Deploying the Rancher dashboard on k8s

泄露秘密, posted 2020-04-05 21:04:12

I'm lazy, so no preamble.

The Rancher official site is far too opinionated: almost everything assumes a k8s cluster deployed with rke. I'll grant that the Rancher dashboard is quite good and can improve development efficiency, but rke is garbage, rke is garbage, rke is garbage; important things get said three times.


I tested the official Helm-based HA deployment several times and it failed every time, and I really did not want to use the docker-based approach. So I rewrote the official docker approach as k8s YAML for deploying Rancher quickly. Here is the file:

vi ./rancher.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
  - nodes/metrics
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system

---

apiVersion: v1
kind: ServiceAccount
metadata:
  name: cattle
  namespace: cattle-system

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# ClusterRoleBinding is cluster-scoped, so it takes no namespace
metadata:
  name: cattle-admin-binding
  labels:
    cattle.io/creator: "norman"
subjects:
- kind: ServiceAccount
  name: cattle
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cattle-admin
  apiGroup: rbac.authorization.k8s.io

---

apiVersion: v1
kind: Secret
metadata:
  name: cattle-credentials-2d27727
  namespace: cattle-system
type: Opaque
# values under data are base64-encoded, not encrypted
data:
  url: "aHR0cHM6Ly8xMC4xOC4zMi4yNTozMDQ0Mw=="  # decodes to https://10.18.32.25:30443
  token: "ZnZyc2JkN2JmdGJ4dmhncWNqbDRyamd4dGg0Z2tiZjljZHh4cXZ4aHB4ejVieGNkbnZoenBw"

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-admin
  labels:
    cattle.io/creator: "norman"
# wildcard on every API group, resource, verb and non-resource URL:
# this role is cluster-admin in all but name
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
kind: Deployment
apiVersion: apps/v1

metadata:
  name: rancher
  namespace: cattle-system
  labels:
    app: rancher
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: rancher
  template:
    metadata:
      labels:
        app: rancher
    spec:
      containers:
      - name: rancher
        image: rancher/rancher:stable
        imagePullPolicy: Always
        env:
        - name: AUDIT_LEVEL
          value: "3"
        - name: CATTLE_SYSTEM_CATALOG
          value: "bundled"
        ports:
        - containerPort: 80
          name: http
        - containerPort: 443
          name: https
        readinessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 20
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 600
          periodSeconds: 20
      serviceAccountName: cattle
---
apiVersion: v1
kind: Service
metadata:
  name: rancher
  namespace: cattle-system
spec:
  ports:
    - port: 80
      name: http
      protocol: TCP
      nodePort: 30080
    - port: 443
      name: https
      protocol: TCP
      nodePort: 30443
  sessionAffinity: ClientIP
  externalTrafficPolicy: Cluster
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  type: NodePort
  selector:
    app: rancher

A brief description of the process:

  1. Create the cattle-system namespace.

  2. Create a cattle-admin user that is authorized to make requests to the kube-apiserver, which then returns the key/value data held in etcd (cluster information: the nodes, node status and so on).

  3. Create the authorization mechanism through which Rancher assigns permissions to ordinary users (type: Opaque).

  4. Deploy Rancher (the readiness check probes port 80 after 20 seconds; I was too lazy to write one for 443 as well. If port 80 can't come up, why would 443?). The serviceaccount it runs as is cattle; if you don't understand what an sa is, try kubectl get sa -n kube-system yourself.

  5. Create the Rancher service on NodePorts 30080/30443. externalTrafficPolicy: Cluster is set here so that every node (including the master) opens these two ports and a Rancher pod migration is not a problem: port 30080 on any node is automatically forwarded to port 30080 on the node where the Rancher pod is deployed, and port 30080 then URL-rewrites to port 30443.

  6. kubectl apply -f rancher.yaml && kubectl get pod -n cattle-system -w, then wait for the pod named rancher to become ready.

  7. Open a browser; Firefox is recommended, since Google's browser is a pain about security and the self-signed certificate may cause unknown problems.
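As an added example (not part of the original post), a small manifest audit a reviewer can run before applying rancher.yaml: it finds ClusterRoles with wildcard rules, lists the subjects that ClusterRoleBindings grant them to, and decodes Secret data to show that it is only base64. The documents are embedded as Python dicts that mirror the manifest above; loading the real file with yaml.safe_load_all (PyYAML, assumed available) yields the same structure.

```python
import base64

WILD = "*"

# Constructed sample: the security-relevant documents from rancher.yaml above as
# Python dicts (in practice load the file with yaml.safe_load_all, assumed available).
DOCS = [
    {"kind": "ClusterRole", "metadata": {"name": "cattle-admin"},
     "rules": [{"apiGroups": [WILD], "resources": [WILD], "verbs": [WILD]},
               {"nonResourceURLs": [WILD], "verbs": [WILD]}]},
    {"kind": "ClusterRole", "metadata": {"name": "proxy-clusterrole-kubeapiserver"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/metrics", "nodes/proxy"],
                "verbs": ["get", "list", "watch", "create"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cattle-admin-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "cattle", "namespace": "cattle-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "cattle-admin"}},
    {"kind": "Secret", "type": "Opaque",
     "metadata": {"name": "cattle-credentials-2d27727", "namespace": "cattle-system"},
     "data": {"url": "aHR0cHM6Ly8xMC4xOC4zMi4yNTozMDQ0Mw=="}},
]

def wildcard_cluster_roles(docs):
    """Names of ClusterRoles with '*' verbs on '*' resources or '*' non-resource URLs."""
    names = []
    for d in (d for d in docs if d.get("kind") == "ClusterRole"):
        for rule in d.get("rules", []):
            if WILD in rule.get("verbs", []) and (
                    WILD in rule.get("resources", []) or WILD in rule.get("nonResourceURLs", [])):
                names.append(d["metadata"]["name"])
                break
    return names

def cluster_admin_subjects(docs):
    """Subjects bound cluster-wide to such a role, as 'kind/namespace/name' -> role name."""
    wild = set(wildcard_cluster_roles(docs))
    found = {}
    for d in (d for d in docs if d.get("kind") == "ClusterRoleBinding"):
        ref = d.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") in wild:
            for s in d.get("subjects", []):
                found[f"{s['kind']}/{s.get('namespace', '')}/{s['name']}"] = ref["name"]
    return found

def decoded_secret_data(docs):
    """Secret .data is base64, not encryption: decode it so a reviewer sees the plaintext."""
    return {d["metadata"]["name"]: {k: base64.b64decode(v).decode() for k, v in d["data"].items()}
            for d in docs if d.get("kind") == "Secret"}
```

Running cluster_admin_subjects(DOCS) on this manifest reports that the cattle serviceaccount in cattle-system holds cattle-admin cluster-wide, which is the scope the Rancher pod runs with.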


Enjoy!
