Shulou(Shulou.com)06/02 Report--

Introduction to kubernetes

Kubernetes, referred to as K8s, is an open source, used to manage containerized applications on multiple hosts in the cloud platform. The goal of Kubernetes is to make the deployment of containerized applications simple and efficient (powerful). Kubernetes provides a mechanism for application deployment, planning, updating, and maintenance.

Advantages:

The traditional way of application deployment is to install the application through plug-ins or scripts. The disadvantage of this is that the operation, configuration, management and all lifecycles of the application will be bound to the current operating system, which is not conducive to the upgrade, update / rollback of the application. Of course, some functions can also be achieved by creating a virtual machine, but the virtual machine is very heavy and is not conducive to portability.

The new way is to deploy containers, each container is isolated from each other, each container has its own file system, the processes between containers will not affect each other, and computing resources can be distinguished. Compared with virtual machines, containers can be deployed quickly. Because containers are decoupled from underlying facilities and machine file systems, they can be migrated between different clouds and different versions of operating systems.

Containers take up less resources and deploy quickly, and each application can be packaged into a container image. The one-to-one relationship between each application and the container also gives the container a greater advantage. Using containers can create container images for applications at the build or release stage, because each application does not need to be combined with the rest of the application stack, nor does it rely on the infrastructure of the production environment, which makes it possible to provide a consistent environment from research and development to testing and production. Similarly, containers are lighter and more "transparent" than virtual machines, which is easier to monitor and manage.

▪ Master components

▪ Node (Node) component

Kubernetes is an open source container orchestration engine for Google, which supports automated deployment, large-scale scalability, and application containerization management. When deploying an application in a production environment, multiple instances of the application are usually deployed to load balance application requests.

In Kubernetes, we can create multiple containers and run an application instance in each container, and then manage, discover and access this group of application instances through the built-in load balancing policy, and these details do not need to be manually configured and processed by operation and maintenance personnel.

Characteristics of Kubernetes

Portable: supports public cloud, private cloud, hybrid cloud, multiple cloud (multi-cloud)

Extensible: modular, plug-in, mountable, combinable

Automation: automatic deployment, automatic restart, automatic replication, automatic scaling / expansion

Master component

1.1kube-apiserver

1.2ETCD

1.3kube-controller-manager

1.4cloud-controller-manager

1.5kube-scheduler

1.6 plug-in addons

1.6.1DNS

1.6.2 user interface

1.6.3 Container Resource Monitoring

1.6.4Cluster-level Logging

Node (Node) component

2.1kubelet

2.2kube-proxy

2.3docker

2.4RKT

2.5supervisord

2.6fluentd

Master component

The Master component provides a management control center for the cluster. The Master component can run on any node in the cluster. But for simplicity, it is common to start all Master components on one VM/ machine, and the user container is not run on that VM/ machine. Refer to Building multi-master-VM since you built a highly available cluster.

Kube-apiserver

Kube-apiserver is used to expose Kubernetes API. Any resource request / invocation operation is done through the interface provided by kube-apiserver. See Building a highly available cluster.

ETCD

Etcd is the default storage system provided by Kubernetes, which stores all cluster data and needs to provide a backup plan for etcd data.

Kube-controller-manager

The kube-controller-manager runs the management controller, which is the background thread that handles regular tasks in the cluster. Logically, each controller is a separate process, but to reduce complexity, they are compiled into a single binary and run in a single process.

These controllers include:

Node (Node) controller.

Replication controller: responsible for maintaining the pod in each replica in the system.

Endpoint (Endpoints) controller: populates the Endpoints object (that is, connected Services&Pods).

Service Account and Token controllers: create a default account to access the API Token for the new Namespace.

Cloud-controller-manager

The Cloud Controller Manager is responsible for platform interaction with the underlying cloud provider. Cloud Controller Manager was introduced in Kubernetes version 1.6 and is currently a feature of Alpha.

The Cloud Controller Manager only runs a cloud provider specific (controller loops) controller loop. You can disable the controller loop by setting-- cloud-providerflag to external to start kube-controller-manager.

Specific functions of cloud-controller-manager:

Node (Node) controller

Routing (Route) controller

Service controller

Volume (Volume) controller

Kube-scheduler

Kube-scheduler monitors the newly created Pod that is not assigned to the Node and selects a Node for the Pod.

Plug-in addons

Plug-ins (addon) implement cluster pod and Services functions. Pod is managed by Deployments,ReplicationController and others. The Namespace plug-in object is created in kube-system Namespace.

DNS

Although plug-ins are not strictly required, Kubernetes clusters should have cluster DNS.

The cluster DNS is a DNS server that provides DNS records for Kubernetes services.

Containers started by Kubernetes automatically include this DNS server in their DNS searches.

User interface

Kube-ui provides basic information about cluster status.

Container resource monitoring

Container resource monitoring provides a UI to browse monitoring data.

