I. Rancher deployment
1. Introduction
Rancher is an open-source, enterprise-grade container management platform. With Rancher, an organization no longer has to assemble a container service platform from scratch out of a collection of open-source components: it provides a full-stack platform for deploying and managing Docker and Kubernetes in production.
It lets users work with Rancher without first having to understand Kubernetes concepts in depth.
Rancher started in Silicon Valley and has been expanding into the Chinese market in recent years; it has since been acquired by SUSE.
2. Installation
Version selection:
This document uses v2.5.2; the installation and configuration steps are similar across all v2.x releases.
Start Rancher directly from the official image:
$ docker run -d --privileged --name rancher --restart=unless-stopped -p 8080:80 -p 8443:443 -v /opt/rancher/:/var/lib/rancher/ rancher/rancher:v2.5.2
Once the service is up, open https://<host-ip>:8443 on the host to reach the Rancher management UI. On first access you must set (reset) the administrator password.
Internally, Rancher starts its own embedded cluster with k3s, and at the container layer it uses containerd directly to manage images and containers:
$ docker exec -ti rancher bash
# kubectl get no
# kubectl get po -A
II. Basic Rancher configuration
1. Login
Set the password and log in; the UI language can be changed in the lower-right corner.
2. Adding a cluster
$ curl --insecure -sfL https://192.168.0.121:8443/v3/import/pwqlqcwlpsjs7pxcvkkswjlfj59lpd4dsr46q5cdqz2frmrf5hd7tt.yaml | kubectl apply -f -
If the download fails, open the URL in a browser and copy the manifest manually.
[root@k8s-master rancher]# cat rancher-all.yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: proxy-clusterrole-kubeapiserver
rules:
- apiGroups: [""]
  resources:
    - nodes/metrics
    - nodes/proxy
    - nodes/stats
    - nodes/log
    - nodes/spec
  verbs: ["get", "list", "watch", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: proxy-role-binding-kubernetes-master
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: proxy-clusterrole-kubeapiserver
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: kube-apiserver
---
apiVersion: v1
kind: Namespace
metadata:
  name: cattle-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cattle
  namespace: cattle-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cattle-admin-binding
  namespace: cattle-system
  labels:
    cattle.io/creator: "norman"
subjects:
- kind: ServiceAccount
  name: cattle
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cattle-admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
  name: cattle-credentials-d310755
  namespace: cattle-system
type: Opaque
data:
  url: "aHR0cHM6Ly8xOTIuMTY4LjAuMTIxOjg0NDM="
  token: "cHdxbHFjd2xwc2pzN3B4Y3Zra3N3amxmajU5bHBkNGRzcjQ2cTVjZHF6MmZybXJmNWhkN3R0"
  namespace: ""
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cattle-admin
  labels:
    cattle.io/creator: "norman"
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cattle-cluster-agent
  namespace: cattle-system
spec:
  selector:
    matchLabels:
      app: cattle-cluster-agent
  template:
    metadata:
      labels:
        app: cattle-cluster-agent
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: beta.kubernetes.io/os
                operator: NotIn
                values:
                - windows
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/controlplane
                operator: In
                values:
                - "true"
          - weight: 1
            preference:
              matchExpressions:
              - key: node-role.kubernetes.io/etcd
                operator: In
                values:
                - "true"
      serviceAccountName: cattle
      tolerations:
      - operator: Exists
      containers:
      - name: cluster-register
        imagePullPolicy: IfNotPresent
        env:
        - name: CATTLE_FEATURES
          value: ""
        - name: CATTLE_IS_RKE
          value: "false"
        - name: CATTLE_SERVER
          value: "https://192.168.0.121:8443"
        - name: CATTLE_CA_CHECKSUM
          value: "bdd2bef611a347f4c6a3a031f39e4326bdd46444de330126b1d8f1eba7f72181"
        - name: CATTLE_CLUSTER
          value: "true"
        - name: CATTLE_K8S_MANAGED
          value: "true"
        image: rancher/rancher-agent:v2.5.2
        volumeMounts:
        - name: cattle-credentials
          mountPath: /cattle-credentials
          readOnly: true
        readinessProbe:
          initialDelaySeconds: 2
          periodSeconds: 5
          httpGet:
            path: /health
            port: 8080
      volumes:
      - name: cattle-credentials
        secret:
          secretName: cattle-credentials-d310755
          defaultMode: 320
---
After the cluster has been added, check the pod status:
[root@k8s-master rancher]# kubectl get po -n cattle-system
NAME READY STATUS RESTARTS AGE
cattle-cluster-agent-5ffd88dd8c-42jjl 1/1 Running 0 38m
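The import manifest above binds the `cattle` ServiceAccount cluster-wide to `cattle-admin`, a ClusterRole granting `*` on every resource and non-resource URL, so that ServiceAccount's token (and the agent pod that mounts it) is equivalent to cluster-admin; the binding also still uses the `rbac.authorization.k8s.io/v1beta1` apiVersion. The following audit is an added example, not part of the original page or of Rancher's own tooling: it walks a parsed manifest, flags wildcard ClusterRoles and the subjects bound to them, and lists objects on the deprecated RBAC apiVersion. It uses constructed Python dicts mirroring the relevant documents instead of parsing the YAML, so it needs no YAML library.

```python
# Constructed, trimmed stand-in for the parsed rancher-all.yaml above (Python dicts
# instead of YAML so the audit runs without a YAML library); only audited fields kept.
MANIFEST = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "proxy-clusterrole-kubeapiserver"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy", "nodes/log"],
                "verbs": ["get", "list", "watch", "create"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "cattle-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "cattle-admin-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "cattle", "namespace": "cattle-system"}],
     "roleRef": {"kind": "ClusterRole", "name": "cattle-admin"}},
]

def wildcard_cluster_roles(docs):
    """Names of ClusterRoles with a rule granting '*' verbs on '*' resources or '*' URLs."""
    names = set()
    for d in docs:
        if d.get("kind") != "ClusterRole":
            continue
        for rule in d.get("rules", []):
            res_wild = "*" in rule.get("apiGroups", []) and "*" in rule.get("resources", [])
            url_wild = "*" in rule.get("nonResourceURLs", [])
            if "*" in rule.get("verbs", []) and (res_wild or url_wild):
                names.add(d["metadata"]["name"])
    return names

def cluster_admin_subjects(docs):
    """(kind, namespace/name, role) for each subject bound cluster-wide to a wildcard role."""
    wild = wildcard_cluster_roles(docs)
    found = []
    for d in docs:
        if d.get("kind") == "ClusterRoleBinding" and d["roleRef"]["name"] in wild:
            for s in d.get("subjects", []):
                found.append((s["kind"], f"{s.get('namespace', '')}/{s['name']}", d["roleRef"]["name"]))
    return found

def deprecated_rbac_objects(docs):
    """Objects still on rbac.authorization.k8s.io/v1beta1, which Kubernetes removed in 1.22."""
    return [d["metadata"]["name"] for d in docs
            if d.get("apiVersion") == "rbac.authorization.k8s.io/v1beta1"]

if __name__ == "__main__":
    for kind, subj, role in cluster_admin_subjects(MANIFEST):
        print(f"cluster-admin-equivalent: {kind} {subj} via ClusterRole/{role}")
    print("deprecated RBAC apiVersion:", deprecated_rbac_objects(MANIFEST))
```

Against the real manifest, feed the output of a YAML loader (one document per list entry) to the same functions; the `proxy-clusterrole-kubeapiserver` role is correctly left unflagged because its rule names specific resources and verbs.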
3. Basic usage
Key concepts
Cluster
Rancher can manage multiple Kubernetes clusters; a cluster is brought under Rancher's control either by creating it or by importing it. During initialization the cluster deployed by the built-in k3s is registered under the name local.
Project
A logical grouping below the cluster: one cluster can contain multiple projects, and one project can contain multiple namespaces. During initialization two projects are created for every registered cluster:
Default: maps to the cluster's default namespace
System: maps to the system-level namespaces, including kube-system, kube-public, cattle-system, ingress-nginx and others
Namespace
Maps to the Kubernetes namespace concept; namespaces can be created directly in a project, or existing namespaces can be moved into one.
Permission management
Rancher supports both local users and integration with LDAP accounts; user permissions are granted at the project level.