Installing k3s Offline (Air-Gap Install)

k3s Documentation

Chinese docs: https://docs.rancher.cn/docs/k3s/_index

Preparing the Offline Files

Download the following files from https://github.com/k3s-io/k3s/releases:
* k3s-airgap-images-amd64.tar.zst
* k3s

Download the k3s-install.sh script from https://rancher-mirror.rancher.cn/k3s/k3s-install.sh.

Offline Installation (Ubuntu 22.04)

  1. Upload k3s-airgap-images-amd64.tar.zst to /var/lib/rancher/k3s/agent/images/ on the server

    sudo mkdir -p /var/lib/rancher/k3s/agent/images/
    sudo cp k3s-airgap-images-amd64.tar.zst /var/lib/rancher/k3s/agent/images/
  2. Upload the k3s binary to /usr/local/bin/ on the server

    sudo cp k3s /usr/local/bin/
    sudo chmod +x /usr/local/bin/k3s
  3. Upload k3s-install.sh to the server

  4. Run the install script (a quick sanity check follows after this list)

    server1
    chmod +x k3s-install.sh
    sudo INSTALL_K3S_SKIP_DOWNLOAD=true \
    INSTALL_K3S_EXEC='server --token=23f0fba79fc84fd5962279908c86d05e --cluster-init' \
    ./k3s-install.sh

    servern
    chmod +x k3s-install.sh
    sudo INSTALL_K3S_SKIP_DOWNLOAD=true \
    INSTALL_K3S_EXEC='server --token=23f0fba79fc84fd5962279908c86d05e --server https://server1:6443' \
    ./k3s-install.sh
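Once the script finishes on each node, a quick sanity check (k3s bundles kubectl, so no separate install is needed):

sudo k3s kubectl get nodes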

Using a Private Image Registry with k3s

Drop a registries.yaml file in place to configure it:

/etc/rancher/k3s/registries.yaml
mirrors:
  docker.io:
    endpoint:
      - "http://registry.example.com:5000"

Restart k3s:

sudo systemctl restart k3s
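k3s renders registries.yaml into its containerd configuration on startup; to confirm the mirror was picked up (path assumes the default k3s data directory):

sudo grep -A 2 mirrors /var/lib/rancher/k3s/agent/etc/containerd/config.toml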

Mounting a NAS

See the Alibaba Cloud console for the exact commands.
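For reference, a rough NFS v3 mount sketch for Alibaba Cloud NAS; the mount-target hostname below is a placeholder, copy the real one from the console:

sudo mkdir -p /mnt/nas
sudo mount -t nfs -o vers=3,nolock,proto=tcp,noresvport your-mount-target.nas.aliyuncs.com:/ /mnt/nas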

Installing Helm (Ubuntu 22.04)

# k3s.yaml is readable only by root by default
mkdir -p ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown $(id -u):$(id -g) ~/.kube/config

sudo snap install helm --classic

helm repo add bitnami https://charts.bitnami.com/bitnami

helm repo list

Helm 3 no longer needs Tiller or helm init.

Accessing the Cluster with Lens

Download the Lens installer from https://k8slens.dev/ (Windows is supported); use an XShell tunnel to reach the cluster network.
In Lens's Clusters view, click the big plus at the bottom right, choose Add from kubeconfig, and paste in the k3s kubeconfig (/etc/rancher/k3s/k3s.yaml).

Pulling Images with Docker and Importing Them into k8s

Download with Docker
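The image presumably gets pulled first on a machine with internet access; the tag here matches the save command below:

docker pull registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2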

docker save registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2 -o kube-state-metrics-v2.9.2.tar

Load into Docker

docker image load -i kube-state-metrics-v2.9.2.tar

Import into k3s

k3s ctr image import kube-state-metrics-v2.9.2.tar
k3s ctr image ls|grep kube-state-metrics

Note: if the image pull policy (imagePullPolicy) is Always, the image is always re-downloaded; to use an imported image, change the pull policy to IfNotPresent.
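Where that sits in a pod spec, using the image imported above (a fragment, not a complete manifest):

containers:
  - name: kube-state-metrics
    image: registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2
    imagePullPolicy: IfNotPresent  # use the locally imported image if present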

kube-prometheus

Reference: https://github.com/prometheus-operator/kube-prometheus

kubectl apply --server-side -f manifests/setup
kubectl wait \
--for condition=Established \
--all CustomResourceDefinition \
--namespace=monitoring
kubectl apply -f manifests/

kubectl port-forward pod/grafana-748964b847-vtnk8 3000:3000 -n monitoring
Default credentials: admin/admin
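The pod name above is specific to one deployment; kube-prometheus also creates a grafana service in the monitoring namespace, and forwarding that survives pod restarts:

kubectl port-forward svc/grafana 3000:3000 -n monitoring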

Installing Docker (Ubuntu)

sudo apt install docker.io

Configuring a Registry Mirror (Alibaba Cloud)

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://??????.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
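To confirm the mirror is in effect:

docker info | grep -A 1 'Registry Mirrors'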

Rancher (Abandoned)

Rancher starts a built-in k3s cluster by default after installation, but it seems unable to add self-managed k8s clusters? Perhaps using k3s alone is the simplest approach, since Rancher brings extra complexity and less control.

Persistent Storage (Longhorn)

Installation

wget https://raw.githubusercontent.com/longhorn/longhorn/v1.5.1/deploy/longhorn.yaml
kubectl apply -f longhorn.yaml
kubectl get sc
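A minimal PVC sketch against the longhorn storage class (the claim name is a placeholder):

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: demo-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 1Gi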

Dashboard

Official docs: accessing-the-ui

kubectl port-forward svc/longhorn-frontend 30080:80 -n longhorn-system

Deploying a Private Image Registry

Start the Registry

docker run -d \
  -p 5000:5000 \
  --restart unless-stopped \
  --name registry \
  -v /mnt/registry-data:/var/lib/registry \
  registry:latest

Web UI (joxit/docker-registry-ui)

After a quick search, joxit/docker-registry-ui looks usable (at least it is still being updated): github

docker-compose.yaml
version: '3.8'

services:
  registry-ui:
    image: joxit/docker-registry-ui:2.5.7
    restart: unless-stopped
    ports:
      - 18080:80
    environment:
      - SINGLE_REGISTRY=true
      - REGISTRY_TITLE=Docker Registry UI
      - DELETE_IMAGES=true
      - SHOW_CONTENT_DIGEST=true
      - REGISTRY_URL=http://localhost:5000
      - SHOW_CATALOG_NB_TAGS=true
      - CATALOG_MIN_BRANCHES=1
      - CATALOG_MAX_BRANCHES=1
      - TAGLIST_PAGE_SIZE=100
      - REGISTRY_SECURED=false
      - CATALOG_ELEMENTS_LIMIT=1000
    container_name: registry-ui
    networks:
      - registry-net

  registry-server:
    image: registry:2.8.2
    restart: unless-stopped
    ports:
      - 5000:5000
    environment:
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Origin: '[http://localhost:18080]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Methods: '[HEAD,GET,OPTIONS,DELETE]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Credentials: '[true]'
      REGISTRY_HTTP_HEADERS_Access-Control-Allow-Headers: '[Authorization,Accept,Cache-Control]'
      REGISTRY_HTTP_HEADERS_Access-Control-Expose-Headers: '[Docker-Content-Digest]'
      REGISTRY_STORAGE_DELETE_ENABLED: 'true'
    volumes:
      - /your-path/registry-data:/var/lib/registry
    container_name: registry-server
    networks:
      - registry-net

networks:
  registry-net:
# start
docker-compose up -d
# stop
docker-compose down

Pitfall: if you work from a terminal like XShell, you can reach the internal network through an XShell tunnel, but you must forward both registry-server's port 5000 and registry-ui's port 18080 to your local machine.

Tagging an Image and Pushing It to the Private Registry

docker tag registry:latest 127.0.0.1:5000/registry:v2.7.1
docker push 127.0.0.1:5000/registry:v2.7.1

Listing Registry Contents with curl

# list the repositories in the registry
curl -X GET 127.0.0.1:5000/v2/_catalog

# list the tags of a specific image
curl -X GET 127.0.0.1:5000/v2/image_name/tags/list

If anything goes wrong, run curl with -v or --verbose for easier troubleshooting.

Pulling Images from the Private Registry

For other hosts to use the private registry, edit daemon.json and make it take effect:

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://your_id.mirror.aliyuncs.com"],
  "insecure-registries": ["192.168.1.1:5000"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker

Working Around Blocked Docker Image Pulls

When images hosted on foreign platforms cannot be downloaded, you can pull them through DaoCloud's public mirror by adding the m.daocloud.io prefix.

Reference: DaoCloud public mirror acceleration
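For example, pulling the kube-state-metrics image used earlier through the mirror (assuming the image path maps one-to-one under the prefix):

docker pull m.daocloud.io/registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.9.2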

Installing ZooKeeper with Helm

Search for the version you need:

helm search repo bitnami/zookeeper -l | grep 3.8

Download the desired version (this is the Helm chart version, not the ZooKeeper version):

helm fetch bitnami/zookeeper --version 11.4.11

Extract the downloaded tgz and edit values.yaml to customize the deployment:

tar -zxvf zookeeper-11.4.11.tgz
cd zookeeper-11.4.11
vi values.yaml

Changes to values.yaml:

replicaCount: 3
...
persistence:
  storageClass: longhorn
  size: 2Gi
...
resources:
  limits: {}
  requests:
    memory: 128Mi
    cpu: 50m

Install, and the output:

helm install zookeeper .

NAME: zookeeper
LAST DEPLOYED: Tue Jul 30 13:17:31 2024
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
CHART NAME: zookeeper
CHART VERSION: 11.4.11
APP VERSION: 3.8.2

** Please be patient while the chart is being deployed **

ZooKeeper can be accessed via port 2181 on the following DNS name from within your cluster:

zookeeper.default.svc.cluster.local

To connect to your ZooKeeper server run the following commands:

export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=zookeeper,app.kubernetes.io/instance=zookeeper,app.kubernetes.io/component=zookeeper" -o jsonpath="{.items[0].metadata.name}")
kubectl exec -it $POD_NAME -- zkCli.sh

To connect to your ZooKeeper server from outside the cluster execute the following commands:

kubectl port-forward --namespace default svc/zookeeper 2181:2181 &
zkCli.sh 127.0.0.1:2181

Check the ZooKeeper cluster status:

kubectl exec -it zookeeper-0 -- zkServer.sh status

Installing dubbo-admin

Reference: https://github.com/apache/dubbo-admin

The latest stable release of the Admin console is 0.5.0, which apparently has not been updated in a long time.
To install it on Kubernetes, first adjust the configuration in dubbo-admin\kubernetes\dubbo-admin.yaml:

...
data:
  application.properties: |-
    admin.root.user.name: root
    admin.root.user.password: root
    ...
    admin.check.signSecret: adkfkdkd13413
...

Note: admin.check.signSecret is empty by default; if you leave it unset, you cannot log in.

Deploy:

kubectl apply -f dubbo-admin.yaml

Port forwarding:

kubectl port-forward -n default deployment/dubbo-admin 38080:8080

Then open http://localhost:38080 in a browser.

Converting Files or Directories into a ConfigMap

https://blog.csdn.net/m0_51964671/article/details/135480707
https://blog.csdn.net/lewyu521/article/details/139546315

$ kubectl create configmap testfile --from-file pods/

$ kubectl get configmaps testfile -oyaml

Note: when creating a ConfigMap from files, convert Windows (CRLF) files to Unix (LF) format first; otherwise the YAML output will contain escaped CR characters.
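One way to do the conversion in place, assuming GNU sed (the pods/ path matches the example above):

sed -i 's/\r$//' pods/*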

Base64 Encoding and Decoding with echo

echo -n "admin:admin" | base64

echo -n "YWRtaW46YWRtaW4=" | base64 -d

Argo CD

Install:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Access:

# read the default password of the admin account
kubectl get secret argocd-initial-admin-secret -n argocd -oyaml
echo -n "..." | base64 -d

# after port forwarding, open https://localhost:8443 in a browser
kubectl port-forward svc/argocd-server -n argocd 8443:443

When configuring a repository connection in the Argo CD UI, HTTPS with a username and password is the simplest option.

Installing the CLI (download argocd-linux-amd64 from GitHub first):

sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
rm argocd-linux-amd64

Using the CLI:

argocd login localhost:8443 --username admin --password ...

# check cluster status
argocd cluster list
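From there an application can be registered from the CLI as well; this sketch follows Argo CD's getting-started guide, using its public example repo:

argocd app create guestbook \
  --repo https://github.com/argoproj/argocd-example-apps.git \
  --path guestbook \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace default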

HPA (Horizontal Pod Autoscaler)

First adjust the Deployment: set replicas to 1 and add resource requests and limits:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: your-deployment-name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: your-deployment-name
  template:
    metadata:
      labels:
        app: your-deployment-name
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: your-deployment-name
          image: your-image-name:v1.0.0
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              memory: "2Gi"
              cpu: "0.5"
            limits:
              memory: "3Gi"
              cpu: "0.8"

The requests and limits are added because HPA computes utilization as a percentage of the requested value; without requests, HPA cannot compute the ratio and therefore cannot scale. For example, with a CPU request of 0.5 core and an averageUtilization target of 50%, scale-out begins once average usage exceeds 0.25 core per pod.

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: your-deployment-name
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: your-deployment-name
  minReplicas: 1
  maxReplicas: 3
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 50 # 50%
    - type: Resource
      resource:
        name: memory
        target:
          type: Utilization
          averageUtilization: 100 # 100%
  behavior:
    # scale down
    scaleDown:
      stabilizationWindowSeconds: 300 # stabilization window, default 300s
      policies:
        - type: Pods
          value: 1
          periodSeconds: 15 # check period, default 15s
    # scale up
    scaleUp:
      stabilizationWindowSeconds: 300
      policies:
        - type: Pods
          value: 1
          periodSeconds: 15

Check the HPA status:

kubectl get hpa
kubectl describe hpa
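To watch the replica count react to load in real time (the deployment name is a placeholder):

kubectl get hpa your-deployment-name --watch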