CentOS 7 k3s Installation and Configuration

0 Official documentation

https://docs.k3s.io/zh/quick-start

1 Installation

curl -sfL https://get.k3s.io | sh -
# or, via the China mirror
curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_MIRROR=cn sh -

INSTALL_K3S_VERSION: install a specific version

curl -sfL https://rancher-mirror.oss-cn-beijing.aliyuncs.com/k3s/k3s-install.sh | INSTALL_K3S_VERSION=v1.26.9+k3s1 sh -

2 Tab completion on the command line

echo 'source <(kubectl completion bash)' >> ~/.bashrc

Disconnect and reconnect, and completion takes effect.

If you get the error: -bash: _get_comp_words_by_ref: command not found

Install bash-completion:

yum -y install bash-completion

source /usr/share/bash-completion/bash_completion

3 Verification

Deploy an nginx to test the cluster

# deploy nginx
kubectl create deployment nginx --image=nginx:1.18-alpine

# expose the port
kubectl expose deployment nginx --port=80 --type=NodePort

kubectl get pod,svc

Then open the corresponding NodePort in the firewall:

systemctl status firewalld

firewall-cmd --list-ports

firewall-cmd --zone=public --add-port={NodePort}/tcp --permanent

firewall-cmd --reload

4 Getting the real client IP

Reference: https://blog.csdn.net/easylife206/article/details/111243763

4.1 NodePort approach

Publish the service as NodePort and set its externalTrafficPolicy to Local:

kubectl patch svc myservice  -p '{"spec":{"externalTrafficPolicy":"Local"}}'

4.2 Ingress approach

In k3s, set externalTrafficPolicy to Local on the traefik service instead. The application service then needs no changes and does not have to be published as NodePort (when accessed via a domain name):

kubectl -n kube-system patch svc traefik  -p '{"spec":{"externalTrafficPolicy":"Local"}}'

5 Issuing SSL certificates with cert-manager

Reference: https://blog.csdn.net/j610152753/article/details/127581375

5.1 Prerequisites

  • A k8s (k3s) cluster
  • A valid domain name (for cloud servers in mainland China, ICP registration is also required)
  • An email address you can log in to

5.2 Deploy cert-manager

Install directly with kubectl:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.1/cert-manager.yaml

Running the following command shows that 3 pods were created, each with STATUS Running:

kubectl get pods --namespace cert-manager

5.3 Configure the ClusterIssuer

Create clusterIssuer.yml and apply it:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: <replace with your email address>
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: traefik

kubectl apply -f clusterIssuer.yml

5.4 Test

Create the Deployment and Service as usual; the Ingress gets two additional settings, metadata.annotations and spec.tls, for example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
  labels:
    k8s.kuboard.cn/layer: web
    k8s.kuboard.cn/name: hexo-blog
  name: hexo-blog
  namespace: default
spec:
  ingressClassName: traefik
  rules:
  - host: blog.extra.kangaroohy.com
    http:
      paths:
      - backend:
          service:
            name: hexo-blog
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - blog.extra.kangaroohy.com
    secretName: hexo-blog-tls

6 Automatic redirect to https

6.1 Create the Middleware

Introduction and usage of Traefik middlewares: https://blog.csdn.net/j610152753/article/details/127251204

vi redirect-https.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
spec:
  redirectScheme:
    scheme: https
    permanent: true

6.2 Configure the Ingress

Add the annotation traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd

default is the namespace the Middleware lives in

redirect-https is the name of the Middleware
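As an added example (not part of the original post), the Ingress from section 5.4 with the redirect annotation from 6.2 applied, reusing the post's own names (hexo-blog, blog.extra.kangaroohy.com, letsencrypt-prod, and the redirect-https Middleware in namespace default):

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hexo-blog
  namespace: default
  annotations:
    # cert-manager watches this annotation and issues a certificate for spec.tls
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # format: <namespace>-<middleware name>@kubernetescrd
    # the Middleware is named redirect-https and lives in namespace default
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
  - host: blog.extra.kangaroohy.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hexo-blog
            port:
              number: 80
  tls:
  - hosts:
    - blog.extra.kangaroohy.com
    # cert-manager stores the issued certificate and key in this Secret
    secretName: hexo-blog-tls
```

The annotation affects only this Ingress's routers, so the temporary Ingress cert-manager creates for the HTTP-01 challenge is not redirected. Check issuance with kubectl get certificate -n default, and the redirect with curl -I http://blog.extra.kangaroohy.com/ (expect a 3xx response whose Location is the https URL).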