Cluster-level Logging

Cluster-level logging, responsible for saving container logs, searching / viewing logs.

Node (Node) component

Node components run on Node, provide a Kubernetes runtime environment, and maintain Pod.

Kubelet

Kubelet is the primary node agent that monitors the pod that has been assigned to the node, with specific functions:

Install the volume required for Pod.

Download the Secrets for Pod.

The docker (or experimentally,rkt) container running in Pod.

Perform container health check regularly.

Reports the status of the pod back to the rest of the system, by creating amirror podif necessary.

Reports the status of the node back to the rest of the system.

Kube-proxy

Kube-proxy implements Kubernetes service abstraction by maintaining network rules on the host and performing connection forwarding.

Docker

Docker is used to run the container.

RKT

Rkt runs the container as an alternative to the docker tool.

Supervisord

Supervisord is a lightweight monitoring system used to ensure the operation of kubelet and docker.

Fluentd

Fluentd is a daemon that provides cluster-level logging.

Cluster environment:

System centos7

Master 、 node

-(pre-commissioning is operated in each unit)-

Set the hostnames of the three machines:

Execution on master: hostnamectl-- execution on static set-hostname k8s-masternode1: execution on hostnamectl-- execution on static set-hostname k8s-node-1node2: hostnamectl-- static set-hostname k8s-node-2

Modify the mutual interpretation of each hosts file:

Cat > / etc/hosts 192.168.180.128 k8s-master192.168.180.133 k8s-node-1EOF

Turn off the firewall and selinux

Systemctl stop firewalld & systemctl disable firewalld & & setenforce 0setenforce 0 sed-I's / ^ SELINUX = enforcing$/SELINUX=permissive/' / etc/selinux/config

Enable linux routing forwarding function

Echo "1" > / proc/sys/net/ipv4/ip_forward

Set up ssh to enable mutual trust between servers

Mkdir ~ / .sshssh-keygen-t rsassh-copy-id-I ~ / .ssh/id_rsa.pub user@server

Kubernetes cluster components (to be configured)

-etcd: a highly available storage and service discovery system for the key V key pair

-flannel: achieve communication across host container networks

-kube-apiserver: provides api calls for kubernetes clusters

-kube-controller-manager: ensure the cluster service

-kube-scheduler scheduling container: assigned to node

-kubelet: launch the container on the node node according to the container specifications defined in the configuration file

-kube-proxy provides network proxy service

Download dependency packages-lvm2-docker, etc.

Yum update-y & & yum- y install yum-utils device-mapper-persistent-data lvm2 yum-config-manager-enable docker-ce-nightlyyum-config-manager-enable docker-ce-test

Add an official yum library

Sudo yum-config-manager\-- add-repo\ https://download.docker.com/linux/centos/docker-ce.repo

Install docker

Sudo yum install docker-ce docker-ce-cli containerd.iosystemctl enable docker & & systemctl start dockeryum-config-manager-enable docker-ce-nightlyyum-config-manager-enable docker-ce-test

Or use the script to install with one click

Curl-fsSL "https://get.docker.com/" | shsystemctl enable-- now docker

Modify the docker cgroup driver, consistent with K8s, and use systemd to modify the docker cgroup driver:

Native.cgroupdriver=systemdcat > / etc/docker/daemon.json > kubecfg.key

Generate p12 certificate, enter the password directly according to the requirements, do not enter the password randomly, and then use it when importing it to the browser.

Openssl pkcs12-export-clcerts-inkey kubecfg.key-in kubecfg.crt-out kubecfg.p12-name "kubernetes-client"

After running, there will be a kubecfg.p12 certificate file in the current directory. Transfer the kubecfg.p12 certificate file to the desktop, and you can send the file to the desktop by installing yum install lrzsz.

[root@master1] ~ $sz kubecfg.p12

Import a certificate into a chrome browser

Click browser: menu-Settings-Advanced-manage certificates

Select the "personal" column (for chrome71 and above, below 71 is not sure if the line is OK), and then click Import kubecfg.p12.

All the remaining steps are defaulted by default. After completion, they are as follows:

Restart the browser after the import is successful

Chrome://restart

Note: use the link below to change ip and port access and access again

Https://192.168.255.140:8443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

A certificate information dialog box similar to the following will pop up, and click OK.

After clicking OK, the following interface appears

Select login method

Kubeconfig, token, username and password, direct access, do not use any login, use token login, full access to resources, first create an account, then create a clusterroles with full permissions, and bind the two with clusterrolebinding.

When you install the yaml file, you have created a service account called kubernetes-dashboard to view the details

[root@master2] ~ $kubectl describe serviceaccount/kubernetes-dashboard-n kube-systemName: kubernetes-dashboardNamespace: kube-systemLabels: k8s-app=kubernetes-dashboardAnnotations: Image pull secrets: Mountable secrets: kubernetes-dashboard-token-jwld4Tokens: kubernetes-dashboard-token-jwld4Events:

After the kubernetes cluster is installed, it will automatically generate some clusterroles cluster permission objects. You can use the following command to see which objects are available.

