet now and at boot. Until `kubeadm init` / `kubeadm join` writes
# its config it will keep restarting — the kubeadm docs note this is expected.
[root@localhost ~]# sudo systemctl enable --now kubelet

克隆

master

# Name this machine "master" — the same name is used below as
# --control-plane-endpoint and in the join command.
[root@localhost ~]# hostnamectl set-hostname master
# Static resolution for the control-plane endpoint. >> appends, so running
# this twice leaves a duplicate line — check /etc/hosts before re-running.
echo "192.168.15.128  master" >> /etc/hosts

nodex

# Give each worker a unique hostname (node1, node2, …); kubeadm registers the
# node under this name and duplicate names collide in the cluster.
[root@localhost ~]# hostnamectl set-hostname node1

。。。

# Every worker must resolve "master" to the control plane's IP for the
# `kubeadm join master:6443` step. >> appends — avoid duplicates on re-runs.
echo "192.168.15.128  master" >> /etc/hosts

。。。

主节点初始化

master

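# Initialise the control plane.
#   --apiserver-advertise-address  IP the API server advertises (this host).
#   --control-plane-endpoint       stable name for the API server, resolved
#                                  via the /etc/hosts entry added above and
#                                  embedded in the printed `kubeadm join`.
#   --image-repository             control-plane images are pulled from a
#                                  third-party Aliyun namespace instead of
#                                  the default registry. NOTE(review): this
#                                  trusts whoever maintains that namespace;
#                                  pin by digest or use an official mirror
#                                  where possible.
#   --kubernetes-version           must match the kubelet/kubeadm installed.
#   --service-cidr                 ClusterIP range.
#   --pod-network-cidr             Pod range. The original value
#                                  192.16.0.0/16 is not private (RFC 1918)
#                                  space, and the pod IP seen later in this
#                                  page (192.168.169.136) appears to come
#                                  from Calico's built-in default pool
#                                  192.168.0.0/16 — which overlaps the node
#                                  LAN 192.168.15.0/24. Use a private range
#                                  that overlaps neither the LAN nor the
#                                  service CIDR, and set CALICO_IPV4POOL_CIDR
#                                  in calico.yaml to the same value before
#                                  applying it.
kubeadm init \
--apiserver-advertise-address=192.168.15.128 \
--control-plane-endpoint=master \
--image-repository registry.cn-hangzhou.aliyuncs.com/lfy_k8s_images \
--kubernetes-version v1.20.9 \
--service-cidr=10.96.0.0/16 \
--pod-network-cidr=10.244.0.0/16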

得到

# Printed by `kubeadm init`. The first three lines set up kubectl for the
# current user. The `kubeadm join` line is a credential: the bootstrap token
# lets a machine join the cluster (it expires — 24h by default) and the
# CA-cert hash pins which API server the joining node will trust. Keep the
# token out of shared notes and revoke it with `kubeadm token delete` once
# all workers are in.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

kubeadm join master:6443 --token x80x7w.zdjqhivr1jopdk2i \
--discovery-token-ca-cert-hash sha256:9e35229e76fd4c97e062fa4ddccb22bab93973ecb67cdaf073b7d3beab561ff0

但是先执行,剩下那个是给node节点的

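# Make kubectl work as the current user. admin.conf is the kubeconfig kubeadm
# generates with cluster-admin-level credentials, so the copy deserves the
# same protection as a root password: owned by you and readable by nobody
# else (the chmod is the addition over the printed instructions). cp -i asks
# before overwriting an existing config. Expansions are quoted so a $HOME
# containing spaces does not break the commands.
mkdir -p "$HOME/.kube"
sudo cp -i /etc/kubernetes/admin.conf "$HOME/.kube/config"
sudo chown "$(id -u):$(id -g)" "$HOME/.kube/config"
chmod 600 "$HOME/.kube/config"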

下载网络组件

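# Fetch the Calico 3.20 manifest. -f makes curl fail instead of saving an
# HTTP error page under the name calico.yaml; -L follows redirects, which a
# bare -O would otherwise save as the file body; -O keeps the remote name.
# Before applying, set CALICO_IPV4POOL_CIDR in the file to the value given
# to `kubeadm init --pod-network-cidr`, and read through what you are about
# to apply with cluster-wide privileges.
[root@master ~]# curl -fLO https://docs.projectcalico.org/v3.20/manifests/calico.yaml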

应用网络组件

# Apply the CNI. NOTE(review): with CALICO_IPV4POOL_CIDR left commented out in
# the manifest, Calico uses its built-in default pool (192.168.0.0/16)
# regardless of the --pod-network-cidr given to kubeadm — consistent with the
# pod IP 192.168.169.136 seen further down, and overlapping this lab's
# 192.168.15.0/24 node network. Edit the manifest so the pool matches the
# kubeadm value before applying.
[root@master ~]# kubectl apply -f calico.yaml 

查看集群部署了哪些应用

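# Which workloads are running in the cluster?
# Rough analogy: `docker ps` on one host  ~  `kubectl get pods -A` cluster-wide.
# (The original had that comparison as a bare, non-executable line; it is a
# comment now.) Docker calls a running unit a container; Kubernetes calls it
# a Pod, which may hold several containers.
kubectl get pods -A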

node

子节点加入master

# Run on each worker. The token authenticates this node to the API server;
# the sha256 hash pins the cluster CA so the node cannot be tricked into
# joining an impostor answering at "master:6443" (resolved via /etc/hosts).
# This token/hash pair is the one `kubeadm init` printed — it expires (24h
# by default) and can be regenerated with
# `kubeadm token create --print-join-command`.
kubeadm join master:6443 --token x80x7w.zdjqhivr1jopdk2i \
--discovery-token-ca-cert-hash sha256:9e35229e76fd4c97e062fa4ddccb22bab93973ecb67cdaf073b7d3beab561ff0

验证集群

# Expected result once both workers have joined and Calico is running: every
# node Ready, workers with no role label, all on the same kubelet version.
[root@master ~]# kubectl get nodes
NAME STATUS ROLES AGE VERSION
master Ready control-plane,master 79m v1.20.9
node1 Ready <none> 23m v1.20.9
node2 Ready <none> 23m v1.20.9

K8S命令

生成新的令牌: 使用 kubeadm token create 命令生成一个新的加入令牌:

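# Generate a fresh bootstrap token and print the complete `kubeadm join`
# line for it. --ttl shortens the default 24h lifetime to what is actually
# needed to join the node(s); the printed line is a cluster-join credential,
# so do not paste it into shared documents or chat.
kubeadm token create --ttl 1h --print-join-command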

检查和管理现有令牌

  1. 查看现有令牌: 你可以使用以下命令查看当前有效的令牌:

    # List bootstrap tokens with their expiry; anything still valid here is a
    # working join credential.
    kubeadm token list
  2. 删除过期令牌: 如果有需要,可以删除过期或不再使用的令牌:

    # Revoke a token early (e.g. the one printed on this page once the workers
    # are in) or clean up expired ones; <token-id> is the first column of
    # `kubeadm token list`.
    kubeadm token delete <token-id>

部署dashboard

# Install the Dashboard from a version-pinned manifest (v2.3.1) fetched from
# GitHub over HTTPS. kubectl applies whatever the URL returns with your
# cluster-admin kubeconfig; to review it first, download it, read it, then
# apply the local copy.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.3.1/aio/deploy/recommended.yaml

recommended.yaml

可以通过下面命令查看dashboard启动情况

# Expected state after Calico and the Dashboard are up: every pod Running.
# The two pods in the kubernetes-dashboard namespace are what the next steps
# expose; note the namespace, it is needed for the Service edit below.
[root@master ~]# kubectl get pod -A
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system calico-kube-controllers-577f77cb5c-gmhpd 1/1 Running 1 146m
kube-system calico-node-bm67j 1/1 Running 1 129m
kube-system calico-node-h55js 1/1 Running 1 146m
kube-system calico-node-j8x6m 1/1 Running 1 129m
kube-system coredns-5897cd56c4-gd2qj 1/1 Running 1 3h4m
kube-system coredns-5897cd56c4-ltk4h 1/1 Running 1 3h4m
kube-system etcd-master 1/1 Running 1 3h4m
kube-system kube-apiserver-master 1/1 Running 1 3h4m
kube-system kube-controller-manager-master 1/1 Running 1 3h4m
kube-system kube-proxy-72hqs 1/1 Running 1 3h4m
kube-system kube-proxy-dw6z2 1/1 Running 1 129m
kube-system kube-proxy-xlxqj 1/1 Running 1 129m
kube-system kube-scheduler-master 1/1 Running 1 3h4m
kubernetes-dashboard dashboard-metrics-scraper-79c5968bdc-nkbtb 1/1 Running 0 37m
kubernetes-dashboard kubernetes-dashboard-658485d5c7-v9mll 1/1 Running 0 37m

知道NAMESPACE之后,设置访问端口

# Change the Service from ClusterIP to NodePort in the editor that opens.
# NOTE(review): NodePort binds the port on every node's IP, so the Dashboard
# becomes reachable from anywhere that can reach any node. Fine for a lab;
# otherwise prefer `kubectl port-forward` / `kubectl proxy` from your own
# machine, or an Ingress with a real certificate and authentication.
kubectl edit svc kubernetes-dashboard -n kubernetes-dashboard

type: ClusterIP 改为 type: NodePort

查找访问端口

# Find the NodePort assigned to the Dashboard Service (here 31718, mapped to
# the pod's HTTPS port 443).
[root@master ~]# kubectl get svc -A |grep kubernetes-dashboard
kubernetes-dashboard dashboard-metrics-scraper ClusterIP 10.96.11.165 <none> 8000/TCP 39m
kubernetes-dashboard kubernetes-dashboard NodePort 10.96.158.40 <none> 443:31718/TCP 39m

## Open this port in the cloud security group / firewall; 31718 is the one to browse to (https://<node-ip>:31718).
## NOTE(review): behind it is a token login for the cluster-admin account
## created below, so restrict the security-group rule to your own source
## address rather than 0.0.0.0/0.

不安全问题

无论是 Chrome 还是 Edge 都会停在证书警告页,而且没有"继续访问"按钮。此时在该页面直接用键盘输入 thisisunsafe,浏览器就会跳过警告进入页面。注意:这不是什么魔法,而是 Chromium 内置的跳过证书校验的口令——它让浏览器忽略"Dashboard 默认用的是自签名证书、无法验证对端身份"这一事实。只在自己的实验环境这么做;如果 Dashboard 要对外暴露,应给它配真实证书(或者只通过 kubectl proxy / kubectl port-forward 在本机访问),否则你是在一条没有验证对端身份的 TLS 连接上输入一个 cluster-admin 级别的令牌。


输入那个命令就跳转这个了


创建访问账号

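# Dashboard login identity. Save as dash-user.yaml (nano dash-user.yaml) and
# apply with `kubectl apply -f dash-user.yaml`. Indentation restored — the
# listing had lost it, and "name"/"namespace" at column 0 would not nest
# under "metadata".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: kubernetes-dashboard
---
# NOTE(review): this binds the account to the built-in cluster-admin
# ClusterRole, so the token retrieved in the next step grants unrestricted
# control of the whole cluster to anyone who obtains it. Convenient for a
# lab; for anything shared, bind a narrower role instead (the built-in
# "view" or "edit" ClusterRole, or a RoleBinding scoped to one namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard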

执行命令

# Create the ServiceAccount and bind it to cluster-admin; from this point
# anyone holding that account's token has full control of the cluster.
kubectl apply -f dash-user.yaml

令牌访问

# Print the ServiceAccount's token. Kubernetes 1.20 still auto-creates a
# token Secret per ServiceAccount; .secrets[0] is that Secret and the inner
# kubectl resolves its name for the outer one. The output is the long-lived
# (non-expiring) credential for the cluster-admin account created above —
# treat it like a root password: never paste it into notes, tickets or
# screenshots, and delete/recreate the ServiceAccount if it leaks.
kubectl -n kubernetes-dashboard get secret $(kubectl -n kubernetes-dashboard get sa/admin-user -o jsonpath="{.secrets[0].name}") -o go-template="{{.data.token | base64decode}}"
<访问令牌(JWT),已从本页删除。它是上面创建的 admin-user(cluster-admin)账号的长期凭据,不会过期,等同于集群的 root 口令;拿到它的人可以完全控制集群。不要把它贴进笔记、截图或博客;若已经泄露,执行 kubectl -n kubernetes-dashboard delete sa admin-user 后重新创建。>

把得到的令牌粘贴到token里面


命令

# 随机一个机子拉取nginx
kubectl run mynginx --image=nginx
# 查看default名称空间的Pod
kubectl get pod
# 描述
kubectl describe pod 你自己的Pod名字
# 删除
kubectl delete pod 你自己的Pod名字
# 查看Pod的运行日志
kubectl logs Pod名字
# 每个Pod - k8s都会分配一个ip
kubectl get pod -owide
# 使用Pod的ip+pod里面运行容器的端口
curl 192.168.169.136
# 集群中的任意一个机器以及任意的应用都能通过Pod分配的ip来访问这个Pod

test

nginx.yaml

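# A single-container Pod running nginx (kubectl apply -f nginx.yaml).
# Indentation restored — the listing had lost it.
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: mynginx
  name: mynginx
  # namespace: default   # left out → created in the current context's namespace
spec:
  containers:
  # NOTE(review): untagged image resolves to nginx:latest; pin a tag.
  - image: nginx
    name: mynginx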

myapp.yaml

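# A two-container Pod: nginx and Tomcat share one network namespace, so they
# reach each other on localhost and must not bind the same port (their
# defaults, 80 and 8080, do not clash). Indentation restored — the listing
# had lost it.
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: myapp
  name: myapp
spec:
  containers:
  # NOTE(review): untagged image resolves to nginx:latest; pin a tag as is
  # done for tomcat.
  - image: nginx
    name: nginx
  - image: tomcat:8.5.68
    name: tomcat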

这里我的raspberry外接了一个网卡eth1,这个eth1直接连接路由器获取互联网络,raspberry自己有一个eth0这个网卡用来接电脑,它(eth0)将运行dhcp服务下发ip给电脑,这样我们的电脑就能拥有网络。你会问我为啥要脱裤子放屁,因为这个eth1网卡可以是通过手机usb共享出来的网络(eth1可以当成手机usb共享的网卡,到时不叫这个名字,这里为了好记忆还是这么叫),我设计这个的目的就是让手机共享网络给树莓派,然后通过树莓派的lan口(eth0)下发局域网给路由器的wan口,路由器会自己再生成一个局域网下发lan口和wifi,设备连wifi和连路由器的lan都在一个局域网内。

换源

  • 清华源bookworm
# Point apt at the TUNA (Tsinghua) mirror over HTTPS, replacing
# /etc/apt/sources.list entirely (back it up first if you want a way back;
# files under /etc/apt/sources.list.d/ are not touched). apt verifies the
# Release-file signatures whatever the transport, so swapping mirrors does
# not weaken package authenticity; HTTPS additionally keeps the list of what
# you install private on the wire. deb-src lines stay commented.
cat >/etc/apt/sources.list<<EOF
# 清华源
deb https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm main contrib non-free non-free-firmware
#deb-src https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm main contrib non-free non-free-firmware
deb https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm-updates main contrib non-free non-free-firmware
#deb-src https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm-updates main contrib non-free non-free-firmware
deb https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm-backports main contrib non-free non-free-firmware
#deb-src https://mirrors4.tuna.tsinghua.edu.cn/debian/ bookworm-backports main contrib non-free non-free-firmware
deb https://mirrors4.tuna.tsinghua.edu.cn/debian-security bookworm-security main contrib non-free non-free-firmware
#deb-src https://mirrors4.tuna.tsinghua.edu.cn/debian-security bookworm-security main contrib non-free non-free-firmware
EOF

更新系统

# Refresh package lists from the new mirror, then upgrade everything
# installed (-y on `apt update` is accepted but has nothing to confirm).
apt update -y && apt upgrade -y

eth0处于up状态

这地方很重要!先让网卡起来,然后给它一个独立网段的 ip。我的上行网卡所在网段是 192.168.1.0/24(原文写的是 eth0,按上下文应指连外网的 eth1),所以 eth0 这边必须选一个不重叠的网段,比如 192.168.10.0/24;这个 ip(192.168.10.1)既是 LAN 侧设备的网关、负责中转流量,也是 DHCP 服务器的地址。

# Bring up eth0 and give it the LAN-side address that doubles as the
# clients' default gateway and the DHCP server address.
# NOTE(review): `ip` changes are not persistent — after a reboot eth0 has no
# address again and isc-dhcp-server will not start until this is redone.
# Put the address into whatever manages interfaces on your image
# (NetworkManager, dhcpcd or /etc/network/interfaces — check which is in use).
sudo ip link set eth0 up
sudo ip addr add 192.168.10.1/24 dev eth0

dhcp服务器安装和设置

# ISC dhcpd; configured via /etc/default/isc-dhcp-server (which interfaces)
# and /etc/dhcp/dhcpd.conf (which subnet and range) in the next two steps.
apt-get install -y isc-dhcp-server

编辑 /etc/default/isc-dhcp-server,把里面改成 INTERFACESv4="eth0"(注意用英文直引号,不要用中文弯引号)就行了。只监听 eth0 很重要:这样 dhcpd 不会在上行口 eth1 上应答、给别人的网络乱发地址。

# Set INTERFACESv4="eth0" so dhcpd only serves the LAN side and never answers
# DHCP on the upstream interface eth1.
vim /etc/default/isc-dhcp-server 

修改dhcpd.conf

# Define the subnet and lease range dhcpd hands out on eth0 (contents below).
vim /etc/dhcp/dhcpd.conf 

看我的配置!这里设计了树莓派的lan口下发的ip范围,但你懂得,树莓派就一个lan口,还是自带的,所以只有一个ip就是192.168.10.1,下发的ip是给路由器或者电脑一个设备端使用,这里我就把范围调大了,可以按照自己喜欢调小

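# Lease pool served on eth0 (see INTERFACESv4 in /etc/default/isc-dhcp-server).
# Indentation restored — the listing had lost it.
subnet 192.168.10.0 netmask 255.255.255.0 {
  # 101 addresses; the Pi itself is 192.168.10.1 and stays outside the range.
  range 192.168.10.100 192.168.10.200;
  # Default gateway for clients = the Pi's eth0 address, which also does the
  # NAT (iptables MASQUERADE step below).
  option routers 192.168.10.1;
  option subnet-mask 255.255.255.0;
  # Public Google resolvers: every client's DNS query goes straight to
  # Google. Substitute your upstream router's or your own resolver if that
  # is a concern.
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}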

设置ipv4流量中转

# Enable IPv4 forwarding persistently; without it the Pi drops packets that
# are not addressed to itself and no traffic crosses eth0 → eth1.
sudo vim /etc/sysctl.conf
# Add this line to /etc/sysctl.conf (turns the Pi into a router).
net.ipv4.ip_forward=1

配置载入

# Load /etc/sysctl.conf now, without a reboot.
sudo sysctl -p

防火墙流量放行

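# NAT everything leaving through eth1. Careful: eth1 is the UPSTREAM
# interface — the one with Internet access (Ethernet / USB-tethered phone),
# NOT the one your PC or router is plugged into.
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Forwarding rules (added over the original). With the kernel's default
# FORWARD policy of ACCEPT they change nothing functionally, but they state
# the intent and keep NAT working if the policy is later set to DROP — which
# is recommended, so that hosts on the upstream side cannot initiate
# connections into the 192.168.10.0/24 LAN:
#   LAN -> upstream: allowed;  upstream -> LAN: only replies to existing flows.
sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
sudo iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT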

如果没iptables需要安装

# iptables-persistent restores saved rules at boot; it must be installed
# before `netfilter-persistent save` below. Its installer may ask whether to
# save the current rules — answering yes is fine if the MASQUERADE rule is
# already loaded.
sudo apt-get install -y iptables iptables-persistent

保存iptables配置

# Write the current IPv4/IPv6 rule sets to /etc/iptables/rules.v4 and
# rules.v6 so they are reloaded at boot. Everything currently loaded is
# saved, so check `sudo iptables -S` and `sudo iptables -t nat -S` first for
# stray rules from earlier experiments.
sudo netfilter-persistent save

dhcp服务!启动!

# (Re)start dhcpd with the new config. If it fails,
# `journalctl -u isc-dhcp-server` usually shows why — most often eth0 does
# not yet have its 192.168.10.1 address, which dhcpd needs in order to match
# the subnet declaration above.
sudo systemctl restart isc-dhcp-server

使用过程报错

  • 如果使用过程中是手机usb共享网络的记得要重新获取一下设备ip,我的是华为nova7就是要这样弄的,不然没有网络

  • 如果用的是以太网自动下发的ip地址,就不会出现上述问题