wmenjoy / awesome-knowleges

A collection of useful knowledge

Rancher #31

Open wmenjoy opened 4 years ago

wmenjoy commented 4 years ago

Rancher concepts

References

  1. Rancher DockerHub
  2. Rancher 2.0 business logic and concepts
wmenjoy commented 4 years ago

Rancher deployment

High-availability deployment

References

  1. Deploying a local multi-node K8s cluster with Rancher Server
  2. Learning how Rancher manages k8s
  3. Installing a Kubernetes cluster with RKE + installing Rancher 2.0
  4. Rancher HA cluster deployment documentation
  5. Deploying a Rancher HA cluster with RKE
  6. Deploying a K8s cluster with RKE in HA mode, plus Rancher Server HA
  7. Rancher 2.2.2 - HA deployment of a highly available k8s cluster
  8. Rancher 2.4.3 - HA deployment of a highly available k8s cluster
wmenjoy commented 4 years ago

Rancher permission management

This can be implemented simply with project + namespace.

wmenjoy commented 4 years ago

Questions

How does Rancher upgrade the apiserver configuration online?

wmenjoy commented 4 years ago

Cluster.yml

```yaml
nodes:
    - address: 192.168.xxx.xxx
      user: root
      role:
        - controlplane
        - etcd
        - worker
services:
    etcd:
        extra_binds:
        - '/etc/localtime:/etc/localtime'
    kube-api:
        service_node_port_range: 30000-40000
        extra_binds:
        - '/etc/localtime:/etc/localtime'
        extra_args:
          # enable PodPresets
          runtime-config: "settings.k8s.io/v1alpha1=true"
          enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodPreset"
          default-not-ready-toleration-seconds: 30
          default-unreachable-toleration-seconds: 30
    kube-controller:
        extra_binds:
        - '/etc/localtime:/etc/localtime'
        extra_args:
          # eviction policy settings
          pod-eviction-timeout: 30s
          node-monitor-grace-period: 16s
          node-monitor-period: 2s
    kubelet:
        extra_binds:
        - '/etc/localtime:/etc/localtime'
        extra_args:
          # node status update frequency
          node-status-update-frequency: 4s
          eviction-pressure-transition-period: 20s
          # at most 100 pods per node
          max-pods: 100
          # resources reserved for Kubernetes system daemons
          kube-reserved: cpu=500m, memory=1000Mi
          # resources reserved for OS system daemons
          system-reserved: cpu=500m, memory=1000Mi
          # hard eviction thresholds
          eviction-hard: memory.available<500Mi,nodefs.available<10%
          # minimum reclaim (disabled)
          #eviction-minimum-reclaim: memory.available=0Mi,nodefs.available=500Mi,imagefs.available=2Gi
    kubeproxy:
        extra_binds:
        - '/etc/localtime:/etc/localtime'
# matching k8s version numbers: https://github.com/rancher/kontainer-driver-metadata/blob/master/rke/k8s_rke_system_images.go#
kubernetes_version: v1.16.9-rancher1-1
cluster_name: local
```
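The `kube-api` `extra_args` above decide which admission plugins guard the API server, and `runtime-config` plus `PodPreset` tie the file to a Kubernetes version. The following POSIX shell script is an added example, not part of this issue: it lints those two values before `rke up` is run. The baseline plugin list in `REQUIRED_PLUGINS`, and the function names `missing_admission_plugins`, `k8s_minor`, `podpreset_ok` and `lint_kube_api`, are this example's own assumptions; the `PLUGINS` and `KUBERNETES_VERSION` values are copied from the cluster.yml above.

```shell
#!/bin/sh
# Added example (not from the issue): lint the kube-api extra_args of an RKE cluster.yml.

# Admission plugins this check insists on. NodeRestriction limits what a kubelet may
# modify about nodes and pods; ServiceAccount, ResourceQuota and the two webhook
# plugins back RBAC, quotas and policy enforcement. (Assumed baseline for this
# example, not an RKE requirement.)
REQUIRED_PLUGINS="NamespaceLifecycle ServiceAccount NodeRestriction ResourceQuota MutatingAdmissionWebhook ValidatingAdmissionWebhook"

# missing_admission_plugins "<enable-admission-plugins value>"
# Prints the required plugins that are absent (space separated) and returns 1;
# prints nothing and returns 0 when the whole baseline is enabled.
missing_admission_plugins() {
    enabled=",$(printf '%s' "$1" | tr -d ' '),"
    missing=""
    for p in $REQUIRED_PLUGINS; do
        case "$enabled" in
            *",$p,"*) ;;                    # present
            *) missing="$missing $p" ;;     # absent
        esac
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# k8s_minor "v1.16.9-rancher1-1" -> 16  (strips the leading "v" and the RKE suffix)
k8s_minor() {
    v=${1#v}
    v=${v#*.}
    printf '%s\n' "${v%%.*}"
}

# podpreset_ok "<kubernetes_version>" "<enable-admission-plugins value>"
# PodPreset (settings.k8s.io/v1alpha1) was removed in Kubernetes 1.20, so keeping the
# plugin enabled on 1.20+ stops kube-apiserver from starting. Returns 1 in that case.
podpreset_ok() {
    case ",$(printf '%s' "$2" | tr -d ' ')," in
        *",PodPreset,"*) [ "$(k8s_minor "$1")" -lt 20 ] ;;
        *) return 0 ;;
    esac
}

# Values copied from the cluster.yml above.
KUBERNETES_VERSION="v1.16.9-rancher1-1"
PLUGINS="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel,PodPreset"

# lint_kube_api: run both checks against the values above; returns 1 on any finding.
lint_kube_api() {
    rc=0
    if out=$(missing_admission_plugins "$PLUGINS"); then
        echo "admission plugins: baseline present"
    else
        echo "admission plugins missing: $out"; rc=1
    fi
    if podpreset_ok "$KUBERNETES_VERSION" "$PLUGINS"; then
        echo "PodPreset: compatible with $KUBERNETES_VERSION"
    else
        echo "PodPreset enabled but removed in $KUBERNETES_VERSION"; rc=1
    fi
    return $rc
}

lint_kube_api
```

Run it as `sh lint-cluster.sh`; a non-zero exit means the file should be corrected before the cluster is brought up. Bumping `kubernetes_version` to a 1.20+ image while leaving `PodPreset` in the plugin list is the case the second check catches.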
wmenjoy commented 4 years ago

Rancher OS

References

  1. Getting started with Rancher OS
  2. Rancher OS: en manual
wmenjoy commented 3 years ago

Installing Rancher inside a k8s cluster

ingress.tls.source=rancher is used here; the other options are still to be tested.

Installation steps

1. Install cert-manager

```shell
# Install the CustomResourceDefinition resources separately
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml

# **Important:**
# If you are running Kubernetes v1.15 or below, you
# will need to add the `--validate=false` flag to your
# kubectl apply command, or else you will receive a
# validation error relating to the
# x-kubernetes-preserve-unknown-fields field in
# cert-manager's CustomResourceDefinition resources.
# This is a benign error and occurs due to the way kubectl
# performs resource validation.

# Create the namespace for cert-manager
kubectl create namespace cert-manager

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.0.4
```

2. Install rancher-server

  1. Online installation

     ```shell
     helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
     kubectl create namespace cattle-system
     helm install rancher rancher-stable/rancher \
       --namespace cattle-system \
       --set hostname=localhost
     ```

  2. Offline installation

     ```shell
     helm pull rancher-stable/rancher
     # export the Rancher images with docker for offline use
     kubectl create namespace cattle-system
     helm install rancher rancher-$version.tgz \
       --namespace cattle-system \
       --set hostname=localhost
     ```

References

  1. Rancher Docs: Install Rancher on a Kubernetes Cluster
  2. Rancher Docs: Helm Chart Options
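The offline installation above leaves one step as prose, exporting the Rancher images with docker. The POSIX shell script below is an added example, not part of this issue or of the Rancher project: it renders the pulled chart with `helm template`, extracts every `image:` reference from the manifests, and pulls and saves each one as a tar for `docker load` on the air-gapped host. The function names (`extract_images`, `tar_name`, `save_images`) and the `rancher-images` directory are this example's own; the sample manifest is constructed from the cert-manager image references listed in this issue so the parsing runs without helm.

```shell
#!/bin/sh
# Added example (not from the issue): export the images a Helm chart needs for an
# offline install. Assumes helm and docker on PATH and rancher-$version.tgz present.

# extract_images: reads rendered Kubernetes manifests on stdin and prints the unique
# image references. Handles `image: foo`, `- image: "foo"` and `image: 'foo'`;
# `imagePullPolicy:` lines do not match because the key must be exactly `image:`.
extract_images() {
    sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" | sort -u
}

# tar_name REF: file name for the saved image, e.g.
# quay.io/jetstack/cert-manager-webhook:v1.0.4 -> quay.io_jetstack_cert-manager-webhook_v1.0.4.tar
tar_name() {
    printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# save_images DIR: for each image reference on stdin, docker pull it and docker save it
# under DIR. Copy DIR to the offline host and run `docker load -i` on each tar there.
save_images() {
    dir=$1
    mkdir -p "$dir"
    while read -r image; do
        [ -n "$image" ] || continue
        docker pull "$image"
        docker save -o "$dir/$(tar_name "$image")" "$image"
    done
}

# Constructed sample of rendered manifests (image references taken from this issue).
# A duplicate, a double-quoted and a single-quoted line are included on purpose.
SAMPLE_MANIFEST=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - image: quay.io/jetstack/cert-manager-cainjector:v1.0.4
          imagePullPolicy: IfNotPresent
      containers:
        - name: controller
          image: "quay.io/jetstack/cert-manager-controller:v1.0.4"
        - name: webhook
          image: 'quay.io/jetstack/cert-manager-webhook:v1.0.4'
        - name: sidecar
          image: quay.io/jetstack/cert-manager-controller:v1.0.4
EOF
)

# Real run on a connected host (uncomment; version is the chart version helm pulled):
# version=<chart version>
# helm template rancher "rancher-$version.tgz" --namespace cattle-system --set hostname=localhost \
#     | extract_images | save_images ./rancher-images

# Offline demonstration of the parsing step on the constructed sample.
printf '%s\n' "$SAMPLE_MANIFEST" | extract_images
```

Because the list comes from the rendered chart with the same `--set` values used for the real install, it matches what the cluster will actually try to pull; exporting from a hand-written list is where images get missed.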
wmenjoy commented 3 years ago

System images

  1. k8s rke system images
wmenjoy commented 3 years ago

cert-manager

An open-source CA

cert-manager is a Kubernetes add-on to automate the management and issuance of TLS certificates from various issuing sources.

It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.

It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects e.g. kube-cert-manager.

Images

amd64

```
quay.io/jetstack/cert-manager-webhook:v1.1.0
quay.io/jetstack/cert-manager-cainjector:v1.1.0
quay.io/jetstack/cert-manager-controller:v1.1.0
quay.io/jetstack/cert-manager-controller:v1.0.4
quay.io/jetstack/cert-manager-cainjector:v1.0.4
quay.io/jetstack/cert-manager-webhook:v1.0.4
```

arm64

```
quay.io/jetstack/cert-manager-webhook-arm64:v1.1.0
quay.io/jetstack/cert-manager-cainjector-arm64:v1.1.0
quay.io/jetstack/cert-manager-controller-arm64:v1.1.0
quay.io/jetstack/cert-manager-controller-arm64:v1.0.4
quay.io/jetstack/cert-manager-cainjector-arm64:v1.0.4
quay.io/jetstack/cert-manager-webhook-arm64:v1.0.4
```

References

  1. jetstack/cert-manager: Automatically provision and manage TLS certificates in Kubernetes
wmenjoy commented 3 years ago

Rancher installation

  1. arashkaffamanesh/multipass-rke-rancher: Rancher Kubernetes Engine and Rancher Server on Multipass VMs

wmenjoy commented 2 years ago

Handling Rancher certificate expiry

Solution

  1. Enter the rancher server container and run the following:

     ```shell
     docker exec -it rancher /bin/sh
     kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
     kubectl --insecure-skip-tls-verify delete secret serving-cert -n cattle-system
     rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
     ```

  2. Send a request to refresh the parameters:

     ```shell
     curl --insecure -sfL https://localhost:8443/v3
     ```

  3. Restart the rancher server container:

     ```shell
     docker restart rancher
     ```
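The procedure above is a repair after the serving certificate has already expired. The POSIX shell script below is an added example, not part of this issue: it checks ahead of time whether the certificate Rancher presents on `localhost:8443` (the endpoint used in the fix above) is within a chosen number of days of expiry, using `openssl x509 -checkend`, which exits 0 only if the certificate is still valid that many seconds from now. The function names (`cert_valid_for`, `fetch_server_cert`, `rancher_cert_check`, `make_test_cert`) are this example's own; it assumes `openssl` is on PATH. `make_test_cert` produces a constructed self-signed certificate so the check can be exercised without a running Rancher.

```shell
#!/bin/sh
# Added example (not from the issue): warn before the Rancher serving certificate
# expires instead of discovering it when kubectl and the UI stop working.

# cert_valid_for DAYS FILE: returns 0 if the PEM certificate in FILE is still valid
# DAYS days from now, 1 if it expires sooner.
cert_valid_for() {
    openssl x509 -noout -in "$2" -checkend $(( $1 * 86400 )) >/dev/null
}

# fetch_server_cert HOST:PORT OUT: save the leaf certificate presented by a TLS
# endpoint as PEM. Fails (non-zero) if the endpoint does not answer with a cert.
fetch_server_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# rancher_cert_check DAYS [HOST:PORT]: 0 when the cert outlives DAYS, 1 when it is
# about to expire (rotate it now), 2 when the endpoint could not be queried.
rancher_cert_check() {
    days=$1
    endpoint=${2:-localhost:8443}
    tmp=$(mktemp)
    if ! fetch_server_cert "$endpoint" "$tmp"; then
        rm -f "$tmp"
        echo "$endpoint: could not fetch certificate"
        return 2
    fi
    if cert_valid_for "$days" "$tmp"; then
        echo "$endpoint: certificate valid for more than $days days"; rc=0
    else
        echo "$endpoint: certificate expires within $days days, rotate it now"; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# make_test_cert DAYS FILE: constructed self-signed certificate valid for DAYS days,
# used only to exercise cert_valid_for offline.
make_test_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=rancher-test" \
        -keyout "$key" -out "$2" 2>/dev/null
    rc=$?
    rm -f "$key"
    return $rc
}

# Typical use from cron on the Rancher host (uncomment): warn 30 days ahead.
# rancher_cert_check 30 localhost:8443
```

A cron entry calling `rancher_cert_check 30` turns the expiry from an outage into a scheduled rotation; the same `cert_valid_for` works on `/var/lib/rancher/k3s/server/tls/*.crt` inside the container if the endpoint is not reachable from the monitoring host.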