Kubernetes

Failed reason: Node port range can’t fixed! K3s ##### install ##### curl -sfL https://get.k3s.io | sh - ##### login https://192.168.99.119:6443/ get username/password ##### more /etc/rancher/k3s/k3s.yaml ##### change node-port range ##### k3s server –kube-apiserver-arg –service-node-port-range=1-65535 ##### install dashboard ##### k3s kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v1.10.1/src/deploy/recommended/kubernetes-dashboard.yaml –insecure-skip-tls-verify k3s kubectl create secret generic kubernetes-dashboard-certs –from-file=certs -n kube-system k3s kubectl apply -f dashboard-ClusterRoleBinding.yaml k3s kubectl apply -f dashboard-adminuser.yaml k3s kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep admin-user | awk ‘{print $1}’) ...

https://qhh.me/2019/08/pod 文件定义在 /etc/kubernetes/manifests/kube-apiserver.yaml15/Kubernetes-%E8%B0%83%E6%95%B4-nodePort-%E7%AB%AF%E5%8F%A3%E8%8C%83%E5%9B%B4/ 在 command 下添加 –service-node-port-range=1-65535 参数，修改后会自动生效，无需其他操作: apiVersion: v1 kind: Pod metadata: creationTimestamp: null labels: component: kube-apiserver tier: control-plane name: kube-apiserver namespace: kube-system spec: containers: - command: - kube-apiserver - --service-node-port-range=1-65535 - --advertise-address=192.168.26.10 - --allow-privileged=true - --authorization-mode=Node,RBAC - --client-ca-file=/etc/kubernetes/pki/ca.crt - --enable-admission-plugins=NodeRestriction - --enable-bootstrap-token-auth=true - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key - --etcd-servers=https://127.0.0.1:2379 - --insecure-port=0 - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key - --requestheader-allowed-names=front-proxy-client - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt - --requestheader-extra-headers-prefix=X-Remote-Extra- - --requestheader-group-headers=X-Remote-Group - --requestheader-username-headers=X-Remote-User - --secure-port=6443 - --service-account-key-file=/etc/kubernetes/pki/sa.pub - --service-cluster-ip-range=10.96.0.0/12 - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key image: registry.aliyuncs.com/google_containers/kube-apiserver:v1.15.2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 8 httpGet: host: 192.168.26.10 path: /healthz port: 6443 scheme: HTTPS initialDelaySeconds: 15 timeoutSeconds: 15 name: kube-apiserver resources: requests: cpu: 250m volumeMounts: - mountPath: /etc/ssl/certs name: ca-certs readOnly: true - mountPath: /etc/pki name: etc-pki readOnly: true - mountPath: /etc/kubernetes/pki name: k8s-certs readOnly: true hostNetwork: true priorityClassName: system-cluster-critical volumes: - hostPath: path: /etc/ssl/certs type: DirectoryOrCreate name: ca-certs - hostPath: path: /etc/pki type: DirectoryOrCreate name: etc-pki - hostPath: path: /etc/kubernetes/pki type: DirectoryOrCreate name: k8s-certs status: {}

Error： User “system:serviceaccount:kube-system:default” cannot get resource “namespaces” https://github.com/fnproject/fn-helm/issues/21#issuecomment-545317241 kubectl create serviceaccount --namespace kube-system tiller kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' helm init --upgrade --service-account tiller

On root home openssl req -nodes -newkey rsa:4096 -keyout certs/docker-registry.key -out certs/docker-registry.csr -subj "/C=/ST=/L=/O=/OU=/CN=docker-registry" openssl x509 -req -sha256 -days 365 -in certs/docker-registry.csr -signkey certs/docker-registry.key -out certs/docker-registry.crt docker run -dp 5000:5000 --name registry -v "$(pwd)"/certs:/certs \ -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/docker-registry.crt \ -e REGISTRY_HTTP_TLS_KEY=/certs/docker-registry.key \ registry nano /etc/hosts > 192.168.99.118 docker-registry cd /etc/docker mkdir certs.d cd certs.d mkdir docker-registry:5000 cd docker-registry:5000 cp ~/certs/docker-registry.crt ca.crt ===== check registry is working docker image pull busybox docker image tag busybox docker-registry:5000/mybusybox docker image push docker-registry:5000/mybusybox docker run --rm docker-registry:5000/mybusybox echo "Hello from busybox" // docker rmi busybox docker-registry:5000/mybusybox docker run --rm docker-registry:5000/mybusybox echo "Hello from busybox" ===== remove registry docker container stop registry && docker container rm -v registry https://jkzhao.github.io/2017/09/01/Registry%E7%A7%81%E6%9C%89%E4%BB%93%E5%BA%93%E6%90%AD%E5%BB%BA%E5%8F%8A%E8%AE%A4%E8%AF%81/ ...

https://github.com/fanux/sealos