Use kubeasz to install a K8S cluster, unaffected by the domestic network environment

github: https://github.com/easzlab/ku...

1. Preliminary preparation

  • A machine with Ubuntu or CentOS installed (it can be a virtual machine). This article uses an Ubuntu 19.10 virtual machine with 2 GB of memory
  • Configure basic networking, package update sources, SSH login, etc.

2. Download and install kubeasz

# Download the tool script easzup, for example, use kubeasz version 2.0.2
export release=2.0.2
curl -C- -fLO --retry 3 https://github.com/easzlab/kubeasz/releases/download/${release}/easzup
chmod +x ./easzup
# Download using tool script
./easzup -D

The last step takes a long time. Once the final output reports success, you can move on to the next step.

3. Configure passwordless SSH login

Allow PermitRootLogin first:

vim /etc/ssh/sshd_config

Locate the PermitRootLogin line and change it to:

PermitRootLogin yes

Then generate the key:

ssh-keygen -t rsa -b 2048 -N '' -f ~/.ssh/id_rsa
ssh-copy-id $IP # $IP is the address of all nodes, including itself. Enter yes and root password as prompted

Here, my host IP is 192.168.1.109, that is:

ssh-copy-id 192.168.1.109

4. Install cluster

Run kubeasz in a container using the tool script:

./easzup -S

This also takes a long time. Again, once the final output reports success, continue to the next step:

docker exec -it kubeasz easzctl start-aio

When it finishes, verify the installation as follows:

kubectl version                   # Verify cluster version     
kubectl get componentstatus       # Verify the status of components such as scheduler / Controller Manager / etcd
kubectl get node                  # Verify node ready status
kubectl get pod --all-namespaces  # Verify the cluster pod status. By default, network plug-ins, coredns, metrics server, etc. have been installed.
kubectl get svc --all-namespaces  # Verify cluster service status

5. Install and deploy Dashboard

Deploy the dashboard's main YAML configuration file:

kubectl apply -f /etc/ansible/manifests/dashboard/kubernetes-dashboard.yaml

To create a read-write admin Service Account:

kubectl apply -f /etc/ansible/manifests/dashboard/admin-user-sa-rbac.yaml

To create a read-only read Service Account:

kubectl apply -f /etc/ansible/manifests/dashboard/read-user-sa-rbac.yaml

Then, verify the installation:

# View pod running status
kubectl get pod -n kube-system | grep dashboard
kubernetes-dashboard-7c74685c48-9qdpn   1/1       Running   0          22s
# View dashboard service
kubectl get svc -n kube-system|grep dashboard
kubernetes-dashboard   NodePort    10.68.219.38   <none>        443:24108/TCP                   53s
# View cluster services
kubectl cluster-info|grep dashboard
kubernetes-dashboard is running at https://192.168.1.1:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy
# View pod run log
kubectl logs kubernetes-dashboard-7c74685c48-9qdpn -n kube-system

6. Dashboard access control (cannot be skipped)

The new Dashboard has two stages of access control:

  1. The API server's security authentication
  2. The dashboard's own login

If we don't set up access control, we can't get into the UI. Even if we only want to try out Kubernetes, we can't skip this step.

Let's start with the first step.

API server security authentication

The official documentation provides two authentication methods: user name + password access, and certificate access.

Certificate access is the most secure and reliable method, but its configuration is very complex. To get started quickly, we use the user name + password method first.

Start by configuring the user name and password. The configuration file is /etc/kubernetes/ssl/basic-auth.csv, where you can see the initial account password and change it if necessary:

vim /etc/kubernetes/ssl/basic-auth.csv
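
Because this file holds cleartext passwords that the API server accepts once basic auth is turned on, it is worth auditing after editing it. The script below is an added example, not part of the original post or of kubeasz; it assumes the Kubernetes static password file layout (password,user,uid per line), and the function name audit_basic_auth and the MIN_LEN threshold are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example: audit a Kubernetes static password file before enabling basic auth.
# Assumed layout per line: password,user,uid[,"groups"]; quoted commas are not handled.
MIN_LEN=${MIN_LEN:-16}   # assumed local policy, not a kubeasz setting

audit_basic_auth() {
    local file="$1" findings=0 line_no=0 mode password user uid rest
    [ -f "$file" ] || { echo "ERROR: $file not found"; return 2; }

    # Passwords are stored in cleartext, so only the owner should be able to read the file.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        0|*00) ;;
        *) echo "PERM: $file has mode $mode, expected 600 or stricter"
           findings=$((findings + 1)) ;;
    esac

    while IFS=, read -r password user uid rest || [ -n "$password$user" ]; do
        line_no=$((line_no + 1))
        [ -n "$password$user$uid" ] || continue          # skip blank lines
        if [ -z "$user" ] || [ -z "$uid" ]; then
            echo "FORMAT: line $line_no has fewer than 3 columns"
            findings=$((findings + 1))
        elif [ "$password" = "$user" ]; then
            echo "WEAK: user '$user' has a password equal to the user name"
            findings=$((findings + 1))
        elif [ "${#password}" -lt "$MIN_LEN" ]; then
            echo "WEAK: user '$user' has a password shorter than $MIN_LEN characters"
            findings=$((findings + 1))
        fi
    done < "$file"

    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# With no argument, audit a constructed sample so the script runs offline.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    printf 'admin,admin,1\nshort,readonly,2\n' > "$target"   # constructed rows
    chmod 644 "$target"
    audit_basic_auth "$target" || echo "findings reported for the constructed sample"
    rm -f "$target"
else
    audit_basic_auth "$target"
fi
```

Run it with /etc/kubernetes/ssl/basic-auth.csv as the argument; a non-zero exit status means at least one line or the file mode was flagged.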

Next, we turn on access control:

docker exec -it kubeasz easzctl basic-auth -s

Dashboard authentication

Dashboard supports two login methods: Kubeconfig and token. Here we log in with a token directly:

# Create Service Account and ClusterRoleBinding
kubectl apply -f /etc/ansible/manifests/dashboard/admin-user-sa-rbac.yaml
# Get the Bearer Token: find the line beginning with 'token:' in the output
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk '{print $1}')

Now you can access the Dashboard through the browser. The url can be obtained by the following command:

kubectl cluster-info|grep dashboard

Enter the token to complete the login.

Posted on Sat, 09 Nov 2019 08:14:57 -0500 by spaggle