I'm lazy, so no long preamble.
The rancher website is far too opinionated: it basically requires the k8s cluster to be deployed with rke. I'll grant that the rancher dashboard is decent and does speed up development. But rke is shit, rke is shit, rke is shit; important things get said three times.
I tested the official Helm HA deployment several times and it failed every time, and I really didn't want to use the docker approach. So I rewrote the official docker approach into k8s YAML for quickly deploying rancher. Here's the file:
vi ./rancher.yaml

```yaml
# Lets the kube-apiserver identity reach node metrics/proxy/logs (used by the dashboard).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
  - nodes/metrics
  - nodes/proxy
  - nodes/stats
  - nodes/log
  - nodes/spec
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
---
# ServiceAccount the rancher pod runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cattle
  namespace: cattle-system
---
# v1 here: the rbac v1beta1 API was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cattle-admin-binding
  namespace: cattle-system
  labels:
    cattle.io/creator: "norman"
subjects:
- kind: ServiceAccount
  name: cattle
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cattle-admin
  apiGroup: rbac.authorization.k8s.io
---
# Base64-encoded values specific to the author's cluster (rancher server URL and token);
# replace them with your own before applying.
apiVersion: v1
kind: Secret
metadata:
  name: cattle-credentials-2d27727
  namespace: cattle-system
type: Opaque
data:
  url: "aHR0cHM6Ly8xMC4xOC4zMi4yNTozMDQ0Mw=="
  token: "ZnZyc2JkN2JmdGJ4dmhncWNqbDRyamd4dGg0Z2tiZjljZHh4cXZ4aHB4ejVieGNkbnZoenBw"
---
# cluster-admin equivalent: every verb on every resource and every non-resource URL.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-admin
  labels:
    cattle.io/creator: "norman"
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rancher
  namespace: cattle-system
  labels:
    app: rancher
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  selector:
    matchLabels:
      app: rancher
  template:
    metadata:
      labels:
        app: rancher
    spec:
      containers:
      - name: rancher
        image: rancher/rancher:stable
        imagePullPolicy: Always
        env:
        - name: AUDIT_LEVEL
          value: "3"
        - name: CATTLE_SYSTEM_CATALOG
          value: "bundled"
        ports:
        - containerPort: 80
          name: http
        - containerPort: 443
          name: https
        # Only port 80 is probed (see step 4 below).
        readinessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 20
          periodSeconds: 10
        livenessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 600
          periodSeconds: 20
      serviceAccountName: cattle
---
# NodePort service: 30080 (http) and 30443 (https) opened on every node.
apiVersion: v1
kind: Service
metadata:
  name: rancher
  namespace: cattle-system
spec:
  ports:
  - port: 80
    name: http
    protocol: TCP
    nodePort: 30080
  - port: 443
    name: https
    protocol: TCP
    nodePort: 30443
  sessionAffinity: ClientIP
  externalTrafficPolicy: Cluster
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
  type: NodePort
  selector:
    app: rancher
```
A brief description of the process:
1. Create the cattle-system namespace.
2. Create the cattle-admin identity and authorize it to query the kube-apiserver, which then returns the key/value data held in etcd (cluster information: the nodes, node status and so on).
3. Create the credential for the authorization mechanism through which rancher assigns permissions to ordinary users (the Secret with type: Opaque).
4. Deploy rancher (the readiness probe checks port 80 after 20 seconds; I was too lazy to write one for 443. If port 80 can't even come up, why would 443?). The ServiceAccount it uses is cattle; if you don't understand what an SA is, try kubectl get sa -n kube-system yourself.
5. Create the rancher Service with NodePorts 30080/30443. externalTrafficPolicy: Cluster is set here so that every node (including the master) opens these two ports, so a rancher pod migration is harmless: traffic to port 30080 on any node is automatically forwarded to port 30080 on the node where the rancher pod runs, and 30080 then URL-rewrites to 30443.
6. kubectl apply -f rancher.yaml && kubectl get pod -n cattle-system -w and wait for the pod named rancher to become ready.
7. Open a browser; Firefox is recommended, since Google's browser is a pain about security and the self-signed certificate may cause unknown problems.
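Before applying a manifest like the one above it is worth seeing what it actually grants and carries: the cattle-admin ClusterRole is a full `'*'` grant, and the Secret ships a base64-encoded URL and token inside the file. The helper below is an added example, not part of the original post: it splits a manifest stream into objects, flags ClusterRoles whose rules contain `'*'`, and decodes every Secret's data fields so the embedded values can be reviewed. The manifest excerpt and the url/token values in it are constructed placeholders.

```python
import base64
import re

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed excerpt shaped like the page's rancher.yaml; the Secret values are placeholders.
SAMPLE_MANIFEST = f"""kind: Secret
metadata:
  name: cattle-credentials-2d27727
data:
  url: "{b64('https://rancher.example.com:30443')}"
  token: "{b64('PLACEHOLDER-TOKEN')}"
---
kind: ClusterRole
metadata:
  name: cattle-admin
rules:
- apiGroups: ['*']
  resources: ['*']
  verbs: ['*']
"""

def _objects(manifest):
    # Yield (kind, metadata.name, text) for every '---'-separated document.
    for doc in re.split(r"^---\s*$", manifest, flags=re.M):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
        name = re.search(r"^\s+name:\s*(\S+)", doc, re.M)  # first 'name:' is metadata.name
        if kind:
            yield kind.group(1), (name.group(1) if name else ""), doc

def wildcard_clusterroles(manifest):
    """Names of ClusterRoles whose rules contain '*': cluster-admin-equivalent grants."""
    hits = []
    for kind, name, doc in _objects(manifest):
        m = re.search(r"^rules:", doc, re.M)
        if kind == "ClusterRole" and m and re.search(r"""['"]\*['"]""", doc[m.end():]):
            hits.append(name)
    return hits

def embedded_secret_values(manifest):
    """Base64-decode every Secret's data fields: the credentials that ship inside the file."""
    found = {}
    for kind, name, doc in _objects(manifest):
        m = re.search(r"^data:\s*$", doc, re.M)  # anchored so 'metadata:' does not match
        if kind == "Secret" and m:
            for key, val in re.findall(r'^\s+(\w+):\s*"?([A-Za-z0-9+/=]+)"?\s*$', doc[m.end():], re.M):
                found[f"{name}/{key}"] = base64.b64decode(val).decode()
    return found
```

Run it against the real rancher.yaml (`open("rancher.yaml").read()`) and you should see cattle-admin flagged and the author's url/token decoded, which is exactly what to swap out for your own cluster.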
Enjoy!