[root@master2] ~ $kubectl get clusterrolesNAME AGEadmin 4h31mcluster-admin 4h31medit 4h31mflannel 3h68msystem:aggregate-to-admin 4h31msystem:aggregate-to-edit 4h31m

For example, the cluster administrator, let's take a look at it in detail. The * sign indicates that you have all permissions on all resources.

[root@master2] ~ $kubectl describe clusterroles/cluster-adminName: cluster-adminLabels: kubernetes.io/bootstrapping=rbac-defaultsAnnotations: rbac.authorization.kubernetes.io/autoupdate: truePolicyRule: Resources Non-Resource URLs Resource Names Verbs-*. [] [] [*]

Users and permissions are available. Bind them together.

Bind the kubernetes-dashboard service account to the cluster administrator privileges object cluster-admin.

# # 13. Create a yaml file, vim dashboard.yaml, with the following contents

ApiVersion: rbac.authorization.k8s.io/v1beta1kind: ClusterRoleBindingmetadata: name: kubernetes-dashboard labels: k8s-app: kubernetes-dashboardroleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-adminsubjects:- kind: ServiceAccount name: kubernetes-dashboard namespace: kube-system

Execution

[root@master2] ~ $kubectl create-f dashboard.yaml

Check to see if the creation is successful

[root@master2] ~ $kubectl get clusterrolebindings kubernetes-dashboardNAME AGEkubernetes-dashboard 88s

Find the token of the kubernetes-dashboard account and write down this string of token, which will be used when logging in. This token is permanent by default.

Kubectl-n kube-system describe secret $(kubectl-n kube-system get secret | grep kubernetes-dashboard-token | awk'{print $1}') Name: kubernetes-dashboard-token-jwld4Namespace: kube-systemLabels: Annotations: kubernetes.io/service-account.name: kubernetes-dashboard kubernetes.io/service-account.uid: a2ced45f-8b61-11e9-b98f-0050563ff983Type: kubernetes.io/service-account-tokenDatanamespace: 11 bytestoken: eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZC10b2tlbi1qd2xkNCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJrdWJlcm5ldGVzLWRhc2hib2FyZCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImEyY2VkNDVmLThiNjEtMTFlOS1iOThmLTAwNTA1NjNmZjk4MyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTprdWJlcm5ldGVzLWRhc2hib2FyZCJ9 .VzsWE80t7AEMB891rxBKJVMxwt5DtuzA23 _-SLxxQcjpaB80LBfB09WqUSe6G6vrkRdpMQ3wDLA2SIFCQVAapAHl-J45NuPyhxh8A-DNpfGpEk3uxFqXkn5WXYasbeCIcHw6TII27PTwG6wgS_q1qEbOf4LYJHjExdqypIqAj__F2RRGTqER378qVvJrHJndL5M6W2PhINazLOEqezxKxDRBigMFU7luOYvWCxSPFhjSd3LrsMfWwSRY-Jq5-tUEhsI7uU7Yyb3UIDDiXex-8Mwbida_TgpcIZi6BaEclPygSSfq1a177r97hnxcdv02X9ooOghztSGKM-1bDBWhNgca.crt: 1025 bytes

Visit dashboard again. Enter token to log in and the interface is as follows

At this point, the principal who accesses the dashboard is the kubernetes-dashboard service account, which has all the permissions to use all the resources in the cluster.

It is very convenient to operate through web, as follows: to expand and scale up the capacity

The production environment should give different permissions to different people, customize the access to resources, log in with kubeconfig, and copy token every time, which will be troublesome.

1. Copy the config file to another place first

[root@master2] ~ $cp. Kube / config.

Then append a token with full access to the last line. Find out token first.

Kubectl-n kube-system describe secret $(kubectl-n kube-system get secret | grep admin-token | awk'{print $1}') | grep token | tail-1

Append to config, as follows

Users:- name: kubernetes-admin user: client-certificate-data: LS0tLS1CRUd.... Client-key-data: LS0tLS1CRUdJTiBSU. Token: eyJhbGciO... ...

Upload to the desktop and select login

Log in using username and password, which is not enabled by default.

Without this parameter, anonymous users are used by default, and the credentials provided cannot be checked for validity.

The reason is that Kubernetes needs to be configured

If you want to enable username and password authentication, you must configure the parameters-- authorization-mode=ABAC and and-- basic-auth-file in the deployment file of apiserver.

Then set authentication-mode = basic in the deployment file of dashboard. By default, it is set to-- authentication-mode = token.

Skip the login process and visit directly

Add parameter-enable-skip-login

Containers:-args:-auto-generate-certificates-enable-skip-login

Official documents:

Https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard-1.7.X-and-above

Https://github.com/kubernetes/dashboard/wiki/Creating-sample-user

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.