https://github.com/kubernetes/cloud-provider-alibaba-cloud/blob/master/docs/getting-started.md
1.创建ccm用到的cm
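# Step 1: build the cloud-config ConfigMap that the cloud-controller-manager
# (CCM) reads its AccessKey from.
# Layout reconstructed: the original listing was collapsed onto one line and
# had lost its ':', '{' and '|' characters.
mkdir -p slb && cd slb

# Fill in the AccessKey of the account CCM should act as. Prefer a dedicated
# RAM user over the main account key, and avoid leaving the secret in shell
# history.
AccessKeyID=
AccessKeySecret=
: "${AccessKeyID:?set AccessKeyID before continuing}"
: "${AccessKeySecret:?set AccessKeySecret before continuing}"

# Shell variable names cannot contain '-', so the encoded copies use '_'.
# printf avoids echo's portability quirks; -w 0 keeps the output on one line.
AccessKeyID_base64=$(printf '%s' "$AccessKeyID" | base64 -w 0)
AccessKeySecret_base64=$(printf '%s' "$AccessKeySecret" | base64 -w 0)

# base64 is an encoding, not encryption: anyone who can read ConfigMaps in
# kube-system, or this file on disk, can recover the AccessKey. Keep the file
# private and keep read access to kube-system ConfigMaps narrow.
touch cloud-config.yaml
chmod 600 cloud-config.yaml

# NOTE(review): the original listing put the raw $AccessKeyID in accessKeyID
# even though it computed a base64 copy. The upstream getting-started guide
# linked at the top of this page uses base64 values for both fields; confirm
# against the CCM version in use.
cat > cloud-config.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: cloud-config
  namespace: kube-system
data:
  cloud-config.conf: |-
    {
        "Global": {
            "accessKeyID": "${AccessKeyID_base64}",
            "accessKeySecret": "${AccessKeySecret_base64}"
        }
    }
EOF

kubectl apply -f cloud-config.yaml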
2.获取ccm用到的元数据
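# Step 2: read this node's hostname and instance id from the ECS metadata
# service, then pass them to the kubelet.
# Layout reconstructed: the original listing was collapsed onto one line and
# the space after "curl" was lost.
curl 100.100.100.200/latest/meta-data/hostname
curl 100.100.100.200/latest/meta-data/instance-id

# Edit the kubeadm drop-in and add the lines shown in the comment below.
# The --provider-id value on the page has the form <region>.<instance-id>;
# --hostname-override presumably matches the hostname returned above.
vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf
#   Environment="KUBELET_CLOUD_PROVIDER_ARGS=--cloud-provider=external --hostname-override=iZj6c3ydyj9t4ztmha08rbZ --provider-id=cn-hongkong.i-j6c3ydyj9t4ztmha08rb"
#   Environment="--system-reserved=memory=300Mi --kube-reserved=memory=400Mi --eviction-hard=imagefs.available<15%,memory.available<300Mi,nodefs.available<10%,nodefs.inodesFree<5% --cgroup-driver=systemd"
#   $KUBELET_CLOUD_PROVIDER_ARGS $KUBELET_CGROUP_ARGS
#
# NOTE(review): the second Environment= line has no variable name in the
# source. Since $KUBELET_CGROUP_ARGS is referenced afterwards, it was
# presumably Environment="KUBELET_CGROUP_ARGS=..."; without a name systemd
# will not define that variable. The two $... references are presumably
# appended to the existing ExecStart= kubelet command line; confirm.

# Reload unit files so the edited drop-in is picked up, then restart kubelet.
systemctl daemon-reload
systemctl restart kubelet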
3.修改kube-apiserver
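# Step 3: tell kube-apiserver that the cloud provider runs out of tree.
# The source showed "---cloud-provider=external"; the list dash and the flag
# had been fused together by the collapsed layout.
vim /etc/kubernetes/manifests/kube-apiserver.yaml
# Add this entry to the kube-apiserver container's command list:
#     - --cloud-provider=external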
4.获取证书
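# Step 4: write the kubeconfig that CCM uses to reach the API server.
# Layout reconstructed: the original listing was collapsed onto one line and
# had lost its ':' and '-' characters. The server address is read as
# 172.16.1.193 port 6443; confirm against your own API server endpoint.

# base64-encode the cluster CA on a single line (no pipe through cat needed).
ca_data=$(base64 -w 0 /etc/kubernetes/pki/ca.crt)
: "${ca_data:?could not read /etc/kubernetes/pki/ca.crt}"

# This file carries no credential of its own: the CA certificate is public
# data and the token is read at runtime from the pod's service-account
# tokenFile. Do not add client keys or static tokens to it.
cat > /etc/kubernetes/cloud-controller-manager.conf <<EOF
kind: Config
contexts:
- context:
    cluster: kubernetes
    user: system:cloud-controller-manager
  name: system:cloud-controller-manager@kubernetes
current-context: system:cloud-controller-manager@kubernetes
users:
- name: system:cloud-controller-manager
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${ca_data}
    server: https://172.16.1.193:6443
  name: kubernetes
EOF

# The DaemonSet in step 5 mounts this file via hostPath and runs as UID 1200,
# so the file has to stay readable by non-root users.
chmod 644 /etc/kubernetes/cloud-controller-manager.conf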
5.创建ds
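# Step 5: RBAC, ServiceAccount and DaemonSet for the cloud-controller-manager.
# Layout reconstructed: the original listing was collapsed onto two lines and
# had lost its ':' and list '-' characters. Values are unchanged.
#
# The ClusterRole below is cluster-wide and includes node delete,
# serviceaccount create and CRD create/delete. Treat the token of the
# cloud-controller-manager ServiceAccount as highly privileged and restrict
# who may create pods or exec into pods in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:cloud-controller-manager
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
      - delete
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - services/status
    verbs:
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - list
      - watch
      - create
      - patch
      - update
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - update
      - create
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - update
      - create
      - delete
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloud-controller-manager
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system:cloud-controller-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:cloud-controller-manager
subjects:
  - kind: ServiceAccount
    name: cloud-controller-manager
    namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    app: cloud-controller-manager
    tier: control-plane
  name: cloud-controller-manager
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: cloud-controller-manager
      tier: control-plane
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: cloud-controller-manager
        tier: control-plane
      annotations:
        # NOTE(review): this alpha annotation is no longer honoured by
        # current Kubernetes releases; priorityClassName is the replacement.
        # Kept as on the page; confirm for your cluster version.
        scheduler.alpha.kubernetes.io/critical-pod: ""
    spec:
      serviceAccountName: cloud-controller-manager
      # "operator: Exists" with no key tolerates every taint.
      tolerations:
        - operator: Exists
      nodeSelector:
        node-role.kubernetes.io/master: ""
      containers:
        - name: cloud-controller-manager
          # Non-root, no privilege escalation, read-only root filesystem.
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1200
          command:
            - /cloud-controller-manager
            - --kubeconfig=/etc/kubernetes/cloud-controller-manager.conf
            - --cloud-config=/etc/kubernetes/config/cloud-config.conf
            - --metrics-bind-addr=0
            # For terway configuration
            # NOTE(review): in the collapsed source the comment and the flag
            # below run together, so it is unclear whether the flag was
            # active or commented out; confirm for your CNI.
            - --configure-cloud-routes=false
          # A tag can be re-pointed by the registry; consider pinning the
          # image by digest (image@sha256:<digest>) once it is verified.
          image: registry-vpc.cn-shanghai.aliyuncs.com/acs/cloud-controller-manager-amd64:v2.0.1
          livenessProbe:
            failureThreshold: 8
            httpGet:
              host: 127.0.0.1
              path: /healthz
              port: 10258
              scheme: HTTP
            initialDelaySeconds: 15
            timeoutSeconds: 15
          resources:
            requests:
              cpu: 100m
              memory: 200Mi
            limits:
              cpu: 1000m
              memory: 1Gi
          volumeMounts:
            # Only the single kubeconfig file is exposed from the host, and
            # it is mounted read-only.
            - mountPath: /etc/kubernetes/cloud-controller-manager.conf
              name: k8s
              readOnly: true
            # Holds the AccessKey taken from the cloud-config ConfigMap.
            - name: cloud-config
              mountPath: /etc/kubernetes/config
      # The pod shares the node's network namespace; the liveness probe above
      # targets 127.0.0.1:10258 on the node.
      hostNetwork: true
      volumes:
        - hostPath:
            path: /etc/kubernetes/cloud-controller-manager.conf
            type: File
          name: k8s
        - name: cloud-config
          configMap:
            name: cloud-config
            items:
              - key: cloud-config.conf
                path: cloud-config.conf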
6.验证
由于是单节点集群测试,故使用local模式的流量策略
root@izj6c3ydyj9t4ztmha08rbz slb# kubectl get svc nginx -o yaml apiVersionv1 kindService metadata creationTimestamp"2021-11-18T22:36:48Z" finalizersservice.k8s.alibaba/resources labels appnginx service.beta.kubernetes.io/hash73b160d328a26d99ed855f80117a95610f38768c282bc4bc5606bdc3 namenginx namespacedefault resourceVersion"12502" uid9c897582-0484-41b8-b983-32626599b4c1 spec allocateLoadBalancerNodePortstrue clusterIP10.98.194.116 clusterIPs10.98.194.116 externalTrafficPolicyLocal healthCheckNodePort30738 internalTrafficPolicyCluster ipFamiliesIPv4 ipFamilyPolicySingleStack portsnodePort32093 port80 protocolTCP targetPort80 selector appnginx sessionAffinityNone typeLoadBalancer status loadBalancer ingressip47.242.151.91
7.访问测试
7.1 node节点访问
7.2 pod访问
7.3 查看日志
8.ram权限
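ps: 如果 AccessKey 属于 RAM 用户(子账号),需要为其授权如下策略。注意:该策略中的 slb:*、cms:*、vpc:*、log:*、nas:* 均为对全部资源("Resource": "*")的通配授权,并且包含磁盘、快照、镜像仓库等看起来与 CCM 管理负载均衡和路由无关的操作;生产环境建议按最小权限原则,只保留实际用到的 Action。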
{ "Version": "1", "Statement": [ { "Action": [ "ecs:Describe*", "ecs:AttachDisk", "ecs:CreateDisk", "ecs:CreateSnapshot", "ecs:CreateRouteEntry", "ecs:DeleteDisk", "ecs:DeleteSnapshot", "ecs:DeleteRouteEntry", "ecs:DetachDisk", "ecs:ModifyAutoSnapshotPolicyEx", "ecs:ModifyDiskAttribute", "ecs:CreateNetworkInterface", "ecs:DescribeNetworkInterfaces", "ecs:AttachNetworkInterface", "ecs:DetachNetworkInterface", "ecs:DeleteNetworkInterface", "ecs:DescribeInstanceAttribute" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "cr:Get*", "cr:List*", "cr:PullRepository" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "slb:*" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "cms:*" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "vpc:*" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "log:*" ], "Resource": [ "*" ], "Effect": "Allow" }, { "Action": [ "nas:*" ], "Resource": [ "*" ], "Effect": "Allow" } ] }






